stunnel secure access to seaside on Windows Server 2003 (IIS 6)

stunnel secure access to seaside on Windows Server 2003 (IIS 6)

driverwriter
Hello all,

This is my first post to this list and I am not an expert on either  
squeak, seaside or server administration, but I did some research  
before posting, so please bear with me :)

I did a setup of the "one-click" version of squeak seaside on my home  
SBS server. I found a nice post about the headless setup as a service  
and got to the point that I can access my seaside from my client  
computers behind the Windows Server firewall (my intranet).

Now I would like to allow (mostly myself) to access the seaside site  
from outside the firewall as well similar to my main website and other  
services. Just allowing port 8080 to go through the firewall seemed a  
bit risky as all information to and from seaside is unencrypted  
(right??), although I did set up a separate user for seaside with
minimal rights and the service is running seaside under that account.

My original idea was to use stunnel, similar to how I allow smtps to  
my server:
Basically I set up stunnel to accept secure connections on some port
and forward it to 8080 which seaside is listening to. That works for  
the initial pages nicely, but when I am following links like  
"examples" seaside (or some part of the package) replaces the https:  
in the URL again with an http.

I found that under Configure I can set https and a port, but I am  
confused as the default port there is 80 and not the 8080 that the  
server is actually responding to. And by default nothing is configured  
there but the links work nicely from the intranet.

I also found an old post that was talking about using apache as a true  
proxy server, but that seems a bit overkill, as the seaside server  
quite nicely remembers a port that I specify in my original URL and  
remembers the hostname as well, so I am hoping that I am just missing  
something and can easily make it remember the "https:" from my first  
request URL as well.

So here are my questions:
- Is there a "configuration how to" that I missed when browsing the  
site?
- Or is there a way to actually search the previous posts about
seaside (I can read the archives, but I haven't figured out how to
search with gmane or pipermail).
- Or can somebody tell me the little trick that I need to achieve what
I want (I hope my post is not too convoluted, I am not a native English
speaker and maybe put too much information in this).
- Or can somebody give me a hint where to look for the URL generation  
in the code. I haven't searched yet as I am still trying to grasp  
basics of Pier and some more of Squeak itself.

Best Regards
Rainer Keller
- in search for the ultimate software platform to replace my index  
cards with...
_______________________________________________
seaside mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside

Re: stunnel secure access to seaside on Windows Server 2003 (IIS 6)

Rajeev Lochan
Hi Rainer,
I only know the answer to one of your queries.

>Or is there a way to actually search the previous posts about
>seaside (I can read the archives, but I haven't figured out how to
>search with gmane or pipermail.

http://www.nabble.com/Squeak-f14152.html

There you can search the mailing list archives of Squeak/Seaside and other related stuff.

HTH,
Rajeev

--
Rajeev Lochan

Co-founder, AR-CAD.com

http://www.ar-cad.com
+91 9243468076 (Bangalore)
080 65355873

Re: stunnel secure access to seaside on Windows Server 2003 (IIS 6)

Philippe Marschall
In reply to this post by driverwriter
2008/1/5, Rainer Keller <[hidden email]>:

> Hello all,
>
> This is my first post to this list and I am not an expert on either
> squeak, seaside or server administration, but I did some research
> before posting, so please bear with me :)
>
> I did a setup of the "one-click" version of squeak seaside on my home
> SBS server. I found a nice post about the headless setup as a service
> and got to the point that I can access my seaside from my client
> computers behind the Windows Server firewall (my intranet).
>
> Now I would like to allow (mostly myself) to access the seaside site
> from outside the firewall as well similar to my main website and other
> services. Just allowing port 8080 to go through the firewall seemed a
> bit risky as all information to and from seaside is unencrypted
> (right??), although I did set up a separate user for seaside with
> minimal rights and the service is running seaside under that account.

Right, all traffic is unencrypted, this includes forms and passwords.

> My original idea was to use stunnel, similar to how I allow smtps to
> my server:
> Basically I set up stunnel to accept secure connections on some port
> and forward it to 8080 which seaside is listening to. That works for
> the initial pages nicely, but when I am following links like
> "examples" seaside (or some part of the package) replaces the https:
> in the URL again with an http.

Seaside itself is no webserver, it cannot do https. These settings
are only for the URLs generated by Seaside, e.g. the <a href="" stuff
in the HTML. They do not affect the web server in any way. You'd need
them, for example, if you run Seaside behind some proxies.

> I found that under Configure I can set https and a port, but I am
> confused as the default port there is 80 and not the 8080 that the
> server is actually responding to. And by default nothing is configured
> there but the links work nicely from the intranet.
>
> I also found an old post that was talking about using apache as a true
> proxy server, but that seems a bit overkill, as the seaside server
> quite nicely remembers a port that I specify in my original URL and
> remembers the hostname as well, so I am hoping that I am just missing
> something and can easily make it remember the "https:" from my first
> request URL as well.

IMHO using a reverse proxy is the way to go. Most people use Apache so
you'll naturally find most information about it. However since you
already have a webserver (IIS) installed, I'd rather use this one as a
reverse proxy than install another one.

Cheers
Philippe


RE: stunnel secure access to seaside on Windows Server 2003(IIS 6)

Ramon Leon-5
> IMHO using a reverse proxy is the way to go. Most people use
> Apache so you'll naturally find most information about it.
> However since you already have a webserver (IIS) installed,
> I'd rather use this one as a reverse proxy than install an other one.
>
> Cheers
> Philippe

IIS, as a reverse proxy, LMAO, haven't used IIS much I see.  See
http://onsmalltalk.com/programming/smalltalk/running-seaside-apache-and-iis-on-windowsxp/,
save yourself some effort, and just install Apache, IIS
sucks.  Apache can reverse proxy to IIS for anything that requires IIS.

Ramon Leon
http://onsmalltalk.com 


Re: stunnel secure access to seaside on Windows Server 2003 (IIS 6)

driverwriter
In reply to this post by Rajeev Lochan
Thank you very much !

- Rainer


Re: stunnel secure access to seaside on Windows Server 2003 (IIS 6)

driverwriter
In reply to this post by Philippe Marschall
> Seaside itself is no webserver, it cannot do https. These settings
> are only for the URLs generated by Seaside, e.g. the <a href="" stuff
> in the HTML. They do not affect the web server in any way. You'd need
> them, for example, if you run Seaside behind some proxies.

I understand. But precisely those seem to give me problems.
My current guess is that Seaside always generates http:// even if the original request came in as https://
But I am really a newbie in this, I will poke around in the code and get a better understanding before bugging people more :)

> IMHO using a reverse proxy is the way to go. Most people use Apache so
> you'll naturally find most information about it. However since you
> already have a webserver (IIS) installed, I'd rather use this one as a
> reverse proxy than install another one.

Yes, I had read about that as well.
And I had found comments similar to what Ramon posted in his reply ;)
And I had looked through the IIS configuration pages.
From my googling and poking around it seems that IIS is not a proxy server. You need to have ISA installed to get that. And ISA got too interfering with the access for my local clients, so I uninstalled it again.

I just prefer to have as simple a server setup as possible, so I rather won't mess with adding apache on top of IIS. From what I understand stunnel is giving me what I need in regards to security. If I can figure out how to have seaside leave the https intact when generating URLs I think I am set. And I might even not be the only one who would like that, I can imagine other people would like to be able to do a simple secure seaside configuration for their little home networks as well.

I found a post on the seaside pages that looked interesting:
In the FAQ is an entry about "How do I get the requester's IP address?".
That appears to me a good starting point to find what seaside knows about incoming requests, right?
And this means that the actual web servers in front of seaside are Korn, Swazoo or WebKit, right?

Thanks for your answer!
- Rainer
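
The symptom discussed in this thread (host and port survive in generated links, https: does not), as an added example that is not part of any poster's message and not Seaside's code. It is a simplified model of a backend building link URLs behind a TLS tunnel, plus a check that flags same-host http:// links on a page fetched over https; the host name, port 8443, paths and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

DEFAULT_PORT = {"http": 80, "https": 443}

def base_url(headers, scheme=None, port=None):
    """Simplified model (an assumption, not Seaside's code) of a backend
    choosing the base for absolute links. The Host header carries name and
    port but never the scheme, and a TCP-level tunnel such as stunnel adds
    no header, so without an explicit setting the scheme falls back to http."""
    name, _, req_port = headers.get("Host", "localhost").partition(":")
    scheme = scheme or "http"
    port = port or (int(req_port) if req_port else DEFAULT_PORT[scheme])
    netloc = name if port == DEFAULT_PORT[scheme] else f"{name}:{port}"
    return f"{scheme}://{netloc}"

def render(headers, **configured):
    """Constructed page: one absolute link and one relative link."""
    base = base_url(headers, **configured)
    return (f'<a href="{base}/seaside/examples">examples</a> '
            f'<a href="/seaside/config">config</a>')

LINK_ATTR = re.compile(r'''(?:href|action|src)\s*=\s*["']([^"']+)["']''', re.I)

def downgraded_links(page_url, html):
    """Return same-host http:// targets found on a page fetched over https."""
    page = urlsplit(page_url)
    if page.scheme != "https":
        return []
    hits = []
    for target in LINK_ATTR.findall(html):
        parts = urlsplit(target)
        if parts.scheme == "http" and parts.hostname == page.hostname:
            hits.append(target)
    return hits

# Constructed request as the backend sees it after the tunnel decrypts it.
REQUEST = {"Host": "home.example.net:8443"}
PAGE = "https://home.example.net:8443/seaside"

if __name__ == "__main__":
    for label, cfg in (("unconfigured", {}), ("scheme set", {"scheme": "https"})):
        print(label, base_url(REQUEST, **cfg),
              downgraded_links(PAGE, render(REQUEST, **cfg)))
```

Running `downgraded_links` over pages fetched through the tunnel is a quick way to confirm that no generated link drops the session back to cleartext once the scheme has been set explicitly.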


