Forum OpenACS Q&A: How to use/configure Host Node Map

Posted by Torben Brosten on
Hello,

Where can I learn about host node mapping and how to use it?

Host node mapping appears to be a much more optimal way of configuring multiple websites on a single IP than using a reverse proxy, since the single aolserver instance shares the db pool for multiple websites etc.

This is all I find:

https://openacs.org/doc/subsites-design.html

Posted by Dave Bauer on
Well, it is a little tricky.

If you really want distinct sites, you can't do things like

1) mount notifications in the subsite
2) have the same email in more than one subsite

and other things I can't think of.

One other issue is force_host_p which should be modified for a list of canonical hosts for each mapping (or host node map should support it directly).

Otherwise it is simple to set up: just go to admin/ for the Main subsite and click Host Node Map and fill out the form. You can actually map to any site node, but you really need a subsite so people can log in etc.

I think this is an area where we should work through the issues and fix them.

Posted by Torben Brosten on
Yes. Serving multiple sites like this seems a really great way to optimize resources.

I just set up cvs head and 4 host nodes. Am going to see what I can do to make Host Node Mapping an easier choice.

Are there existing procs for dealing with base reference changes between nodes and mainsite, for example mainsite/resources/example.css vs. mainsite/subsite-node/resources/example.css ?

Posted by Torben Brosten on
Added site_node::conn_url which provides output like ns_conn url, but adjusts depending on if connection is via main domain or a site host_node.

Also added parameter UseHostnameDomainforReg to acs-tcl for easier management of host_node mapped domains that share the main domain's HTTPS connection for secure sessions and login. Revised ad_get_login_url accordingly. Default behavior is unchanged.

Still need a way to transfer session state between host_nodes (since the user account is shared between them). Any suggestions?

Posted by Torben Brosten on
This thread seems somewhat related: https://openacs.org/forums/message-view?message_id=2910725 but I'm not sure

I see that there really needs to be two parameters like Force_Host_p:

1. Force_Host_p (scope: Server-wide). On user registration, forces all SSL and logged-in connections to the host's main domain (as it does now).

2. Force_Node_p (scope: each site-node or main-site). Forces www.site-node-mapped-domain and site-node-mapped-domain to use one or the other consistently for session continuity with cookies (not implemented).

Does this make sense, or does Ded's code from the referenced thread automatically fix behavior to be consistent with Force_Node_p ?

Posted by Richard Hamilton on
Torben,

I have used virtual hosting a lot and over the years have read most of what there is to read about the options.

Leaving aside the outdated stuff, as you probably know Aolserver4.x has the ability to run multiple virtual host sites from a single config.tcl file. This represents a convenient method of keeping all servers within the master Aolserver process and conserves resources.

Advantages are that you can open pools to multiple databases which means that you can keep your clients' data separated at the database level. I think you can also implement logging at the server level. One downside is that you cannot bring any one server down independently without shutting down the whole shooting match.

The host-node map offered a means of mapping a subsite to a domain, but if I understand it correctly it relies on the request processor to do the redirecting. This means that all the reverse proxy logic and the security of the implementation is all taking place in the tcl layer. The only thing preventing a user of one subsite being able to see unrelated data from another subsite is the OpenACS code. Whilst this is probably extremely reliable, there is no backstop if you know what I mean.

Also, if the aolserver process hangs up, or is busy, or has maxed-out on requests for some reason, ALL your sites are down rather than just one. You can't re-start just one site without bringing everything down. If you suffer some data corruption it affects all sites. If you want to implement https listeners for every subsite, you'll have to hack the openssl code in OpenACS because at the moment it doesn't support multiple listeners as per the nsopenssl spec.

http://www.rubick.com/openacs/easy_virtual_hosting

I have had a look for some of the docs I have read in the past, and many of them have vanished!

Personally, I use Pound reverse proxying to separate Aolserver processes to keep everything separate for security reasons (every process runs under a different os user account and os permissions protect each server from the others). For a load of small static sites, or otherwise where security is not an issue, the built-in host-node map should come in handy. I confess that the last time I tried it was in OpenACS 4.6.3 and it didn't work properly! :-|

I don't know if any of this is helpful but I thought I'd post anyway.

Regards
Richard

Posted by Torben Brosten on
Thank you, Richard. I agree.

Both virtual hosting and host node mapping are important tools in optimizing the greening of operations using OpenACS (which is green to begin with) in that they conserve resources.

Running a reverse proxy in front of a bunch of aolserver instances has worked well for us over the years, but tends to use a little more RAM than other systems. Better performance is to be expected at the cost of more RAM when RAM/storage/processing usage are tracked. Still, we think virtual hosting and host node mapping will provide a way to get the improved performance of OpenACS without any significant offset, i.e., measurable cost savings.

The separate databases and shared database pools of virtual hosting are optimal for small sites with multiple clients.

Host node mapping seems to be an optimal alternate for sites operated by a single organization that wants to consolidate resources further, and offer a single user account shared between sites.

I want to help make virtual hosting a configuration option of OpenACS, once host node mapping is tamed.

cheers,

Torben

Posted by Dave Bauer on
Host node mapping is great when you want to share logins and passwords.

We developed a local hack to log you into multiple host node mapped sites with one login.

It basically uses a server side secret to redirect to the login page of the other subsite(s) when you log in to one, to get multiple login cookies.

Posted by Torben Brosten on
Hey Dave, that's great! I think it is a critical piece to host node mapping services. Can you share it, if not publish, then email to me?
Posted by Dave Bauer on
# packages/acs-subsite/www/register/hash-login.tcl      
# This allows logging a user into multiple host node mapped subsites using the auth token from a current login on one of the other host node mapped subsites                        
# TODO make sure the host is a valid host node mapped URL

ad_page_contract {

    auto-login using user_id, hash, time and token_id

    @author Deds Castillo
    @creation-date 2009-08-26
} {
    {user_id:optional,trim ""}
    {time:optional,trim ""}
    {hash:optional,trim ""}
    {return_url "/"}
    {host ""}
} -properties {
} -validate {
} -errors {
}

if { $user_id ne "" && \
         $time ne "" && \
         $hash ne "" } {

    set token [sec_get_user_auth_token $user_id]
    set computed_hash [ns_sha1 "$user_id$time$token"]

    set expiration_time 30
    if { [string compare $hash $computed_hash] != 0 || \
             $time < [ns_time] - $expiration_time } {
        # expired or wrong credentials                                          
    } else {
        ad_user_login $user_id
    }
}

if { [string match "http*" $return_url] } {
    set next_url $return_url
} else {
    set next_url "${host}${return_url}"
}

ad_returnredirect $next_url
Posted by Dave Bauer on
One way to support multiple unassociated hosts in one database is to support multiple local acs-authentication authorities and to key the unique username/email constraint on the authority_id.

This way you could have completely separate logins per host mapped subsite. As far as I know no one has implemented this yet.

Posted by Torben Brosten on
Dave, How is this called?
Posted by Dave Bauer on
In your login script you'd have a switch or whatever to figure out which host is the current one, and redirect to the other one.

Something like

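# Build the same hash that hash-login.tcl recomputes on the other host
set time [ns_time]
set token [sec_get_user_auth_token $user_id]
set hash [ns_sha1 "$user_id$time$token"]
set host "thishost.com"
# export_vars appends return_url, user_id, time, hash and host as query variables
ad_returnredirect -allow_full_url [export_vars -base "http://otherhost.com" {return_url user_id time hash host}]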
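
The hash-login exchange from the two posts above (the receiving page and the calling snippet), as an added sketch that is not part of the thread or of OpenACS. It is written in Python so it runs outside an OpenACS install, and it swaps in HMAC-SHA256 with delimited fields, a constant-time comparison, rejection of future-dated links, and a host allowlist for the open TODO. MAPPED_HOSTS, the function names and the sample hosts are assumptions.

```python
import hashlib
import hmac
import time
from urllib.parse import urlsplit

# Constructed sample values; a real site would read these from the host-node map.
MAPPED_HOSTS = {"thishost.com", "otherhost.com"}
MAX_AGE = 30  # seconds, the same window as expiration_time in hash-login.tcl


def make_hash(user_id, ts, token):
    """Sender side: covers the same fields as the thread's snippet, but keyed
    with the per-user auth token and with ':' between fields so the field
    boundaries are unambiguous."""
    msg = f"{user_id}:{ts}".encode()
    return hmac.new(token.encode(), msg, hashlib.sha256).hexdigest()


def verify_login(user_id, ts, supplied, token, now=None):
    """Receiver side: True only for a fresh, correctly keyed hash."""
    now = int(time.time()) if now is None else now
    try:
        ts = int(ts)
    except (TypeError, ValueError):
        return False
    if not 0 <= now - ts <= MAX_AGE:  # reject stale and future-dated links
        return False
    expected = make_hash(user_id, ts, token)
    return hmac.compare_digest(expected.encode(), str(supplied).encode())


def safe_next_url(return_url, host, default="/"):
    """Addresses the TODO in hash-login.tcl: redirect only to mapped hosts."""
    if "\\" in return_url:
        return default
    if return_url.startswith(("http://", "https://")):
        target_host = urlsplit(return_url).hostname
        return return_url if target_host in MAPPED_HOSTS else default
    if not return_url.startswith("/") or return_url.startswith("//"):
        return default
    if host not in MAPPED_HOSTS:
        return return_url  # unknown host parameter: stay on the current host
    return f"http://{host}{return_url}"
```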