Forum OpenACS Q&A: OpenACS with virtual hosting

Does OpenACS work with virtual hosting in AOLServer 4?
Posted by Bart Teeuwisse on
I recommend using Pound (http://www.apsis.ch/pound/) instead.

/Bart

Posted by Dion Sweat on
From http://www.apsis.ch/pound/

<snip>

VIRTUAL HOSTS (IN GENERAL)

Some people asked about the possibility of redirecting requests to back-ends as per some virtual hosts definition. While I believe this is not Pound's job, it can be done. As of version 0.10, Pound supports filtering requests based not only on the request URL, but also on the presence or absence of certain headers.

Let's assume that you have internal server 192.168.0.10 that is supposed to serve the needs of virtual host www.server0.com and 192.168.0.11 that serves www.server1.com. You want Pound to listen on address 1.2.3.4 and separate the requests to each host. The config file would look something like this:

        ListenHTTP  1.2.3.4,80

        UrlGroup    ".*"
        HeadRequire Host    ".*www.server0.com.*"
        BackEnd    192.168.0.10
        EndGroup

        UrlGroup    ".*"
        HeadRequire Host    ".*www.server1.com.*"
        BackEnd    192.168.0.11
        EndGroup

(add whatever else is necessary) or, if you want even safer filtering:

        ListenHTTP  1.2.3.4,80

        UrlGroup    ".*"
        HeadRequire Host    ".*www.server0.com.*"
        HeadDeny    Host    ".*www.server1.com.*"
        BackEnd    192.168.0.10
        EndGroup

        UrlGroup    ".*"
        HeadRequire Host    ".*www.server1.com.*"
        HeadDeny    Host    ".*www.server0.com.*"
        BackEnd    192.168.0.11
        EndGroup

This is NOT recommended (I personally believe that virtual hosts should be implemented in the back-end servers - putting this in a proxy is a major security kludge) but it works.

</snip>

Sounds like the author doesn't think it's a good idea?...

Posted by Angel Francisco Marcos Alonso on
Any way to do it without pound?
Posted by C. R. Oldham on
You can also configure a virtual hosting setup using AOLserver 4 and the nsvhr module, but again that means running separate AOLserver instances for each virtual host, as opposed to running all virtual hosts within one AOLserver instance.

Fairly accurate documentation is here:

http://borkware.com/rants/aolserver-vhosting/

One big advantage to the multiple server method is that you can hit your individual servers directly.  This is a big help when troubleshooting.

Posted by C. R. Oldham on
Setting my reply above aside, however, I installed and configured Pound for my little 2-virtual host setup last night in about 30 minutes.  And that included backporting the Pound 1.5 package from Debian Unstable to the stable release and upgrading it to Pound 1.6.  It works very well so far.

Caveat: my hosts don't get a lot of traffic.

Note that in AOLserver 4.0, the nslog module already knows to look for the X-Forwarded-For: header, so you don't need to play tricks with the logs anymore.  The IP address of the client is in the correct place in the access.log file now.

Posted by Bart Teeuwisse on
Last I tried the patch mentioned at http://borkware.com/rants/aolserver-vhosting/ it didn't work for AOLServer 4.x. The code of 4.x has been overhauled and it appears that the patch doesn't apply to 4.x at all.

Regarding the cautionary note of the author of Pound, I would say that there are as many opinions as people. The security risk is minimal and in the case of AOLServer the backend support for virtual hosting is rather minimal. Using Pound for virtual hosting isn't any riskier than say using Squid or any other reverse proxy.

I've done some extensive research into virtual hosting w/ AOLServer and OpenACS. There are other options (like Squid, or AOLServer + nsvhr, but w/o X-Forwarded-For headers) but I came to the conclusion that Pound is by far the best solution.

/Bart

Posted by Mark Bucciarelli on
Hi Bart,

A couple questions ...

I just finished reading through the Pound mailing list thread you initiated this past February.  From that thread resolution (hard work!), it looks like the latest and greatest Pound will work with AOL Server.  What version of Pound are you using on your production server(s)?

As far as I can see, the only additional security risk of using a reverse proxy is that you are adding another layer, and that layer (the reverse proxy) may have some kind of exploit.  This risk looks minimal with Pound.  Did you have any other risks in mind when you wrote the parent post?

Finally, can you provide any data points on RAM vs. # of AOLServer Instances?  I have a box with 512MB of RAM that I will be using for virtual hosting and I am considering using AOLServer and OpenACS.  (Catherine Meeks gave me a brief overview at a conference this weekend, and I'm pretty excited by the possibilities ...)

Mark

Posted by Bart Teeuwisse on
Mark,

that's right, another layer that could be exploited. I'm running production w/ the previous Pound 1.6 current (no longer available from Apsis as it has been replaced w/ a newer version). I haven't tried this new version.

I can't give you hard data points but as a comparison I'm running 3 AOLserver instances on a single processor w/ 640 Mb quite comfortably. Mind you all these sites are small sites. The Code Mill (http://www.thecodemill.biz) gets the most hits. Nothing to write home about though.

Maybe others who provide virtual hosting can give more detailed information.

/Bart

Posted by Richard Hamilton on
Bart,

I saw in another thread your comment that Pound doesn't handle HTML streaming very well. I am not sure what you mean by HTML streaming - do you mean as in the old fashioned apm install pages where the postgres standard output was piped to the browser?

If so, is this still an issue or has it been fixed in Pound?

I am just trying to decide how to replace my VERY reliable ad33.13 nsunix based reverse proxy set-up so that I can run OpenACS 5.2 and later on Aolserver v4.

Regards
Richard

Posted by Bart Teeuwisse on
Richard,

Pound supports streaming HTML from version 1.7 on. Pound + AOLserver 4.x + nsopenssl 3.x has been proven to be very stable as well.

/Bart

Posted by Richard Hamilton on
Thanks Bart.

I have been trying to work out the best way to go about this because I really don't want all my openacs services being run by the same user (because then all the db passwords are visible to a single user in the config.tcl files if aolserver is compromised).

My only remaining concern is the fact that the Pound developers refer to reverse proxying multiple domains as a 'security kludge':

"This is NOT recommended (I personally believe that virtual hosts should be implemented in the back-end servers - putting this in a proxy is a major security kludge) but it works."

Why? What do they mean? Full extract below.

Quoted from http://www.apsis.ch/pound/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
VIRTUAL HOSTS (IN GENERAL)
Some people asked about the possibility of redirecting requests to back-ends as per some virtual hosts definition. While I believe this is not Pound's job, it can be done. As of version 0.10, Pound supports filtering requests based not only on the request URL, but also on the presence or absence of certain headers.

Let's assume that you have internal server 192.168.0.10 that is supposed to serve the needs of virtual host www.server0.com and 192.168.0.11 that serves www.server1.com. You want Pound to listen on address 1.2.3.4 and separate the requests to each host. The config file would look something like this:

        ListenHTTP  1.2.3.4,80

        UrlGroup    ".*"
        HeadRequire Host    ".*www.server0.com.*"
        BackEnd    192.168.0.10
        EndGroup

        UrlGroup    ".*"
        HeadRequire Host    ".*www.server1.com.*"
        BackEnd    192.168.0.11
        EndGroup

(add whatever else is necessary) or, if you want even safer filtering:

        ListenHTTP  1.2.3.4,80

        UrlGroup    ".*"
        HeadRequire Host    ".*www.server0.com.*"
        HeadDeny    Host    ".*www.server1.com.*"
        BackEnd    192.168.0.10
        EndGroup

        UrlGroup    ".*"
        HeadRequire Host    ".*www.server1.com.*"
        HeadDeny    Host    ".*www.server0.com.*"
        BackEnd    192.168.0.11
        EndGroup

This is NOT recommended (I personally believe that virtual hosts should be implemented in the back-end servers - putting this in a proxy is a major security kludge) but it works.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
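As an added illustration (not code from the Pound page or from anyone in this thread) of the Host-header grouping quoted above, both in Dion's post and in Richard's repost: a small Python model of the UrlGroup / HeadRequire / HeadDeny selection described there, applied to the two quoted configurations plus a third, anchored variant that is my own addition. It assumes patterns are unanchored regexes matched against the header value, a simplification of Pound's POSIX regex matching, and shows why the loose `.*www.server0.com.*` patterns admit look-alike and ambiguous Host values that the HeadDeny and anchored forms reject.

```python
import re

# Model of the selection rule described on the quoted Pound page: groups are
# tried in order; the first one whose URL pattern and every HeadRequire pattern
# match, and none of whose HeadDeny patterns match, supplies the BackEnd.
# Assumption: each pattern is an unanchored regex applied to the header value.

def _matches(pattern, value):
    return value is not None and re.search(pattern, value) is not None

def select_backend(groups, url, headers):
    """Return the BackEnd of the first matching group, or None if no group matches."""
    for g in groups:
        if not _matches(g["url"], url):
            continue
        if not all(_matches(p, headers.get(h)) for h, p in g.get("require", [])):
            continue
        if any(_matches(p, headers.get(h)) for h, p in g.get("deny", [])):
            continue
        return g["backend"]
    return None

# The two configurations from the quoted page, transcribed as data.
LOOSE = [
    {"url": ".*", "require": [("Host", ".*www.server0.com.*")], "backend": "192.168.0.10"},
    {"url": ".*", "require": [("Host", ".*www.server1.com.*")], "backend": "192.168.0.11"},
]
SAFER = [
    {"url": ".*", "require": [("Host", ".*www.server0.com.*")],
     "deny": [("Host", ".*www.server1.com.*")], "backend": "192.168.0.10"},
    {"url": ".*", "require": [("Host", ".*www.server1.com.*")],
     "deny": [("Host", ".*www.server0.com.*")], "backend": "192.168.0.11"},
]
# Added variant (not from the page): anchored names with escaped dots and an
# optional port, so only the exact virtual host names qualify.
STRICT = [
    {"url": ".*", "require": [("Host", r"^www\.server0\.com(:\d+)?$")], "backend": "192.168.0.10"},
    {"url": ".*", "require": [("Host", r"^www\.server1\.com(:\d+)?$")], "backend": "192.168.0.11"},
]

def route_table(hosts):
    """Map each Host value to its (loose, safer, strict) backend choice."""
    return {h: tuple(select_backend(c, "/", {"Host": h}) for c in (LOOSE, SAFER, STRICT))
            for h in hosts}

if __name__ == "__main__":
    # Constructed sample Host values: exact, with port, ambiguous, look-alike, unknown.
    samples = ["www.server0.com", "www.server1.com:8080",
               "www.server0.com.www.server1.com", "wwwXserver0Xcom", "other.example"]
    for host, (loose, safer, strict) in route_table(samples).items():
        print(f"{host:33} loose={loose} safer={safer} strict={strict}")
```

The ambiguous value satisfies both loose groups and silently goes to the first backend, while the HeadDeny variant refuses it and the anchored variant refuses both it and the look-alike with unescaped dots.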

Posted by Richard Hamilton on
Sorry, I wouldn't have posted the whole thing again if I'd realised that it was already on this thread!

However, I would still be very grateful for an answer if anyone knows because it wasn't actually answered above.

Failing that I will email the developers and see if they will shed some light on their opinions.

Regards
Richard

Posted by Richard Hamilton on
Sorry again - Bart answered later in the thread!

Does anyone know exactly what security concerns the Pound authors had?

Posted by Mark Aufflick on
Just another datapoint for you. I proxy to multiple openacs instances with the Apache reverse proxy module.

The choice was mostly from convenience - the server was already a hosting server running Apache 2.0 with virtual servers, so I just had to add the appropriate config entries and Bob was my Uncle.

These sites only see a moderate amount of traffic. The server also hosts another openacs instance directly on its own IP with ssl (I don't believe there is a way to reverse proxy ssl without kludges, although I seem to remember pound can?), a number of apache virtual hosts and a number of email domains.

It's actually a vmware virtual machine sharing a compaq server with another virtual machine. This particular virtual machine has 1006 Mb Ram, a gig of swap (again on virtualized hard disk on a scsi 5 raid). There are 3 openacs sites, one dotLRN site (which uses more ram) using a variety of aolserver and postgres versions. It averages about 960 meg ram used and 242 meg swap used.

It hasn't skipped a beat so far, and I love the flexibility of the apache proxy - I can reload the config to add another virtual site without a millisecond of outage to the other sites.

I can also configure a custom html error page to show when the aolserver sites are unreachable during the (long) openacs startup time which is nice.

Posted by Andrew Piskorski on
I don't know what the maintainer (Robert Segall, presumably) of the Pound website was smoking when he wrote that "don't do virtual hosting" stuff above, as AFAICT it is nonsense. If you're going to do virtual hosting based on the HTTP "Host:" header, Pound (or one of its competitors) appears to be the ideal place to do that.

Btw, I hear that Pound is excellent, lots of folks here who should know use and are happy with it. Also, a while back they also fixed the "HTML streaming" problem pretty quickly after some folks here or on the AOLserver list (I forget which) raised the issue, which was very pleasant. The fact that one of its maintainers appears to have a few blinders on when it comes to host based virtual hosting shouldn't do any serious harm...