Forum OpenACS Q&A: Re: OpenACS with virtual hosting

Posted by Richard Hamilton on
Thanks Bart.

I have been trying to work out the best way to go about this because I really don't want all my openacs services being run by the same user (because then all the db passwords are visible to a single user in the config.tcl files if aolserver is compromised).

My only remaining concern is the fact that the Pound developers refer to reverse proxying multiple domains as a 'security kludge':

"This is NOT recommended (I personally believe that virtual hosts should be implemented in the back-end servers - putting this in a proxy is a major security kludge) but it works."

Why? What do they mean? Full extract below.

Quoted from http://www.apsis.ch/pound/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
VIRTUAL HOSTS (IN GENERAL)
Some people asked about the possibility of redirecting requests to back-ends as per some virtual hosts definition. While I believe this is not Pound's job, it can be done. As of version 0.10, Pound supports filtering requests based not only on the request URL, but also on the presence or absence of certain headers.

Let's assume that you have internal server 192.168.0.10 that is supposed to serve the needs of virtual host www.server0.com and 192.168.0.11 that serves www.server1.com. You want Pound to listen on address 1.2.3.4 and separate the requests to each host. The config file would look something like this:

        ListenHTTP  1.2.3.4,80

        UrlGroup    ".*"
        HeadRequire Host    ".*www.server0.com.*"
        BackEnd    192.168.0.10
        EndGroup

        UrlGroup    ".*"
        HeadRequire Host    ".*www.server1.com.*"
        BackEnd    192.168.0.11
        EndGroup

(add whatever else is necessary) or, if you want even safer filtering:

        ListenHTTP  1.2.3.4,80

        UrlGroup    ".*"
        HeadRequire Host    ".*www.server0.com.*"
        HeadDeny    Host    ".*www.server1.com.*"
        BackEnd    192.168.0.10
        EndGroup

        UrlGroup    ".*"
        HeadRequire Host    ".*www.server1.com.*"
        HeadDeny    Host    ".*www.server0.com.*"
        BackEnd    192.168.0.11
        EndGroup

This is NOT recommended (I personally believe that virtual hosts should be implemented in the back-end servers - putting this in a proxy is a major security kludge) but it works.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
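As an added illustration (not part of the thread above and not Pound's own code), here is a small Python model of the group matching in the quoted config. It assumes HeadRequire and HeadDeny are regex searches over the Host header value, that groups are tried in order with the first acceptable one winning, and that a group whose HeadDeny matches is skipped; the STRICT patterns are a hypothetical tightening of the quoted ones, not something the page proposes.

```python
import re

# Model of the first quoted config: (HeadRequire, HeadDeny, BackEnd) per UrlGroup.
LOOSE = [
    (r".*www.server0.com.*", None, "192.168.0.10"),
    (r".*www.server1.com.*", None, "192.168.0.11"),
]

# Model of the "even safer filtering" config: each group also denies the other host.
SAFER = [
    (r".*www.server0.com.*", r".*www.server1.com.*", "192.168.0.10"),
    (r".*www.server1.com.*", r".*www.server0.com.*", "192.168.0.11"),
]

# Hypothetical tightened patterns (assumption, not from the page): anchored at both
# ends, literal dots escaped, optional port suffix allowed.
STRICT = [
    (r"^www\.server0\.com(:[0-9]+)?$", None, "192.168.0.10"),
    (r"^www\.server1\.com(:[0-9]+)?$", None, "192.168.0.11"),
]


def route(groups, host):
    """Return the backend chosen for a Host header value, or None if no group
    accepts it (the proxy fails closed).  Matching is case-insensitive, which is
    an assumption about how Pound compiles its header regexes."""
    for require, deny, backend in groups:
        if not re.search(require, host, re.IGNORECASE):
            continue
        if deny is not None and re.search(deny, host, re.IGNORECASE):
            continue
        return backend
    return None


def audit(groups, hosts):
    """Map each constructed Host value to the backend the config would send it to."""
    return {host: route(groups, host) for host in hosts}


if __name__ == "__main__":
    # Constructed sample Host values: the two legitimate names, a value that
    # contains both names, and a value where the unescaped dots match any character.
    SAMPLE_HOSTS = ["www.server0.com", "www.server1.com",
                    "www.server1.com.www.server0.com", "wwwxserver0xcom"]
    for name, groups in (("LOOSE", LOOSE), ("SAFER", SAFER), ("STRICT", STRICT)):
        print(name, audit(groups, SAMPLE_HOSTS))
```

With the loose patterns an ambiguous Host value silently lands on whichever group is listed first, while the HeadDeny variant refuses it; only the anchored patterns reject values like `wwwxserver0xcom`.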