Forum OpenACS Q&A: Re: OpenSSL, Host-Node Map and Subsites
But, since the host-node-map, as I understand it, requires that all hosts point to the same IP, does that mean that SSL cannot be made to work for subsites using the host-node-map functionality?
If all the hosts were in the form of subsite1.mydomain.com and subsite2.mydomain.com, you could use a wildcard SSL cert, but that will not always be the case.
that is correct. Only subsites who are subdomains of the same parent domain in conjunction with a wildcard SSL certificate could be secured. However, I don't know if aolserver's virtual hosting supports wildcard certificates. I do know that Pound can. If aolserver doesn't support wildcard certificates with virtual hosting you could place pound in front of aolserver to handle the SSL connections on behalf of aolserver.
For example, would this work...?
1. Pound (or another proxy) handles https handshake for :
- www.mydomain1.com on external IP 184.108.40.206
- www.mydomain2.com on external IP 220.127.116.11
2. Internal DNS set up with both domains pointing to same IP:
- www.mydomain1.com on internal IP 192.168.0.1
- www.mydomain2.com on internal IP 192.168.0.1
3. AOLserver instance running www.mydomain1.com on 192.168.0.1
4. OpenACS configured to use host-node-map to map:
- www.mydomain2.com to www.mydomain1.com/mysubsite2/
5. Pound communicates with AOLsever using HTTP, not HTTPS,
but Pound can tell OpenACS if the external connection is
secure so OpenACS can enforce the require SSL on
registration/log in (probably with a little modification to
the OpenACS code)
I deleted my earlier post as I had misread your message.
Yes you can do this with Pound:
1. One Pound instance (p1) handles requests for www.mydomain1.com another (p2) for www.mydomain2.com. They handle both HTTP and HTTPS connections.
2. Both Pound instances proxy the same internal aolserver. All external requests are forwarded to aolserver as HTTP requests. Aolserver uses the header in the request to map the request to the appropriate sub-site.
3. Pound includes 'X-SSL-Request: true' to HTTPS requests forwarded to aolserver. Aolserver uses this information to detect HTTPS connections. I can provide modifications to the request processor to make this transparent to OpenACS.
There is no need to setup an internal DNS.
That would be great. Please let me know when you post the code. Thanks.