s c h e m a t i c s : c o o k b o o k

/ Cookbook.HttpsWebservering

This Web


WebHome 
WebChanges 
TOC (with recipes)
NewRecipe 
WebTopicList 
WebStatistics 

Other Webs


Chicken
Cookbook
Erlang
Know
Main
Plugins
Sandbox
Scm
TWiki  

Schematics


Schematics Home
Sourceforge Page
SchemeWiki.org
Original Cookbook
RSS

Scheme Links


Schemers.org
Scheme FAQ
R5RS
SRFIs
Scheme Cross Reference
PLT Scheme SISC
Scheme48 SCM
MIT Scheme scsh
JScheme Kawa
Chicken Guile
Bigloo Tiny
Gambit LispMe
GaucheChez

Lambda the Ultimate
TWiki.org

Using Apache as a HTTPS front end for the PLT web server

Problem

The PLT web server does not accept HTTPS connections on it's own.

Solution

Use Apache to proxy the HTTPS requests for the PLT web server

First set up the PLT web server on port 8080. Instructions for that are found here: WebPLTWebServer (http://schemecookbook.org/Cookbook/WebPLTWebServer)

Once that's running (and you've tested that it's working), then install apache2. Apache2 will normally install by default install on port 80 as a HTTP server. Test it by going to http://localhost/. You should be able to see the default Apache page. Once you can see it, add:

  LoadModule ssl_module modules/mod_ssl.so

to /etc/apache2/httpd.conf and add the following options to the apache2: -D SSL -D SSL_DEFAULT_VHOST {on gentoo this is found in /etc/conf.d/apache2, and looks like: APACHE2_OPTS="-D DEFAULT_VHOST -D SSL -D SSL_DEFAULT_VHOST"}

This will load the HTTPS extensions, and will hopefully set up the default HTTPS page configuration for you. Test it by going to https://localhost/. If you see the default Apache page, then it worked.

Now we need it to send requests to the PLT server on port 8080. First, add the following module entries to /etc/apache2/httpd.conf:

  LoadModule rewrite_module modules/mod_rewrite.so
  LoadModule proxy_module modules/mod_proxy.so
  LoadModule proxy_connect_module modules/mod_proxy_connect.so
  LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
  LoadModule proxy_http_module modules/mod_proxy_http.so

Then add the following directory entry to the same file (/etc/apache2/httpd.conf):

  <Directory "/var/www/localhost/htdocs/">
    Options Indexes MultiViews FollowSymLinks SymLinksIfOwnerMatch
    AllowOverride None
    Order allow,deny
    Allow from all
    RewriteEngine On
    RewriteRule ^(.*)$ http://localhost:8080/$1 [P]
  </Directory>

Test it by going to:

  lynx https://localhost/servlets/examples/add.ss

If that works, we still have a security issue. Go to https://localhost/servlets/configure.ss. This allows you to reconfigure your system from a web browser on the local machine. Since Apache proxies the request through localhost, every request looks like it came from the local machine. We can stop this from happening. Do the following commands at the command shell on your system:

  bash# ifconfig lo:2 10.200.200.200
  bash# route add -host 10.200.200.200 lo:2

(note, these settings will clear upon reboot. you need to add it to the networking configuration files for your system if you want it to say permanent)

Now, in /etc/apache2/httpd.conf, change the RewriteRule to look like:

  RewriteRule ^(.*)$ http://10.200.200.200:8080/$1 [P]

So the whole directory entry in /etc/apache2/httpd.conf should now look like:

  <Directory "/var/www/localhost/htdocs/">
    Options Indexes MultiViews FollowSymLinks SymLinksIfOwnerMatch
    AllowOverride None
    Order allow,deny
    Allow from all
    RewriteEngine On
    RewriteRule ^(.*)$ http://10.200.200.200:8080/$1 [P]
  </Directory>

Discussion

Other issues:

  1. If you want Apache to serve pages other then the PLT web server, you can change the direcory entry to use ``/plt-ws'' instead of root, and use a filter like ExtFilterDefine plt mode=output cmd="/usr/bin/sed 's/\\/servlets;/\\/plt-ws\\/servlets;/'". However this is not ideal.
  2. You may want to configure the PLT web server so it only responds to 10.200.200.200, and localhost. (firewall/iptables, or plt config file?)
  3. Can/Should localhost confguration be disabled via a PLT web server configuration file?


Comments about this recipe

This article isn't pretty. Everyone should feel free to fix up this article. However, If you want to add platform specific info, please add it as a seperate "alternate platform" thread, instead of breaking the current commands ;)

-- TempOne - 29 Nov 2005

Note that this can also be done using pure PLT Scheme. The example at WebFetchingHttpsUrl shows how to fetch HTTPS URLs, which is done by creating a version of the URL module which uses SSL. Something similar can be done with the web server. PLT's handin-server collection provides an example of this - see web-status-server.ss in particular, which links web-server-unit.ss with ssl-tcp-unit.ss.

Even if this approach is used, the above entry may still be useful in various ways, including for purposes other than proxying HTTPS. Perhaps the bulk of the topic should be moved to a more general entry about proxying the PLT web server.

-- AntonVanStraaten - 29 Nov 2005

Contributors

-- TempOne - 29 Nov 2005

CookbookForm
TopicType: Recipe
ParentTopic: WebRecipes
TopicOrder: 055

 
 
Copyright © 2004 by the contributing authors. All material on the Schematics Cookbook web site is the property of the contributing authors.
The copyright for certain compilations of material taken from this website is held by the SchematicsEditorsGroup - see ContributorAgreement & LGPL.
Other than such compilations, this material can be redistributed and/or modified under the terms of the GNU Lesser General Public License (LGPL), version 2.1, as published by the Free Software Foundation.
Ideas, requests, problems regarding Schematics Cookbook? Send feedback.
/ You are Main.guest