Forum OpenACS Q&A: Subsite Registration Redirecting to

I'm trying to configure OpenACS 5.1.1 subsites to work with Pound for SSL connections.

I have modified security::secure_conn_p to check for the X-SSL-Request header, and return true if the header value is set to true (X-SSL-Request is an extra header that I have told Pound to send when it's a secure connection).

But, when using the host-node-map where...

...points to...

...going to...

...redirects to...

(notice that it redirects to https since I have OpenACS configured to restrict registration to SSL).

However, when the host-node-map is not used, going to...

...redirects as it should to...

I am not that familiar with the request processor, but I have been trying to trace through the code to find out where this is happening.

I am hoping someone more familiar with the request processor could enlighten me. I know Bart has worked on this, but he is slammed right now.


I found it -- in security::get_secure_location, you have to change the following line:

set secure_location [ad_conn location]

set secure_location $current_location

Now I just have to figure out why going to returns nothing.

Ok, I think I have found all the required modifications to make subsites play nicely with a Pound proxy handling the SSL connections. I wrote up them up here and included a sample Pound configuration file:

Thanks for sharing this, James. I have a similar situation (not using pound, though) and the modification to get_secure_location helped. Have you given any consideration as to whether your change or some variation could make it into the toolkit so sites don't have to modify core code to support this use case? Also, I'm curious if you been able to restrict the entire host-node mapped subsite to SSL. I haven't had any luck doing that to this point. I've tried several syntax variations in the subsite's RestrictToSSL parameter to no avail.
Michael, what method are you using since you aren't using Pound? -- are you using another external proxy? It wouldn't be hard to add this to the toolkit so that you could enable it via a package param, and it would be proxy-independent, as long as you can configure the proxy to pass in a custom header for secure connections -- all we would need is a standard header and value, such as X-SSL-Request: 1. I have not tried to restrict the entire host-node-mapped subsite to SSL so I have not seen that problem.