Re: [AOLSERVER] multi protocol question
When you say "integrated security" are you talking about the NTLM auth scheme for HTTP? As long as mod_proxy properly handles HTTP Keep-Alive, and recent Apache mod_proxy does, NTLM auth should work just fine. We're talking about different things. In Unix, you can use Apache/mod_proxy + AOLServer to combine url spaces and use AOLServer much like an app server. Agreed In Windows, you can use an Apache reverse proxy to combine AOLServer and IIS URL spaces, but only IIS will be able to do the NTLM handshaking required to get a network ID. AOLServer would sit behind Apache and get the proxied Apache request without any single sign-on info at all. There are several ways to do this with Apache (mod_ntlm, gssapi), but they're complicated, buggy, get broken by windows service packs, or all of the above. I'd be happy to work on an initial proof-of-concept implementation if you think there's a real application for it. YES! Please -- it would be insanely great to have a starting point. I'm still not convinced that anyone would seriously run AOLserver as a FastCGI app. fronted with another webserver. Or, to rephrase: anyone who's willing to do so with the necessary performance impact that it will entail ought to look at a simpler solution like mod_proxy or some other reverse proxy software. Do you have a sense for how much slower this would be? Are we talking about a fractional performance hit or order of magnitude? (I am not convinced sane people would choose e.g. Cold Fusion, but that didn't seem to effect its popularity) I'm not sure about the fastcgi library's thread safety... that will be easy to find out. Yes and no. If the code is definitely not thread-safe, it's probably documented. However, often code will be declared thread-safe that isn't ... that's when we'll feel pain. :-) FastCGI has the benefit to being as old a technology as AOLServer (older?). It's very likely someone has done what you want to do, and has uncovered the hiccups. I'll ask. John Sequeira http://www.oreillynet.com/pub/au/1780 -- AOLserver - http://www.aolserver.com/ To Remove yourself from this list, simply send an email to <[EMAIL PROTECTED]> with the body of "SIGNOFF AOLSERVER" in the email message. You can leave the Subject: field of your email blank.
Re: [AOLSERVER] multi protocol question
On 2005.02.08, John Sequeira <[EMAIL PROTECTED]> wrote: > > I believe for most of the world's departmental web servers which run > IIS, mod_proxy is not really a good option. Although it runs well on > Windows and could sit in front of IIS/AOLServer, it breaks important > things like integrated security, and you end up with a few more > moving parts than you really want to have. When you say "integrated security" are you talking about the NTLM auth scheme for HTTP? As long as mod_proxy properly handles HTTP Keep-Alive, and recent Apache mod_proxy does, NTLM auth should work just fine. Integrated Windows Authentication http://www.microsoft.com/resources/documentation/iis/6/all/proddocs/en-us/sec_auth_intwinauth.mspx | Integrated Windows authentication (formerly called NTLM, and also | referred to as Windows NT Challenge/Response authentication) [...] Perhaps there's another way it "breaks" NTLM auth that I'm not aware of, but a quick Google indicates mod_proxy can be used just fine in front of IIS with NTLM auth: http://lists.samba.org/archive/jcifs/2003-November/002750.html > I didn't realize that a standard module might be able to handle this. > So this doesn't necessarily require a core hack unless it has special > thread or performance requirements? That's my assumption based on my limited understanding of FastCGI, yes. I'd be happy to work on an initial proof-of-concept implementation if you think there's a real application for it. I'm still not convinced that anyone would seriously run AOLserver as a FastCGI app. fronted with another webserver. Or, to rephrase: anyone who's willing to do so with the necessary performance impact that it will entail ought to look at a simpler solution like mod_proxy or some other reverse proxy software. > And even if it does, the multi-protocol patches that may make it into > 4.1.0 would address this type of extensibility? The improvements in 4.1.0 may or may not have any bearing on either serving FastCGI under AOLserver and/or making AOLserver run as a FastCGI app. under another webserver. It depends on what support in the core is actually required to make either work. > I'm not sure about the fastcgi library's thread safety... that will be > easy to find out. Yes and no. If the code is definitely not thread-safe, it's probably documented. However, often code will be declared thread-safe that isn't ... that's when we'll feel pain. :-) -- Dossy -- Dossy Shiobara mail: [EMAIL PROTECTED] Panoptic Computer Network web: http://www.panoptic.com/ "He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on." (p. 70) -- AOLserver - http://www.aolserver.com/ To Remove yourself from this list, simply send an email to <[EMAIL PROTECTED]> with the body of "SIGNOFF AOLSERVER" in the email message. You can leave the Subject: field of your email blank.
Re: [AOLSERVER] multi protocol question
Dossy Shiobara PANOPTIC.COM> writes: > To clarify, you want AOLserver to act as a FastCGI client? Can you > explain the benefit of this approach, rather than having the front-end > webserver simply proxy HTTP requests to AOLserver? This is where the > Apache team is going with Tomcat with their mod_ajp connector for > mod_proxy. Granted, the inter-server protocol will be AJP and not HTTP, > but is that a material difference? > Thanks for such a comprehensive response :-) I believe for most of the world's departmental web servers which run IIS, mod_proxy is not really a good option. Although it runs well on Windows and could sit in front of IIS/AOLServer, it breaks important things like integrated security, and you end up with a few more moving parts than you really want to have. > So, I suggest the name "nsfastcgisock" (akin to "nssock" which probably > should be named "nstcpsock" for clarity). If the FastCGI Dev. Kit is > thread-safe, we can just use FCGI_Accept() and take the data it hands > back and craft a Ns_Conn request and do normal request processing and > then send back the response however FastCGI wants it. /OR/, if we don't > get adequate performance this way, we implement another DriverThread > that speaks the FastCGI protocol and does its own socket handling. > I didn't realize that a standard module might be able to handle this. So this doesn't necessarily require a core hack unless it has special thread or performance requirements? And even if it does, the multi-protocol patches that may make it into 4.1.0 would address this type of extensibility? I'm not sure about the fastcgi library's thread safety... that will be easy to find out. John Sequeira http://www.oreillynet.com/pub/au/1780 -- AOLserver - http://www.aolserver.com/ To Remove yourself from this list, simply send an email to <[EMAIL PROTECTED]> with the body of "SIGNOFF AOLSERVER" in the email message. You can leave the Subject: field of your email blank.
Re: [AOLSERVER] multi protocol question
On 2005.02.08, Rick Cobb <[EMAIL PROTECTED]> wrote: > We're interested in using this work, too. A lot of our deployments > (especially those that are focused on getting live [no-refresh] > updates via JavaScript) end up being slowed down by the requirement to > adapt to Javascript cross-domain security; we'd like to be able to run > as an appserver behind other web servers, if it was easy. If "other webservers" we mean Apache, it should already be possible to use Apache's mod_proxy to turn Apache into a reverse proxy in front of AOLserver. Using mod_rewrite, you could do this selectively for only a subset of URLs to be passed through to AOLserver. I'm not sure what additional "support" we could incorporate into the core to make this work better. And, whatever that enhancement would be wouldn't really benefit anyone unless a complimentary change was made to Apache to take advantage of it ... -- Dossy -- Dossy Shiobara mail: [EMAIL PROTECTED] Panoptic Computer Network web: http://www.panoptic.com/ "He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on." (p. 70) -- AOLserver - http://www.aolserver.com/ To Remove yourself from this list, simply send an email to <[EMAIL PROTECTED]> with the body of "SIGNOFF AOLSERVER" in the email message. You can leave the Subject: field of your email blank.
Re: [AOLSERVER] multi protocol question
On 2005.02.08, John Sequeira <[EMAIL PROTECTED]> wrote:
> I have a question regarding the multi-protocol patches discussed on
> the list in August. Was a decision made on these? Is it likely that
> AOLServer core would include this support anytime soon?
It depends on how you define "soon" but my answer is "yes, definitely."
I'm hoping it's something we can get into 4.1.0. It can already be
"hacked into" the 4.0.x tree, but "hacked" is the reason I'm not
enthusiastic about doing it ...
> I'm investigating whether it would be an option to add FastCGI support
> to AOLServer. I and a few others would like for Openacs to add other
> webservers to it's list of supported platforms while stealthily running
> AOLServer as an app server tier. This would get around a lot of the
> checkbox-based resistance encountered in the early sales process, and
> (we think) would allow organizations to consider AOLServer even if their
> infrastructure is locked into a particular web server.
To clarify, you want AOLserver to act as a FastCGI client? Can you
explain the benefit of this approach, rather than having the front-end
webserver simply proxy HTTP requests to AOLserver? This is where the
Apache team is going with Tomcat with their mod_ajp connector for
mod_proxy. Granted, the inter-server protocol will be AJP and not HTTP,
but is that a material difference?
To make AOLserver act as a FastCGI client, I'm thinking we should/could
be able to do this without any changes to the AOLserver core.
I would suggest we reserve the "nsfastcgi" module name for the module
which allows AOLserver to run FastCGI apps under it. (And, you can
already kinda do this today using the cgi-fcgi program to run FastCGI
apps as normal CGI under AOLserver.)
So, I suggest the name "nsfastcgisock" (akin to "nssock" which probably
should be named "nstcpsock" for clarity). If the FastCGI Dev. Kit is
thread-safe, we can just use FCGI_Accept() and take the data it hands
back and craft a Ns_Conn request and do normal request processing and
then send back the response however FastCGI wants it. /OR/, if we don't
get adequate performance this way, we implement another DriverThread
that speaks the FastCGI protocol and does its own socket handling.
Obviously, the more refactoring that happens to the AOLserver core to
decouple the network I/O from the ADP/HTTP request processing, the
easier this will be to implement. However, I don't immediately see
reasons why an nsfastcgisock ("nsfcgisock"?) can't be implemented today,
with minimal changes to the core. And, if those changes to the core can
be implemented by properly refactoring and decoupling the code, I'm all
for it.
-- Dossy
--
Dossy Shiobara mail: [EMAIL PROTECTED]
Panoptic Computer Network web: http://www.panoptic.com/
"He realized the fastest way to change is to laugh at your own
folly -- then you can let go and quickly move on." (p. 70)
--
AOLserver - http://www.aolserver.com/
To Remove yourself from this list, simply send an email to <[EMAIL PROTECTED]>
with the
body of "SIGNOFF AOLSERVER" in the email message. You can leave the Subject:
field of your email blank.
Re: [AOLSERVER] multi protocol question
We're interested in using this work, too. A lot of our deployments (especially those that are focused on getting live [no-refresh] updates via JavaScript) end up being slowed down by the requirement to adapt to Javascript cross-domain security; we'd like to be able to run as an appserver behind other web servers, if it was easy. -- Rick Cobb > -Original Message- > From: AOLserver Discussion > [mailto:[EMAIL PROTECTED] Behalf > Of John Sequeira > Sent: Tuesday, February 08, 2005 10:51 AM > To: AOLSERVER@LISTSERV.AOL.COM > Subject: [AOLSERVER] multi protocol question > > > I have a question regarding the multi-protocol patches > discussed on the > list in August. Was a decision made on these? Is it likely that > AOLServer core would include this support anytime soon? > > I'm investigating whether it would be an option to add FastCGI support > to AOLServer. I and a few others would like for Openacs to add other > webservers to it's list of supported platforms while > stealthily running > AOLServer as an app server tier. This would get around a lot of the > checkbox-based resistance encountered in the early sales process, and > (we think) would allow organizations to consider AOLServer > even if their > infrastructure is locked into a particular web server. > > John Sequeira > http://www.oreillynet.com/pub/au/1780 > > > -- > AOLserver - http://www.aolserver.com/ > > To Remove yourself from this list, simply send an email to > <[EMAIL PROTECTED]> with the > body of "SIGNOFF AOLSERVER" in the email message. You can > leave the Subject: field of your email blank. > -- AOLserver - http://www.aolserver.com/ To Remove yourself from this list, simply send an email to <[EMAIL PROTECTED]> with the body of "SIGNOFF AOLSERVER" in the email message. You can leave the Subject: field of your email blank.
