[ic] Inet mode and SSL...

Brian Kosick interchange-users@icdevgroup.org
Fri Nov 15 15:25:01 2002


Art wrote:

>Obviously I'm not understanding the interaction, that's why I pinged the
>list.
>I'm afraid I need a little hand holding here.
>
>CGI_URL: /catalog
>SAMPLEURL: http://cart.domain.com:7786/catalog
>SECURE_SERVER: https//acs.alpentech.net:7786
>SERVER_NAME: cart.domain.com
>
>I have cart.domain.com set up to have Interchange respond to port 7786,
>http://cart.domain.com:7786
>
>All of this used to work in unix mode, so that it was:
>http://cart.domain.com/cgi-bin/catalog
>and
>https://cart.domain.com/cgi-bin/catalog (for SECURE_SERVER setting).
>The old server setup was a very different apache setup.
>The new server is running SUEXEC because of other servers it supports
>(postnuke and others) requiring that, and apparently (from list
>searches) Interchange can't work properly in unix sockets mode if Apache
>has SUEXEC running, correct?
>So, I've been trying to make it work in INET mode.
>Finally managed to get it working without ssl just fine, just changing
>settings on the interchange side, didn't touch apache's httpd.conf at
>all.
>
>I can easily get ssl to work on the apache side with the following:
>httpd.conf (relevant? section):
>##
>## SSL Virtual Host Context
>##
><VirtualHost cart.domain.com:7443>
>SSLEngine on
>SSLCertificateFile /var/lib/interchange/catalog/ssl/cartdomain.crt
>SSLCertificateKeyFile /var/lib/interchange/catalog/ssl/cartdomain.key
><Files ~ "\.(cgi|shtml|phtml|php3?)$">
>    SSLOptions +StdEnvVars
></Files>
><Directory "/var/www/cgi-bin">
>    SSLOptions +StdEnvVars
></Directory>
></VirtualHost>
>
>This works fine for apache to serve up secure pages that have nothing to
>do with interchange, it'll work on 443 or any other port I want if I
>change it to that, or as I did here, on 7443. 
>But I don't see how this does any good for interchange, since apache
>will just end up intercepting all requests to that port since it's
>listening there, and it doesn't seem to hand anything over to
>interchange now that I'm in INET mode.
>
>But, just trying to figure things out, I went through the following
>futile exercises...
>
>So, then I set up the SECURE_SERVER variable to be:
>https://cart.domain.com:7443
>Then refresh the cart page, and the links to Login (and such) show the
>change.
>I click the Login link, and eventually get a server timeout error:
>An error occured while loading
>https://cart.domain:7443/catalog/login.html?id=5FRjPSPx&mv_pc=1:
>
>Timeout on server
>Timed out while waiting to connect to cart.domain.com
>If I change the url to:
>http://cart.domain.com:7443
>
>I tried changing the httpd.conf variable to:
><VirtualHost 10.12.110.10:7786>
>ServerName cart.domain.com
>.....
>Then restarted apache.
>Then changed Interchange SECURE_SERVER variable to
>https://cart.domain.com:7786
>Applied changes.
>Refreshed page, clicked login link:
>https://cart.domain.com:7786/catalog/login.html?id=nygguKit&mv_pc=1
>received error:
>An error occured while loading
>https://cart.domain.com:7786/catalog/login.html?id=nygguKit&mv_pc=1:
>Could not connect to host cart.domain.com (port 7786)
>
>Obviously I am misunderstanding something fundamental here, and need it
>clarified by example.
>
>Ok, set up httpd.conf as follows:
>
><VirtualHost 10.12.110.10:443>
>       ServerName cart.domain.com
>DocumentRoot /www/cart.domain.com/ecomm
>ErrorLog logs/error_log_ssl_cart.domain.com
>SSLEngine on
>SSLCertificateFile /var/lib/interchage/domain/ssl/cart.domain.com.crt
>SSLCertificateKeyFile /var/lib/interchange/domain/ssl/cart.domain.com.key
>####SSLCACertificateFile /var/lib/interchange/domain/ssl/cart.domain.com.crt
>
><Files ~ "\.(cgi|shtml|phtml|php3?)$">
>    SSLOptions +StdEnvVars
></Files>
><Directory "/var/www/cgi-bin">
>    SSLOptions +StdEnvVars
></Directory>
></VirtualHost>
>
>
>pointed browser to:
>https://cart.domain.com
>Test (index.html) page showed up correctly served up by Apache.
>tried connecting to:
>https://cart.domain.com:7786
>An error occured while loading https://cart.domain.com:7786:
>Could not connect to host cart.domain.com (port 7786)
>
>Makes sense since interchange isn't serving up the https/ssl protocol
>right?
>Point browser to:
>http://cart.domain.com:7786/catalog/
>Interchange catalog appears ok (no ssl).
>Changed SECURE_SERVER to https://cart.domain.com
>Applied changes.
>Refreshed page so login link reflects the change.
>Link is now:
>https://cart.domain.com/catalog/login.html?id=4Ft8pZkv&mv_pc=1
>Not Found The requested URL /catalog/login.html was not found on this
>server.
>Apache/1.3.22 Server at cart.domain.com Port 443
>Again, it's the Apache server that responded, not Interchange.
>
>Ok, now trying by removing the document root and servername from
>httpd.conf...
>restart apache.
>refresh page:
>https://cart.domain.com/catalog/login.html?id=4Ft8pZkv&mv_pc=1
>Not Found The requested URL /catalog/login.html was not found on this
>server.
>Apache/1.3.22 Server at 10.12.110.10 Port 443
>Still no go, now it is just responding with the default servername
>instead of the virtual server name, but it's still Apache responding,
>not Interchange, I guess I'm expecting some sort of nsapi like handoff
>or some such, and I guess it doesn't work that way with Interchange.
>Fine, again I ask, how do I make Interchange serve up SSL?
>Isn't there an Interchange piece somewhere that does what the above
>httpd.conf VirtualHost directive does for Apache, but is instead for
>Interchange?
>
>Or do I need to change the Apache DocumentRoot to point to the 
>No, that shouldn't work because it's apache, still not interchange, it
>won't know how to handle such things correctly will it?
>
>Apache just keeps intercepting requests, not handing it off to
>interchange if I do anything on the apache side (which is what I
>expect).
>What I can't seem to find is a section in interchange.cfg or catalog.cfg
>to setup ssl response.
>How do I make Interchange listen as https server?
>I hate acting like a dolt, but I'm stumped.
>Please help out,
>Thanks,
>-Art
>
>On Fri, 2002-11-15 at 04:25, Mike Heins wrote:
>
>>Quoting Jeff Dafoe (jeff@badtz-maru.com):
>>
>>>>SSL works for Apache fine.
>>>>But how do I get it to work for Interchange?
>>>>Having it try to connect to port 443, 7443, changing around the
>>>>httpd.conf SSL setting to listen to those for ssl connections (the
>>>>apache server responds securely just fine, it just isn't interchange
>>>>alas).
>>>>
>>>    Interchange doesn't do anything special for SSL aside from outputting
>>>links that have https instead of http in front of them.  The browser talks
>>>to apache, either via ssl or non-ssl, and apache talks to interchange,
>>>always on the same port, always via the same method.  Thus, I am confused by
>>>the cart.domain.com:7786 part since interchange typically doesn't
>>>communicate with the browser.
>>>
>>Actually, it does have an internal HTTP server that would work with that
>>URL without even having an Apache. But that would never support SSL.
>>
>>
>>>    If you have a configuration section in your apache configuration that is
>>>properly configured for interchange, then you can basically copy that block
>>>and add the appropriate SSL directives to it for the SSL configuration.
>>>    This is entirely a web server issue, though.  I think you may have a
>>>misunderstanding as to how interchange communicates with the browser.
>>>
>>This is very true.
>>
>>-- 
>>Mike Heins
>>Perusion -- Expert Interchange Consulting    http://www.perusion.com/
>>phone +1.513.523.7621      <mike@perusion.com>
>>
>>Any man who is under 30, and is not liberal, has not heart; and any man
>>who is over 30, and is not a conservative, has not brains.
>> -- Winston Churchill
>>_______________________________________________
>>interchange-users mailing list
>>interchange-users@icdevgroup.org
>>http://www.icdevgroup.org/mailman/listinfo/interchange-users
>>
Personally, if you have access to the httpd.conf file, switch over to
mod_interchange and rid yourself of the headaches.
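
Added example (not part of the original thread, and not the Interchange project's own configuration): one way to lay out Apache 1.3 so that Apache terminates SSL and hands /catalog to Interchange over the INET port, following the "copy the block and add the SSL directives" advice quoted above and the mod_interchange suggestion. It assumes mod_ssl and mod_interchange are built into Apache and that Interchange listens on port 7786 on the same host; `SetHandler interchange-handler` and `InterchangeServer` are mod_interchange directives, and the address and certificate paths are the ones quoted in Art's message.

```apache
# Plain HTTP: browser -> Apache:80 -> Interchange INET port on this host.
<VirtualHost 10.12.110.10:80>
    ServerName cart.domain.com

    # /catalog matches the CGI_URL shown in the thread.
    <Location /catalog>
        SetHandler interchange-handler
        InterchangeServer localhost:7786
    </Location>
</VirtualHost>

# HTTPS: the same Location block copied, plus the SSL directives.
# Apache speaks SSL to the browser; the hop to Interchange is unchanged.
<VirtualHost 10.12.110.10:443>
    ServerName cart.domain.com

    SSLEngine on
    SSLCertificateFile    /var/lib/interchange/catalog/ssl/cartdomain.crt
    SSLCertificateKeyFile /var/lib/interchange/catalog/ssl/cartdomain.key

    <Location /catalog>
        SetHandler interchange-handler
        InterchangeServer localhost:7786
    </Location>
</VirtualHost>
```

With this layout SECURE_SERVER is https://cart.domain.com with no port number, since the browser never connects to 7786. The Apache-to-Interchange hop on 7786 is unencrypted, so that port should be reachable only from the Apache host (loopback binding or a firewall rule).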