Forum OpenACS Q&A: Re: OpenSSL, Host-Node Map and Subsites

Collapse
Posted by James Thornton on
Ok, so if you must use a proxy, couldn't the proxy also enable you to use SSL with subsites that use separate, disparate domains, such as www.mydomain1.com and www.mydomain2.com (i.e. when a wildcard cert isn't an option)?

For example, would this work...?

1. Pound (or another proxy) handles https handshake for :
  - www.mydomain1.com on external IP 1.2.3.4
  - www.mydomain2.com on external IP 1.2.3.5
2. Internal DNS set up with both domains pointing to same IP:
  - www.mydomain1.com on internal IP 192.168.0.1
  - www.mydomain2.com on internal IP 192.168.0.1
3. AOLserver instance running www.mydomain1.com on 192.168.0.1
4. OpenACS configured to use host-node-map to map:
  - www.mydomain2.com to www.mydomain1.com/mysubsite2/
5. Pound communicates with AOLsever using HTTP, not HTTPS,
  but Pound can tell OpenACS if the external connection is
  secure so OpenACS can enforce the require SSL on
  registration/log in (probably with a little modification to
  the OpenACS code)

Collapse
Posted by Bart Teeuwisse on
James,

I deleted my earlier post as I had misread your message.

Yes you can do this with Pound:

1. One Pound instance (p1) handles requests for www.mydomain1.com another (p2) for www.mydomain2.com. They handle both HTTP and HTTPS connections.

2. Both Pound instances proxy the same internal aolserver. All external requests are forwarded to aolserver as HTTP requests. Aolserver uses the header in the request to map the request to the appropriate sub-site.

3. Pound includes 'X-SSL-Request: true' to HTTPS requests forwarded to aolserver. Aolserver uses this information to detect HTTPS connections. I can provide modifications to the request processor to make this transparent to OpenACS.

There is no need to setup an internal DNS.

/Bart

Collapse
Posted by James Thornton on
I can provide modifications to the request processor to make this transparent to OpenACS.

That would be great. Please let me know when you post the code. Thanks.