[ic] Inet mode and SSL...

Art interchange-users@icdevgroup.org
Fri Nov 15 15:09:00 2002


Obviously I'm not understanding the interaction, that's why I pinged the
list.
I'm afraid I need a little hand holding here.

CGI_URL: /catalog
SAMPLEURL: http://cart.domain.com:7786/catalog
SECURE_SERVER: https//acs.alpentech.net:7786
SERVER_NAME: cart.domain.com

I have cart.domain.com set up to have Interchange respond to port 7786,
http://cart.domain.com:7786

All of this used to work in unix mode, so that it was:
http://cart.domain.com/cgi-bin/catalog
and
https://cart.domain.com/cgi-bin/catalog (for SECURE_SERVER setting).
The old server setup was a very different apache setup.
The new server is running SUEXEC because of other servers it supports
(postnuke and others) requiring that, and apparently (from list
searches) Interchange can't work properly in unix sockets mode if Apache
has SUEXEC running, correct?
So, I've been trying to make it work in INET mode.
I finally managed to get it working without ssl just fine, just changing
settings on the Interchange side, didn't touch apache's httpd.conf at
all.

I can easily get ssl to work on the apache side with the following:
httpd.conf (relevant? section):
##
## SSL Virtual Host Context
##
<VirtualHost cart.domain.com:7443>
SSLEngine on
SSLCertificateFile /var/lib/interchange/catalog/ssl/cartdomain.crt
SSLCertificateKeyFile /var/lib/interchange/catalog/ssl/cartdomain.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
</VirtualHost>

This works fine for apache to serve up secure pages that have nothing to
do with interchange, it'll work on 443 or any other port I want if I
change it to that, or as I did here, on 7443. 
But I don't see how this does any good for interchange, since apache
will just end up intercepting all requests to that port since it's
listening there, and it doesn't seem to hand anything over to
interchange now that I'm in INET mode.

But, just trying to figure things out, I went through the following
futile exercises...

So, then I set up the SECURE_SERVER variable to be:
https://cart.domain.com:7443
Then refresh the cart page, and the links to Login (and such) show the
change.
I click the Login link, and eventually get a server timeout error:
An error occured while loading
https://cart.domain:7443/catalog/login.html?id=5FRjPSPx&mv_pc=1:

Timeout on server
Timed out while waiting to connect to cart.domain.com
If I change the url to:
http://cart.domain.com:7443

I tried changing the httpd.conf variable to:
<VirtualHost 10.12.110.10:7786>
ServerName cart.domain.com
.....
Then restarted apache.
Then changed Interchange SECURE_SERVER variable to
https://cart.domain.com:7786
Applied changes.
Refreshed page, clicked login link:
https://cart.domain.com:7786/catalog/login.html?id=nygguKit&mv_pc=1
received error:
An error occured while loading
https://cart.domain.com:7786/catalog/login.html?id=nygguKit&mv_pc=1:
Could not connect to host cart.domain.com (port 7786)

Obviously I am misunderstanding something fundamental here, and need it
clarified by example.

Ok, set up httpd.conf as follows:

<VirtualHost 10.12.110.10:443>
       ServerName cart.domain.com
DocumentRoot /www/cart.domain.com/ecomm
ErrorLog logs/error_log_ssl_cart.domain.com
SSLEngine on
SSLCertificateFile /var/lib/interchage/domain/ssl/cart.domain.com.crt
SSLCertificateKeyFile /var/lib/interchange/domain/ssl/cart.domain.com.key
####SSLCACertificateFile /var/lib/interchange/domain/ssl/cart.domain.com.crt

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
</VirtualHost>


pointed browser to:
https://cart.domain.com
Test (index.html) page showed up correctly served up by Apache.
tried connecting to:
https://cart.domain.com:7786
An error occured while loading https://cart.domain.com:7786:
Could not connect to host cart.domain.com (port 7786)

Makes sense since interchange isn't serving up the https/ssl protocol
right?
Point browser to:
http://cart.domain.com:7786/catalog/
Interchange catalog appears ok (no ssl).
Changed SECURE_SERVER to https://cart.domain.com
Applied changes.
Refreshed page so login link reflects the change.
Link is now:
https://cart.domain.com/catalog/login.html?id=4Ft8pZkv&mv_pc=1
Not Found The requested URL /catalog/login.html was not found on this
server.
Apache/1.3.22 Server at cart.domain.com Port 443
Again, it's the Apache server that responded, not Interchange.

Ok, now trying by removing the document root and servername from
httpd.conf...
restart apache.
refresh page:
https://cart.domain.com/catalog/login.html?id=4Ft8pZkv&mv_pc=1
Not Found The requested URL /catalog/login.html was not found on this
server.
Apache/1.3.22 Server at 10.12.110.10 Port 443
Still no go, now it is just responding with the default servername
instead of the virtual server name, but it's still Apache responding,
not Interchange, I guess I'm expecting some sort of nsapi like handoff
or some such, and I guess it doesn't work that way with Interchange.
Fine, again I ask, how do I make Interchange serve up SSL?
Isn't there an Interchange piece somewhere that does what the above
httpd.conf VirtualHost directive does for Apache, but is instead for
Interchange?

Or do I need to change the Apache DocumentRoot to point to the 
No, that shouldn't work because it's apache, still not interchange, it
won't know how to handle such things correctly will it?

Apache just keeps intercepting requests, not handing it off to
interchange if I do anything on the apache side (which is what I
expect).
What I can't seem to find is a section in interchange.cfg or catalog.cfg
to setup ssl response.
How do I make Interchange listen as an https server?
I hate acting like a dolt, but I'm stumped.
Please help out,
Thanks,
-Art







On Fri, 2002-11-15 at 04:25, Mike Heins wrote:
> Quoting Jeff Dafoe (jeff@badtz-maru.com):
> > > SSL works for Apache fine.
> > > But how do I get it to work for Interchange?
> > > Having it try to connect to port 443, 7443, changing around the
> > > httpd.conf SSL setting to listen to those for ssl connections (the
> > > apache server responds securely just fine, it just isn't interchange
> > > alas).
> > 
> >     Interchange doesn't do anything special for SSL aside from outputting
> > links that have https instead of http in front of them.  The browser talks
> > to apache, either via ssl or non-ssl, and apache talks to interchange,
> > always on the same port, always via the same method.  Thus, I am confused by
> > the cart.domain.com:7786 part since interchange typically doesn't
> > communicate with the browser.
> 
> Actually, it does have an internal HTTP server that would work with that
> URL without even having an Apache. But that would never support SSL.
> 
> >     If you have a configuration section in your apache configuration that is
> > properly configured for interchange, then you can basically copy that block
> > and add the appropriate SSL directives to it for the SSL configuration.
> >     This is entirely a web server issue, though.  I think you may have a
> > misunderstanding as to how interchange communicates with the browser.
> 
> This is very true.
> 
> -- 
> Mike Heins
> Perusion -- Expert Interchange Consulting    http://www.perusion.com/
> phone +1.513.523.7621      <mike@perusion.com>
> 
> Any man who is under 30, and is not liberal, has not heart; and any man
> who is over 30, and is not a conservative, has not brains.
>  -- Winston Churchill
>
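
The arrangement described in the quoted reply (browser to Apache over HTTP or HTTPS, Apache to Interchange always by the same method), sketched as an Apache configuration. This is an added example, not part of the original thread: the link CGI path `/var/www/cgi-bin/catalog`, the port 80 block and the use of `ScriptAlias` are assumptions, while the host name, IP address and certificate paths are copied from the message above.

```apache
# Added example (not from the thread). Assumption: an INET-mode Interchange
# link CGI is installed at /var/www/cgi-bin/catalog (hypothetical path) and
# relays each request to the Interchange daemon on port 7786.

# Plain HTTP: catalog URLs reach Interchange through the link CGI.
<VirtualHost 10.12.110.10:80>
    ServerName cart.domain.com
    DocumentRoot /www/cart.domain.com/ecomm
    ScriptAlias /catalog /var/www/cgi-bin/catalog
</VirtualHost>

# HTTPS: a copy of the block above plus the SSL directives.
# Apache terminates SSL, then runs the same link CGI, so Interchange
# itself never has to speak https.
<VirtualHost 10.12.110.10:443>
    ServerName cart.domain.com
    DocumentRoot /www/cart.domain.com/ecomm
    ScriptAlias /catalog /var/www/cgi-bin/catalog

    SSLEngine on
    SSLCertificateFile    /var/lib/interchange/catalog/ssl/cartdomain.crt
    SSLCertificateKeyFile /var/lib/interchange/catalog/ssl/cartdomain.key
    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
</VirtualHost>

# Catalog variables that match this layout (names as listed in the message,
# values are assumptions for this example):
#   CGI_URL        /catalog
#   SERVER_NAME    cart.domain.com
#   SECURE_SERVER  https://cart.domain.com
```

With this layout browsers never need to reach port 7786, so it can be restricted to connections from the web server itself; that keeps the internal HTTP server, which per the quoted reply cannot do SSL, from serving login or checkout pages in the clear.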