Forum OpenACS Q&A: Re: OpenSSL, Host-Node Map and Subsites
At the moment, the mapped host simply has a DNS entry aliased to the primary host's IP and then the host-node-map takes over, but I don't see how this can work with SSL since the mapped host will need its own SSL key.
AFAIK, aolserver virtual hosting can't support multiple SSL certificates. There is only one aolserver instance running listening to 1 port. Per definition of the SSL protocol this port can handle only one certificate. At best this is a wildcard certificate which certifies *.domain-name.
You will have to run multiple aolserver instances at different IP addresses and/or different ports in order to use multiple SSL certificates.
Bart, I read in other threads that you were doing some research on AOLserver virtual hosting methods -- did you research this?
I sent e-mail to Scott asking about it.
Scott Goodwin's response:
OpenACS allows you to create subsites under the main site so that you can run multiple sites from the same code and database. For example:
With the OpenACS host-node-map utility, you can map any hostname to the subsite, hiding its relation to the main site. For example:
- Main Site: http://www.mainsite.com/
- Subsite: http://www.mainsite.com/my-subsite/
You could map
...where www.my-subsite.com and www.mainsite.com point to the same IP.
We are trying to determine the best way to enable SSL on subsites that use mapped hosts since each subsite/host will need its own certificate.
I was hoping nsopenssl 3.x would allow you to set up multiple drivers for an nsd so that you could use a the same IP address and port with a separate sslcontext and hostname. But, when I tested that, it didn't work in that it always used the last driver specified in the AOLserver config file.
Unfortunately, this isn't possible and it has to do with the SSL spec. When a client connects, the first thing that happens is the SSL handshake. Your server doesn't even know what URL, and hence, which subsite the connection is destined for until after the SSL handshake is done.
The only way to do what you want is to add multiple IP addresses to your ethernet card and assign each address to a different subsite. This way you can attach a cert on a subsite basis. nsd listens on a different address for each subsite and so knows which cert to use.
But, since the host-node-map, as I understand it, requires that all hosts point to the same IP, does that mean that SSL cannot be made to work for subsites using the host-node-map functionality?
If all the hosts were in the form of subsite1.mydomain.com and subsite2.mydomain.com, you could use a wildcard SSL cert, but that will not always be the case.
that is correct. Only subsites who are subdomains of the same parent domain in conjunction with a wildcard SSL certificate could be secured. However, I don't know if aolserver's virtual hosting supports wildcard certificates. I do know that Pound can. If aolserver doesn't support wildcard certificates with virtual hosting you could place pound in front of aolserver to handle the SSL connections on behalf of aolserver.
For example, would this work...?
1. Pound (or another proxy) handles https handshake for :
- www.mydomain1.com on external IP 126.96.36.199
- www.mydomain2.com on external IP 188.8.131.52
2. Internal DNS set up with both domains pointing to same IP:
- www.mydomain1.com on internal IP 192.168.0.1
- www.mydomain2.com on internal IP 192.168.0.1
3. AOLserver instance running www.mydomain1.com on 192.168.0.1
4. OpenACS configured to use host-node-map to map:
- www.mydomain2.com to www.mydomain1.com/mysubsite2/
5. Pound communicates with AOLsever using HTTP, not HTTPS,
but Pound can tell OpenACS if the external connection is
secure so OpenACS can enforce the require SSL on
registration/log in (probably with a little modification to
the OpenACS code)
I deleted my earlier post as I had misread your message.
Yes you can do this with Pound:
1. One Pound instance (p1) handles requests for www.mydomain1.com another (p2) for www.mydomain2.com. They handle both HTTP and HTTPS connections.
2. Both Pound instances proxy the same internal aolserver. All external requests are forwarded to aolserver as HTTP requests. Aolserver uses the header in the request to map the request to the appropriate sub-site.
3. Pound includes 'X-SSL-Request: true' to HTTPS requests forwarded to aolserver. Aolserver uses this information to detect HTTPS connections. I can provide modifications to the request processor to make this transparent to OpenACS.
There is no need to setup an internal DNS.
That would be great. Please let me know when you post the code. Thanks.