You almost certainly want to do SSL termination at the Apache level if
you are running a Racket server behind Apache. This means that Apache
will serve as a reverse proxy to your Racket web server, and all
communications between Apache and the Racket process will be ordinary
HTTP. When an HTTPS request reaches Apache, it will use the certificate
that it knows about to perform SSL negotiation, then it will forward the
decrypted HTTP request to your Racket server over ordinary HTTP. It will
subsequently encrypt the response it receives, then send it back to the
client. This means your Racket server doesn’t need to worry about SSL
(probably a good thing, since Apache/nginx are better at that).

To do this, you can set up an Apache VirtualHost on port 443 with
SSLEngine On and references to the locations of the relevant certificate
files. Configure both hosts (either the main host and the virtual host,
or just use two virtual hosts) to serve as a reverse proxy to the same
Racket process over HTTP using mod_proxy.

Alternatively, you can run your server behind some sort of cloud
provider’s load balancer, which will implement SSL termination for you,
and you won’t have to worry about any of this. Of course, then you have
to deal with your cloud provider of choice. YMMV.

> On Sep 26, 2017, at 3:24 PM, Matthew Butterick <m...@mbtype.com> wrote:
> 
> The docs for "How do I use Apache with the Racket Web Server?"
> demonstrate how to set up proxying between Apache and the Racket web
> server within an .htaccess file. [1]
> 
> That technique works. But only with ordinary HTTP. AFAICT it does not
> work for HTTPS.
> 
> What's the best way to make this work over HTTPS?
> 
> 
> Here's the wrinkle I can't figure out: I have Let's Encrypt certs
> applied to the main server. I can feed these to the Racket web server,
> which will start up, but then the certs won't work on 'localhost'
> references.
> 
> You could say: well why not put the Racket web server at the top
> level. OK, but then it's no longer behind Apache.
> 
> I suppose I could put up a whole separate server, call it
> "app.domain.com", and run the Racket web server at the top level. Then
> get new Let's Encrypt certs for that server. Then proxy between the
> original and this one. Maybe that would work, though it seems like
> overkill.
> 
> [1] 
> http://docs.racket-lang.org/web-server-internal/Troubleshooting_and_Tips.html?q=ssl#%28part._.How_do_.I_use_.Apache_with_the_.Racket_.Web_.Server_%29
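
The setup described in the reply above, as an added Apache configuration example that is not part of the original thread. The hostname `example.com`, the Let's Encrypt certificate paths and backend port 8000 are assumptions; the directives need mod_ssl, mod_proxy, mod_proxy_http and mod_headers enabled.

```apache
# Added example, not from the thread. example.com, the certificate paths
# and backend port 8000 are assumed values; substitute your own.

# HTTPS host: Apache terminates TLS and forwards plain HTTP to Racket.
<VirtualHost *:443>
    ServerName example.com

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

    # Reverse proxy only; never act as a forward proxy.
    ProxyRequests Off
    ProxyPreserveHost On

    # Tell the backend the original request arrived over HTTPS.
    RequestHeader set X-Forwarded-Proto "https"

    ProxyPass        / http://127.0.0.1:8000/
    ProxyPassReverse / http://127.0.0.1:8000/
</VirtualHost>

# HTTP host: proxies to the same Racket process.
<VirtualHost *:80>
    ServerName example.com

    ProxyRequests Off
    ProxyPreserveHost On

    # Overwrite any client-supplied value so the backend can trust it.
    RequestHeader set X-Forwarded-Proto "http"

    ProxyPass        / http://127.0.0.1:8000/
    ProxyPassReverse / http://127.0.0.1:8000/
</VirtualHost>
```

The hop between Apache and Racket is unencrypted, so keep the Racket server listening only on the loopback address (for example `#:listen-ip "127.0.0.1"` with `serve/servlet`) so it cannot be reached directly from the network.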
