Forum OpenACS Q&A: Re: Nsopenssl with virtual hosting

Posted by C. R. Oldham on
Angel,

If you are trying to virtual host multiple domains with a single IP address over https, that's not possible.  Here's a good explanation from the Pound website at http://www.apsis.ch/pound:

---
HTTPS does not allow virtual hosting

This is not a limitation of Pound, but of HTTPS - no Web server or proxy is able to do it due to the nature of the beast.

In order to see why this is the case we need to look at the way HTTPS works. Basically there are three stages in any HTTPS connection:

1. Connection negotiation - the client (your browser) and the server (Web server or proxy) negotiate the basic parameters: ciphers to use, session key, etc.
2. Connection authentication: at the very least the server presents the client with a certificate that says "I am server www.encrypted.com - and certificate.authority.org will verify that". The client may also present a certificate of its own at this stage.
3. Request/response cycle: normal HTTP is sent (through the encrypted channel) back and forth.
The vital point to notice here is that connection authentication takes place BEFORE any request was issued.

On the other hand, the way virtual hosting works is for the client to specify in the request to which server it would like to talk. This is accomplished via a Host header:

        GET /index.html HTTP/1.1
        Host: http://www.virthost.com

Combining the two we get to an impasse: on connection setup the server will reply with the certificate for "www.realhost.com", but the request is really for "www.virthost.com" - and most browsers will scream blue murder (as well they should) if the two do not match.
---

Posted by Bart Teeuwisse on
Angel,

It is not clear from your answer whether the 3 domains are subdomains of the same main domain or separate main domains. E.g. sub1.domain.com, sub2.domain.com & sub3.domain.com or www.domain1.com, www.domain2.com & www.domain3.com.

The difference is important as Pound can handle HTTPS connections for wildcard SSL certificates (*.domain.com). While C.R. is correct in that HTTPS doesn't allow virtual hosting, Pound can set up the SSL connection w/ the client and forward the request as an HTTP request to the backend server. Pound can only do that for 1 wildcard certificate.

I've made some modifications to OpenACS (not yet committed to CVS) that allow OpenACS to handle the proxied HTTPS requests (which OpenACS receives as HTTP requests w/ an additional HTTP header indicating that Pound received the requests as HTTPS) as if they are secure.

/Bart
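Bart's post has the backend receiving proxied HTTPS requests as plain HTTP plus an extra header set by Pound. As an added example (not code from the thread, Pound or OpenACS), here is how a backend can honour such a flag only when the TCP connection really comes from the proxy, since a client connecting directly could add the same header itself; the header name X-SSL-Request and the proxy address range are assumptions, not Pound's actual configuration.

```python
"""Deciding whether a proxied request was originally HTTPS without trusting
a spoofable header. Added example; the header name and proxy addresses are
constructed placeholders, not Pound's or OpenACS's real values."""
from ipaddress import ip_address, ip_network

# Constructed: addresses the reverse proxy connects from. Anything else is "the Internet".
TRUSTED_PROXIES = [ip_network("10.0.0.0/24"), ip_network("127.0.0.1/32")]
SSL_HEADER = "x-ssl-request"   # placeholder header name, compared case-insensitively


def request_is_secure(headers, peer_ip):
    """Return True only if a trusted proxy marked the request as HTTPS.

    headers: dict of header name -> value as received on the TCP connection.
    peer_ip: source address of the TCP connection itself, not any header value.
    """
    peer = ip_address(peer_ip)
    from_proxy = any(peer in net for net in TRUSTED_PROXIES)
    # HTTP header names are case-insensitive, so normalise before looking up.
    flag = {k.lower(): v.strip() for k, v in headers.items()}.get(SSL_HEADER)
    # The flag only means something when the connection comes from the proxy;
    # from any other peer it is treated as absent.
    return from_proxy and flag == "1"


def parse_request_head(raw):
    """Parse the request line and headers of an HTTP/1.1 request head (CRLF-separated)."""
    lines = raw.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:          # empty line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


# Constructed sample: what the backend sees after Pound has terminated TLS.
PROXIED = "GET /index.html HTTP/1.1\r\nHost: www.domain1.com\r\nX-SSL-Request: 1\r\n\r\n"
# Constructed sample: a direct client presenting the same header itself.
FORGED = "GET /index.html HTTP/1.1\r\nHost: www.domain1.com\r\nx-ssl-request: 1\r\n\r\n"

if __name__ == "__main__":
    print(request_is_secure(parse_request_head(PROXIED)["headers"], "10.0.0.5"))    # True
    print(request_is_secure(parse_request_head(FORGED)["headers"], "203.0.113.9"))  # False
```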

Posted by Angel Francisco Marcos Alonso on
Three separate domains. www.domain1.com www.domain2.com www.domain3.com
Posted by Bart Teeuwisse on
Angel,

As C.R. mentioned, that is not possible with HTTPS. Each domain will have to have a direct Internet connection w/o a reverse proxy in between.

This is a restriction imposed by HTTPS and not by AOLServer or OpenACS.

/Bart