[hunchentoot-devel] Two questions
Hello, I have two questions. The first is probably a stupid one: is it possible to serve both http and https on the same port? With one Hunchentoot instance? The second one should probably be asked at the mod_lisp mailing list: is it possible to put several Hunchentoot servers behind mod_lisp? Thank you very much, Nicolas
On Thu, 13 Mar 2008 21:06:36 +0100, Nicolas Neuss <neuss@math.uni-karlsruhe.de> wrote:
I have two questions. The first is probably a stupid one: is it possible to serve both http and https on the same port? With one Hunchentoot instance?
No, that's generally not possible. It's not a Hunchentoot limitation. How is the client supposed to know which protocol they should use?
The second one should probably be asked at the mod_lisp mailing list: is it possible to put several Hunchentoot servers behind mod_lisp?
It is possible, the mod_lisp directives can be per virtual server or even per location (see Apache documentation). IIRC you'll find examples for this in the mailing list archive if you dig deep enough. HTH, Edi.
On Thu, 2008-03-13 at 21:31 +0100, Edi Weitz wrote:
On Thu, 13 Mar 2008 21:06:36 +0100, Nicolas Neuss <neuss@math.uni-karlsruhe.de> wrote:
I have two questions. The first is probably a stupid one: is it possible to serve both http and https on the same port? With one Hunchentoot instance?
No, that's generally not possible. It's not a Hunchentoot limitation. How is the client supposed to know which protocol they should use?
Nitpick: theoretically, it may be possible. Client is supposed to know this by URL anyway (http://example.com:42/ vs https://example.com:42/), and server should be able to recognise whether start of client's request is encrypted or not. OTOH I never heard of such functionality, and can't imagine any scenario (maybe except some case of guerilla deployment or firewall piercing) where this could be actually useful. -- -><- Maciej 'japhy' Pasternacki -><- http://www.pasternacki.net/ -><-
Edi Weitz <edi@agharta.de> writes:
On Thu, 13 Mar 2008 21:06:36 +0100, Nicolas Neuss <neuss@math.uni-karlsruhe.de> wrote:
I have two questions. The first is probably a stupid one: is it possible to serve both http and https on the same port? With one Hunchentoot instance?
No, that's generally not possible. It's not a Hunchentoot limitation. How is the client supposed to know which protocol they should use?
OK, I had suspected that. Thank you for the information.
The second one should probably be asked at the mod_lisp mailing list: is it possible to put several Hunchentoot servers behind mod_lisp?
It is possible, the mod_lisp directives can be per virtual server or even per location (see Apache documentation). IIRC you'll find examples for this in the mailing list archive if you dig deep enough.
I searched, but did not succeed in making it run. However, methinks that I may be better off anyhow using mod_proxy instead of mod_lisp. In any case, I was able to get Apache2/mod_proxy/Hunchentoot running nicely using the httpd.conf-lines ProxyPass /hunchentoot/ http://127.0.0.1:8005/ ProxyPassReverse /hunchentoot/ http://127.0.0.1:8005/ However, again two questions arise: 1. Omitting the trailing / makes the whole thing fail (which is in contradiction to the Hunchentoot docs). Why? 2. Is it possible to change the above setup such that it forwards secure connections? Thank you very much, Nicolas
On Fri, Mar 14, 2008 at 5:23 PM, Nicolas Neuss <neuss@math.uni-karlsruhe.de> wrote:
I searched, but did not succeed in making it run.
You should probably be able to do it by setting *meta-dispatcher* to a custom function which looks at the incoming port. However, as you say, mod_proxy may be a better option. Rob
On Fri, 14 Mar 2008 18:23:09 +0100, Nicolas Neuss <neuss@math.uni-karlsruhe.de> wrote:
ProxyPass /hunchentoot/ http://127.0.0.1:8005/ ProxyPassReverse /hunchentoot/ http://127.0.0.1:8005/
However, again two questions arise:
1. Omitting the trailing / makes the whole thing fail (which is in contradiction to the Hunchentoot docs). Why?
Hmm, not sure. I guess you'll have to look at the Apache docs. http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypass
2. Is it possible to change the above setup such that it forwards secure connections?
Sure. Put the directives into a virtual server which serves https connections. IIUC that should be all you need.
On Fri, Mar 14, 2008 at 6:15 PM, Edi Weitz <edi@agharta.de> wrote:
On Fri, 14 Mar 2008 18:23:09 +0100, Nicolas Neuss < neuss@math.uni-karlsruhe.de> wrote:
ProxyPass /hunchentoot/ http://127.0.0.1:8005/ ProxyPassReverse /hunchentoot/ http://127.0.0.1:8005/
have you tried something like ProxyPass /hunchentoot/ggg http://127.0.0.1:8005/ggg<http://127.0.0.1:8005/> ProxyPassReverse /hunchentoot/ggg http://127.0.0.1:8005/ggg<http://127.0.0.1:8005/> ?
However, again two questions arise:
1. Omitting the trailing / makes the whole thing fail (which is in contradiction to the Hunchentoot docs). Why?
Hmm, not sure. I guess you'll have to look at the Apache docs.
http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypass
2. Is it possible to change the above setup such that it forwards secure connections?
Sure. Put the directives into a virtual server which serves https connections. IIUC that should be all you need. _______________________________________________ tbnl-devel site list tbnl-devel@common-lisp.net http://common-lisp.net/mailman/listinfo/tbnl-devel
"Andrea Chiumenti" <kiuma72@gmail.com> writes:
> ProxyPass /hunchentoot/ http://127.0.0.1:8005/ > ProxyPassReverse /hunchentoot/ http://127.0.0.1:8005/
have you tried something like ProxyPass /hunchentoot/ggg http://127.0.0.1:8005/ggg ProxyPassReverse /hunchentoot/ggg http://127.0.0.1:8005/ggg
No, because at the moment, I do not have subdirectories.
On Fri, Mar 14, 2008 at 6:15 PM, Edi Weitz wrote:
> 2. Is it possible to change the above setup such that it forwards > secure connections?
Sure. Put the directives into a virtual server which serves https connections. IIUC that should be all you need.
I have tried now in httpd.conf the following: <VirtualHost localhost:443> ServerName localhost SSLEngine on SSLCertificateFile /home/neuss/CL-HOME/courses/server.cert SSLCertificateKeyFile /home/neuss/CL-HOME/courses/server.key ProxyPass /hunchentoot/ https://127.0.0.1:8005/ ProxyPassReverse /hunchentoot/ https://127.0.0.1:8005/ </VirtualHost> However, although https://127.0.0.1:8005/ works, when I access it with https://localhost/hunchentoot/, I see the following error in the log file: [2008-03-15 19:23:16 [ERROR]] Error while processing connection: The TLS/SSL connection on handle #.(SB-SYS:INT-SAP #X080FFD68) has been closed. (return code: 5)SSL error queue: Does anyone see what I'm doing wrong here? Thank you, Nicolas P.S.: Here is the longer backtrace: 0: ((LAMBDA (SWANK-BACKEND::DEBUGGER-LOOP-FN)) #<FUNCTION (LAMBDA #) {A8D0DDD}>) 1: (SWANK::DEBUG-IN-EMACS #<CL+SSL::SSL-ERROR-ZERO-RETURN {B0E36D1}>) 2: ((LAMBDA (SWANK-BACKEND::HOOK SWANK-BACKEND::FUN)) #<FUNCTION SWANK:SWANK-DEBUGGER-HOOK> #<CLOSURE (LAMBDA #) {B0E3905}>) 3: (SWANK::CALL-WITH-REDIRECTED-IO #<SWANK::CONNECTION {ADC8DC9}> #<CLOSURE (LAMBDA #) {B0E3915}>) 4: (SWANK::CALL-WITH-CONNECTION #<SWANK::CONNECTION {ADC8DC9}> #<CLOSURE (LAMBDA #) {B0E3905}>) 5: (INVOKE-DEBUGGER #<CL+SSL::SSL-ERROR-ZERO-RETURN {B0E36D1}>) 6: (INVOKE-DEBUGGER #<CL+SSL::SSL-ERROR-ZERO-RETURN {B0E36D1}>) 7: ((SB-PCL::FAST-METHOD HUNCHENTOOT:MAYBE-INVOKE-DEBUGGER (T)) #<unavailable argument> #<unavailable argument> #<CL+SSL::SSL-ERROR-ZERO-RETURN {B0E36D1}>) 8: ((LAMBDA (SB-PCL::.PV-CELL. SB-PCL::.NEXT-METHOD-CALL. SB-PCL::.ARG0.)) #<unavailable argument> #<unavailable argument> #<CL+SSL::SSL-ERROR-ZERO-RETURN {B0E36D1}>) 9: (SIGNAL #<CL+SSL::SSL-ERROR-ZERO-RETURN {B0E36D1}>) 10: (ERROR CL+SSL::SSL-ERROR-ZERO-RETURN) 11: (CL+SSL::SSL-SIGNAL-ERROR #.(SB-SYS:INT-SAP #X0810FC90) #<FUNCTION CL+SSL::SSL-ACCEPT> 5 0) 12: (CL+SSL::SSL-SIGNAL-ERROR #.(SB-SYS:INT-SAP #X0810FC90) #<FUNCTION CL+SSL::SSL-ACCEPT> 5 0) 13: (CL+SSL:MAKE-SSL-SERVER-STREAM #<unavailable lambda list>) 14: (HUNCHENTOOT::PROCESS-CONNECTION #<HUNCHENTOOT::SERVER {B74C2F1}> #<SB-BSD-SOCKETS:INET-SOCKET descriptor 11 {AE8D8A9}>) 15: ((LAMBDA ()))
Nicolas Neuss <neuss@math.uni-karlsruhe.de> writes:
<VirtualHost localhost:443> ServerName localhost SSLEngine on SSLCertificateFile /home/neuss/CL-HOME/courses/server.cert SSLCertificateKeyFile /home/neuss/CL-HOME/courses/server.key ProxyPass /hunchentoot/ https://127.0.0.1:8005/ ProxyPassReverse /hunchentoot/ https://127.0.0.1:8005/ </VirtualHost>
Success. Reading the apache2 error log I found out that I was missing the activation of SSLProxyEngine. The following works for me as much as I see: <VirtualHost localhost:443> ServerName localhost SSLEngine on SSLCertificateFile /home/neuss/CL-HOME/courses/server.cert SSLCertificateKeyFile /home/neuss/CL-HOME/courses/server.key SSLProxyEngine On SSLProxyCACertificateFile /home/neuss/CL-HOME/courses/server.cert ProxyPreserveHost On ProxyPass /hunchentoot/ https://127.0.0.1:8005/ ProxyPassReverse /hunchentoot/ https://127.0.0.1:8005/ </VirtualHost> Yours, Nicolas
On Thu, Mar 13, 2008 at 8:06 PM, Nicolas Neuss <neuss@math.uni-karlsruhe.de> wrote:
Hello,
I have two questions. The first is probably a stupid one: is it possible to serve both http and https on the same port? With one Hunchentoot instance?
More or less yes, take a look here http://common-lisp.net/project/claw/ it's not finished, but I'm near. kiuma
The second one should probably be asked at the mod_lisp mailing list: is it possible to put several Hunchentoot servers behind mod_lisp?
Thank you very much, Nicolas _______________________________________________ tbnl-devel site list tbnl-devel@common-lisp.net http://common-lisp.net/mailman/listinfo/tbnl-devel
participants (5)
-
Andrea Chiumenti -
Edi Weitz -
Maciej Pasternacki -
Nicolas Neuss -
Robert Synnott