I'm probably doing something dumb but I haven't been able to figure this out. My understanding of Apache is pretty limited.
Both apache and my Hunchentoot servers work fine w/o SSL. My Hunchentoot server works fine *with* SSL standalone (not behind mod_lisp). But when I try to put it behind mod_lisp and hit the domain with a browser (https://makewavs.com/) the Hunchentoot server goes into debug with the following message:
The variable HUNCHENTOOT:*REPLY* is unbound. [Condition of type UNBOUND-VARIABLE]
Restarts:
 0: [TERMINATE-THREAD] Terminate this thread (#<THREAD "hunchentoot-worker-305" {D41F4B9}>)
Backtrace:
 0: ((SB-PCL::FAST-METHOD HUNCHENTOOT:LOG-MESSAGE (T #1="#<...>" . #1#)) #<unused argument> #<unused argument> :ERROR "Error while processing connection: ~A" #<CL+SSL::SSL-ERROR-INITIALIZE {D43AE31}>)
    Locals:
      HUNCHENTOOT::ARGS = (#<CL+SSL::SSL-ERROR-INITIALIZE {D43AE31}>)
      HUNCHENTOOT::FMT = "Error while processing connection: ~A"
      HUNCHENTOOT::LOG-LEVEL = :ERROR
 1: ((LAMBDA (COND)) #<CL+SSL::SSL-ERROR-INITIALIZE {D43AE31}>)
 2: ((LAMBDA (COND)) #<CL+SSL::SSL-ERROR-INITIALIZE {D43AE31}>)
 3: (SIGNAL #<CL+SSL::SSL-ERROR-INITIALIZE {D43AE31}>)
 4: (ERROR CL+SSL::SSL-ERROR-INITIALIZE)
 5: (CL+SSL:MAKE-SSL-SERVER-STREAM #<unavailable lambda list>)
 6: (HUNCHENTOOT::PROCESS-CONNECTION #<HUNCHENTOOT::SERVER {D03E4B1}> #<SB-BSD-SOCKETS:INET-SOCKET descriptor 7 {CCFAA79}>)
 7: ((LAMBDA NIL))
 8: ("foreign function: call_into_lisp")
 9: ("foreign function: funcall0")
10: ("foreign function: new_thread_trampoline")
11: ("foreign function: #xB7FB8604")
I have apache listening on port 443 and using mod_lisp to talk to a Hunchentoot server on port 4433. The relevant vhosts setup in apache is:
<VirtualHost *:443>
    ServerName makewavs.com
    ServerAlias makewavs.com *.makewavs.com
    ServerAdmin webmaster@makewavs.com
    DocumentRoot "/domains/makewavs.com/htdocs"
    CustomLog /domains/makewavs.com/logs/ssl_access_log combined
    ErrorLog /domains/makewavs.com/logs/ssl_error_log
    LogLevel debug
    <IfDefine SSL>
        SSLEngine on
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
        SSLCertificateFile /domains/makewavs.com/htdocs/CA/ca-cert.pem
        SSLCertificateKeyFile /domains/makewavs.com/htdocs/CA/private/ca-key.pem
        <Directory "/domains/makewavs.com/htdocs">
            Options Indexes FollowSymLinks
            Order allow,deny
            Allow from all
        </Directory>
        <FilesMatch ".(gif|jpe?g|png|wav|mp3|ogg)$">
            Options Indexes FollowSymLinks
            Order allow,deny
            Allow from all
        </FilesMatch>
        <LocationMatch ^/$>
            LispServer 127.0.0.1 4433 "makewavs-ssl"
            SetHandler lisp-handler
            SSLOptions +StdEnvVars
        </LocationMatch>
        <LocationMatch ^/.+.htm.*>
            LispServer 127.0.0.1 4433 "makewavs-ssl"
            SetHandler lisp-handler
            SSLOptions +StdEnvVars
        </LocationMatch>
    </IfDefine>
</VirtualHost>
The log ends up saying:
[Thu Dec 28 12:33:31 2006] [info] Initial (No.1) HTTPS request received for child 65 (server makewavs.com:443)
[Thu Dec 28 12:34:31 2006] [error] (70007)The timeout specified has expired: error reading from Lisp
I'm running apache-2.0.58-r2, hunchentoot-0.4.12, SBCL 1.0 on a Gentoo system, and I've read through the last 3 months of the devel-list without seeing anything relevant.
Any help would be appreciated.
Regards, --Jeff
I swear, I'm cursed. I resisted emailing the list for two hours and thought I'd tried everything. Not two minutes after I hit the send button, it occurs to me, "...if apache is handling SSL, maybe I need to *not* run SSL in Hunchentoot as it's already been decoded..." So, I try running a straight Hunchentoot server and it works perfectly.
This being the case, is the converse also true? I mean, can I have apache run without SSL and run Hunchentoot with SSL? And if so, is there any security or other advantage to configuring one way rather than the other?
Sorry for the dumb questions.
--Jeff
On Thu, 28 Dec 2006 13:06:56 -0800, Jeffrey Cunningham jeffrey@cunningham.net wrote:
This being the case, is the converse also true? I mean, can I have apache run without SSL and run Hunchentoot with SSL?
No.
And if so, is there any security or other advantage to configuring one way rather than the other?
If you want everything to be secure, you should make sure that the connection between Apache and mod_lisp is not vulnerable to attacks. Preferably, they should be on the same machine and only communicate via localhost.
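As an added example (not from the thread or from either project), a small Python lint over the vhost text posted above that checks the two points raised here: every mod_lisp LispServer backend is on loopback, since Apache hands it the decrypted request in plaintext, and the SSLCipherSuite string explicitly disables the null, export, low-grade and SSLv2 cipher classes. The embedded config is a constructed, condensed copy of the one in the thread; MUST_EXCLUDE is an assumed list of tokens a hardened suite should kill with "!".

```python
import ipaddress
import re

# Constructed sample: the relevant lines of the vhost posted in the thread.
VHOST_CONFIG = """
<VirtualHost *:443>
  ServerName makewavs.com
  SSLEngine on
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
  <LocationMatch ^/$>
    LispServer 127.0.0.1 4433 "makewavs-ssl"
    SetHandler lisp-handler
  </LocationMatch>
</VirtualHost>
"""

LISP_SERVER_RE = re.compile(r'^\s*LispServer\s+(\S+)\s+(\d+)\s+"?([^"\s]+)"?', re.M)
CIPHER_RE = re.compile(r'^\s*SSLCipherSuite\s+(\S+)', re.M)
# Assumed: cipher-list classes a hardened suite string should disable with "!".
MUST_EXCLUDE = ("aNULL", "eNULL", "EXP", "LOW", "SSLv2")

def lisp_backends(config):
    """Return (host, port, name) for every LispServer directive in the text."""
    return [(h, int(p), n) for h, p, n in LISP_SERVER_RE.findall(config)]

def is_loopback(host):
    """True for a loopback IP or the literal name localhost; other hostnames
    are not resolved here and are conservatively treated as remote."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"

def missing_exclusions(suite):
    """Tokens from MUST_EXCLUDE that the suite does not kill with '!'.
    OpenSSL's '+' prefix only reorders ciphers already in the list, so a
    '+LOW' is neither an exclusion nor proof that LOW ciphers are enabled."""
    excluded = {t[1:] for t in suite.split(":") if t.startswith("!")}
    return [t for t in MUST_EXCLUDE if t not in excluded]

def audit_vhost(config):
    """Collect findings: non-loopback mod_lisp backends and lax cipher strings."""
    findings = []
    for host, port, name in lisp_backends(config):
        if not is_loopback(host):
            findings.append(f"LispServer {name} at {host}:{port} is not loopback-only; mod_lisp carries the decrypted request in plaintext")
    for suite in CIPHER_RE.findall(config):
        missing = missing_exclusions(suite)
        if missing:
            findings.append("SSLCipherSuite lacks explicit exclusions: " + ", ".join(missing))
    return findings
```

Run against the thread's own config the backend check passes and only the cipher-string finding is reported.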
On Thu Dec 28, 2006 at 10:11:52PM +0100, Edi Weitz wrote:
If you want everything to be secure, you should make sure that the connection between Apache and mod_lisp is not vulnerable to attacks. Preferably, they should be on the same machine and only communicate via localhost.
That is the case. Thank you, very much.
-Jeff
On Thu, 28 Dec 2006 12:57:27 -0800, Jeffrey Cunningham jeffrey@cunningham.net wrote:
I'm probably doing something dumb but I haven't been able to figure this out. My understanding of Apache is pretty limited.
Both apache and my Hunchentoot servers work fine w/o SSL. My Hunchentoot server works fine *with* SSL standalone (not behind mod_lisp). But when I try to put it behind mod_lisp and hit the domain with a browser (https://makewavs.com/) the Hunchentoot server goes into debug with the following message:
The variable HUNCHENTOOT:*REPLY* is unbound. [Condition of type UNBOUND-VARIABLE]
Of course, you have SSL disabled in Hunchentoot while it's behind Apache, don't you?