Forum OpenACS Q&A: Re: OpenSSL, Host-Node Map and Subsites

Posted by James Thornton on
Yeah, I was just posting his response here for the archive.

But, since the host-node-map, as I understand it, requires that all hosts point to the same IP, does that mean that SSL cannot be made to work for subsites using the host-node-map functionality?

If all the hosts were in the form of subsite1.mydomain.com and subsite2.mydomain.com, you could use a wildcard SSL cert, but that will not always be the case.

Posted by Bart Teeuwisse on
James,

that is correct. Only subsites that are subdomains of the same parent domain, in conjunction with a wildcard SSL certificate, could be secured. However, I don't know if aolserver's virtual hosting supports wildcard certificates. I do know that Pound can. If aolserver doesn't support wildcard certificates with virtual hosting you could place pound in front of aolserver to handle the SSL connections on behalf of aolserver.

/Bart

Posted by James Thornton on
Ok, so if you must use a proxy, couldn't the proxy also enable you to use SSL with subsites that use separate, disparate domains, such as www.mydomain1.com and www.mydomain2.com (i.e. when a wildcard cert isn't an option)?

For example, would this work...?

1. Pound (or another proxy) handles the HTTPS handshake for:
  - www.mydomain1.com on external IP 1.2.3.4
  - www.mydomain2.com on external IP 1.2.3.5
2. Internal DNS set up with both domains pointing to same IP:
  - www.mydomain1.com on internal IP 192.168.0.1
  - www.mydomain2.com on internal IP 192.168.0.1
3. AOLserver instance running www.mydomain1.com on 192.168.0.1
4. OpenACS configured to use host-node-map to map:
  - www.mydomain2.com to www.mydomain1.com/mysubsite2/
5. Pound communicates with AOLserver using HTTP, not HTTPS,
  but Pound can tell OpenACS if the external connection is
  secure so OpenACS can enforce the require-SSL setting on
  registration/login (probably with a little modification to
  the OpenACS code)
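The layout sketched in the five steps above, written out as a Pound configuration. This is an added example, not configuration from the original thread or from the OpenACS project; the certificate paths, the backend port 8000, the marker header name and the choice of one Pound instance with four listeners (rather than one instance per domain) are assumptions. The one point that matters for security is that the plain-HTTP listeners strip the marker header, so a client cannot claim to be on HTTPS by sending it directly to port 80:

```conf
# Added example: one Pound instance terminating TLS for two unrelated
# domains on two external IPs and forwarding everything as plain HTTP
# to a single AOLserver/OpenACS backend (assumed at 192.168.0.1:8000).

User    "www-data"
Group   "www-data"
LogLevel 1
Alive   30

# ---- www.mydomain1.com on 1.2.3.4 ----------------------------------
ListenHTTP
    Address 1.2.3.4
    Port    80
    # Never trust a client-supplied marker on the cleartext listener.
    HeadRemove "X-SSL-Request"
    Service
        BackEnd
            Address 192.168.0.1
            Port    8000
        End
    End
End

ListenHTTPS
    Address 1.2.3.4
    Port    443
    Cert    "/etc/pound/www.mydomain1.com.pem"   # assumed path
    # Tell the backend this request was HTTPS at the edge.
    AddHeader "X-SSL-Request: true"
    Service
        BackEnd
            Address 192.168.0.1
            Port    8000
        End
    End
End

# ---- www.mydomain2.com on 1.2.3.5 ----------------------------------
ListenHTTP
    Address 1.2.3.5
    Port    80
    HeadRemove "X-SSL-Request"
    Service
        BackEnd
            Address 192.168.0.1
            Port    8000
        End
    End
End

ListenHTTPS
    Address 1.2.3.5
    Port    443
    Cert    "/etc/pound/www.mydomain2.com.pem"   # assumed path
    AddHeader "X-SSL-Request: true"
    Service
        BackEnd
            Address 192.168.0.1
            Port    8000
        End
    End
End
```

No internal DNS entry is needed: Pound passes the original Host header through unchanged, and the host-node-map on the OpenACS side maps www.mydomain2.com to the subsite. Because the backend answers plain HTTP on 192.168.0.1:8000, firewall that port so only the proxy host can reach it; otherwise anyone on the internal network could connect directly and set X-SSL-Request themselves.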

Posted by Bart Teeuwisse on
James,

I deleted my earlier post as I had misread your message.

Yes you can do this with Pound:

1. One Pound instance (p1) handles requests for www.mydomain1.com, another (p2) for www.mydomain2.com. They handle both HTTP and HTTPS connections.

2. Both Pound instances proxy the same internal aolserver. All external requests are forwarded to aolserver as HTTP requests. Aolserver uses the header in the request to map the request to the appropriate sub-site.

3. Pound includes 'X-SSL-Request: true' to HTTPS requests forwarded to aolserver. Aolserver uses this information to detect HTTPS connections. I can provide modifications to the request processor to make this transparent to OpenACS.

There is no need to set up an internal DNS.

/Bart
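One way the detection in step 3 can be done on the AOLserver side, as an added example in Tcl. This is not Bart's request-processor modification and not OpenACS code; the proc names, the trusted-peer list and the header name are assumptions. The check refuses to believe X-SSL-Request unless the TCP peer is the proxy, so a request that bypasses Pound cannot upgrade itself to "secure":

```tcl
# Added example (not OpenACS code): decide whether the external
# connection was HTTPS when AOLserver itself only ever sees plain HTTP
# from Pound.
#
# Assumptions (not from the thread): Pound's HTTPS listeners add
# "X-SSL-Request: true", its HTTP listeners strip that header, and Pound
# connects to AOLserver from one of the addresses listed below.

# Peers allowed to assert X-SSL-Request. Use 127.0.0.1 when Pound runs
# on the same host as AOLserver; anything else is ignored.
set ::proxy_ssl_trusted_peers {192.168.0.1 127.0.0.1}

# Returns 1 if the request reached the proxy over HTTPS, else 0.
# $headers is an ns_set of request headers, $peeraddr the TCP peer.
proc proxy_ssl_request_p { headers peeraddr } {
    if { [lsearch -exact $::proxy_ssl_trusted_peers $peeraddr] == -1 } {
        # Direct connection, not via the proxy: the header is untrusted.
        return 0
    }
    # ns_set iget is case-insensitive on the key and returns "" if absent.
    set flag [string tolower [string trim [ns_set iget $headers X-SSL-Request]]]
    return [expr {$flag eq "true"}]
}

# Convenience wrapper for use inside the request processor, where
# ns_conn gives access to the current connection.
proc conn_ssl_p {} {
    return [proxy_ssl_request_p [ns_conn headers] [ns_conn peeraddr]]
}
```

In the request processor, `conn_ssl_p` would be consulted where OpenACS currently decides whether a connection is secure (for the require-SSL check on registration and login); with the proxy in front, the `https` driver is never used, so that decision has to come from the forwarded header rather than from the connection itself.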

Posted by James Thornton on
I can provide modifications to the request processor to make this transparent to OpenACS.

That would be great. Please let me know when you post the code. Thanks.