Posted to dev@lenya.apache.org by Michael Wechner <mi...@wyona.com> on 2007/05/08 23:11:46 UTC

SSL and proxy [WAS: Re: [FREEZE-ANNOUNCEMENT] 1.4 Release Candidate 1, Attempt 2]

Joern Nettingsmeier wrote:

> Richard Frovarp wrote:
>
>> Andreas Hartmann wrote:
>>
>>> Joern Nettingsmeier wrote:
>>>
>>> [...]
>>>
>>>  
>>>
>>>> i think this is a really fundamental issue with lenya, and fixing it
>>>> requires very intrusive changes (see my other post)... the way i see it,
>>>> we should do something half-assed and non-intrusive for the RC and aim
>>>> for a clean solution by the time of the hackathon.
>>>>     
>>>
>>>
>>> OK, that sounds reasonable. What changes are necessary to make it
>>> (kind-of) work for the moment? Do you have the time to take care
>>> of it? I don't have a proxied setup running ATM.
>>>
>>> -- Andreas
>>>
>>>
>>>   
>>
>> It does kind of work at the moment. The only caveat is if you have 
>> the editing under SSL you have to base it at the root level
>>
>> https://example.com/default/authoring
>
>
> which is a bummer, because, as remarked in another thread, you cannot 
> use name-based virtual hosting together with ssl.


I am not sure I understand correctly what you mean.

I think one can set up a name based vhost for 80 and another name based
vhost for 443 (with the same name but different port) and then point 
from these two vhosts to the same Tomcat either pointing

80 -> 8080 and 443 -> 8080

or

80 -> 8080 and 443 -> 8443

for instance. Or do I misunderstand something?

Cheers

Michael

> which means the lenya deployment will interfere with existing stuff....
>


-- 
Michael Wechner
Wyona      -   Open Source Content Management   -    Apache Lenya
http://www.wyona.com                      http://lenya.apache.org
michael.wechner@wyona.com                        michi@apache.org
+41 44 272 91 61


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lenya.apache.org
For additional commands, e-mail: dev-help@lenya.apache.org


Re: SSL and proxy [WAS: Re: [FREEZE-ANNOUNCEMENT] 1.4 Release Candidate 1, Attempt 2]

Posted by Joern Nettingsmeier <ne...@folkwang-hochschule.de>.
Michael Wechner wrote:
> Joern Nettingsmeier wrote:
> 
>> Richard Frovarp wrote:
>>
>>> Andreas Hartmann wrote:
>>>
>>>> Joern Nettingsmeier wrote:
>>>>
>>>> [...]
>>>>
>>>>  
>>>>
>>>>> i think this is a really fundamental issue with lenya, and fixing it
>>>>> requires very intrusive changes (see my other post)... the way i see it,
>>>>> we should do something half-assed and non-intrusive for the RC and aim
>>>>> for a clean solution by the time of the hackathon.
>>>>>     
>>>>
>>>>
>>>> OK, that sounds reasonable. What changes are necessary to make it
>>>> (kind-of) work for the moment? Do you have the time to take care
>>>> of it? I don't have a proxied setup running ATM.
>>>>
>>>> -- Andreas
>>>>
>>>>
>>>>   
>>>
>>> It does kind of work at the moment. The only caveat is if you have 
>>> the editing under SSL you have to base it at the root level
>>>
>>> https://example.com/default/authoring
>>
>>
>> which is a bummer, because, as remarked in another thread, you cannot 
>> use name-based virtual hosting together with ssl.
> 
> I am not sure I understand correctly what you mean.
> 
> I think one can set up a name based vhost for 80 and another name based
> vhost for 443 (with the same name but different port) and then point 
> from these two vhosts to the same Tomcat either pointing
> 
> 80 -> 8080 and 443 -> 8080
> 
> or
> 
> 80 -> 8080 and 443 -> 8443
> 
> for instance. Or do I misunderstand something?

consider a web server with multiple name-based virtual webservers.
a few are using lenya. to clean up the urls, an apache proxy is used and 
lenya is configured accordingly. so localhost:8888/client-site1/live 
will become www.foo.com, and localhost:8888/client-site2/live will be 
www.bar.com.

for security reasons, i want authoring to be ssl-protected.
it is not possible to use name-based virtual hosting with ssl. so i can 
only have one ssl vhost, https://www.baz.com.
since it's just authoring, weird urls are not a problem, so the obvious 
approach is to map localhost:8888/client-site1/authoring to 
https://www.baz.com/lenya/client-site1/authoring and so on.

unfortunately, this does not work. proxy support is broken. the 
workaround is to put it into the root context, 
https://www.baz.com/client-site1/authoring, which works because most 
links are absolute but omit the protocol and host.

problem is that this interferes with the ssl root namespace - people may 
be doing a lot of other stuff on their ssl host, and hogging the root 
may not be an option...




-- 
jörn nettingsmeier

home://germany/45128 essen/lortzingstr. 11/
http://spunk.dnsalias.org
phone://+49/201/491621

Kurt is up in Heaven now.
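
The link behaviour described in the message above, as an added example that is not part of the original post and not Lenya code: it resolves links the way a browser does and shows which requests fall outside the `/lenya` proxy mapping, why the root mapping works, and what a rewrite would have to do. The sample hrefs, the function names and the `addPrefix` step are assumptions made for illustration.

```javascript
// Added example. Hosts and paths come from the message above; the hrefs are
// constructed sample links of the kind described ("absolute but omit the
// protocol and host").
const BACKEND = "http://localhost:8888";

// Two candidate mappings for the single SSL vhost (pathPrefix is the part of
// the public path that the proxy strips before forwarding).
const PREFIXED = { origin: "https://www.baz.com", pathPrefix: "/lenya" };
const ROOT = { origin: "https://www.baz.com", pathPrefix: "" };

// Backend URL a public URL is forwarded to, or null when the request falls
// outside the mapping and lands on whatever else the SSL host serves.
function toBackend(publicUrl, mapping) {
  const u = new URL(publicUrl);
  if (u.origin !== mapping.origin) return null;
  if (mapping.pathPrefix && !u.pathname.startsWith(mapping.pathPrefix + "/")) return null;
  return BACKEND + u.pathname.slice(mapping.pathPrefix.length) + u.search;
}

// Resolve every href the way a browser does against the page URL, then see
// where the proxy would send the resulting request.
function traceLinks(pageUrl, hrefs, mapping) {
  return hrefs.map((href) => {
    const resolved = new URL(href, pageUrl).href;
    return { href, resolved, backend: toBackend(resolved, mapping) };
  });
}

// Hrefs whose requests never reach the Lenya backend under this mapping.
function escaped(pageUrl, hrefs, mapping) {
  return traceLinks(pageUrl, hrefs, mapping).filter((l) => l.backend === null).map((l) => l.href);
}

// Hypothetical rewrite step: what a fix has to achieve for root-relative
// links (protocol-relative "//host/..." links are left alone).
function addPrefix(href, mapping) {
  return href.startsWith("/") && !href.startsWith("//") ? mapping.pathPrefix + href : href;
}

const HREFS = ["/client-site1/authoring/index.html", "edit.html"]; // constructed
const prefixedPage = "https://www.baz.com/lenya/client-site1/authoring/index.html";
const rootPage = "https://www.baz.com/client-site1/authoring/index.html";

console.log(escaped(prefixedPage, HREFS, PREFIXED)); // root-relative link escapes /lenya
console.log(escaped(rootPage, HREFS, ROOT)); // nothing escapes at the root
console.log(escaped(prefixedPage, HREFS.map((h) => addPrefix(h, PREFIXED)), PREFIXED));
```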
