I'm trying to get the following done:
A HTTP request comes into an address subdomain.domain.com to a public ip on a machine running a proxy (maybe apache? Anything better?)
Based on the subdomain, I'd like the request to be redirected to an internal machine on a private ip, and specific port. The response for that request will come from that internal machine.
What are my options? Any general guidelines out there for achieving this? Whats a good proxy implementation choice? Will also need to dynamically add subdomains over time, which redirect to specific internal ips/ports.
How do ssl certificates work in a setup with subdomains? Is a separate certificate required for every subdomain?
The setup isn't too hard. You just make a virtual host for each subdomain and configure the vhosts as proxies. The approach is the same regardless of which proxy software you choose. I recommend you to use Nginx as an reverse proxy since the configuration is easier and the performance is much better than Apache. If you still want to use Apache, make sure you do not run PHP on the proxy machine and use mpm_worker instead of mpm_prefork.
You can make a script which adds new subdomains to the configuration file. It shouldn't be too hard since they will look almost the same, except for the path to the SSL certificate and the IP of the backbone server.
For SSL you can use a wildcard certificate which will cover the entire domain, including subdomains. This is not supported on all platforms, but the support have grown in the last years so it should be pretty safe.
Otherwise, without a wildcard certificate, you will need a certificate and a separate IP address per subdomain (since the SSL connection is set up before the domain name is known, you will need to differentiate different certificates by different IPs).
Apache is perfectly reasonable for this problem. You can do virtual hosts which use mod_proxy:
<VirtualHost *:80>
ServerAdmin xxx#yyy.com
ServerName foo.yyy.com
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyErrorOverride On
ProxyPass / http://192.168.1.1/
ProxyPassReverse / http://192.168.1.1/
<Location />
Order allow,deny
Allow from all
</Location>
</VirtualHost>
If you were looking to host hundreds or thousands of sub-domains you could actually do this with mod_rewrite instead, with a trick involving local name lookups that allowed you to proxy bar.yyy.com to something like local.bar.yyy.com. Using mod_rewrite for mass virtual hosting is mentioned in the apache docs, using it to proxy instead of just rewrite is relatively straightforward. Doing it that way has the advantage that new sub domains can be added purely using DNS though.
In terms of SSL if you are just using *.yyy.com as the subdomains you can use a wildcard certificate (I neither recommend nor disapprove of thwate, they just had a reasonable description of it). In the general case though hosting multiple SSL sites behind a single public IP address is a bit more tricky.
Related
I'm planning on buying two domains.
Let's say they are domain1.com and domain2.com.
I will point them at two custom servers that I have on my computer, both of them having an HTML "browsable" endpoint.
I want to know if it's possible to point domain1.com to mycomputer:12345 and domain2.com to mycomputer:9876, so when you open, for example, domain2.com with your browser, it redirects the traffic to mycomputer:9876, without writing explicitly domain2.com:9876.
I've been searching for information about DNS records and reverse proxies, but I'm unable to figure out a way to achieve this, or something close to it.
Thanks for your time.
You can achieve this by using a reverse proxy server eg. nginx.
All you need to do is configure each domain to to the appropriate server and port in the nginx config.
Just for your information - At DNS level you can't mention ports, as DNS servers doesn't carry port information.
we have activated HTTP Strict Transport Security in production. It works well. But now, when wanting to use a subdomain to develop, the website is automatically redirected to https:
https://dev.tokeeen.com/app_dev.php/my-habits
Event if the host is set to 127.0.0.1
127.0.0.1 dev.tokeeen.com
Is there something to avoid this behavior? Of course I don't want to force the host for the main domain.
You are currently setting this on your main site:
Strict-Transport-Security max-age=63072000; includeSubDomain
If you change this to remove the includeSubDomain bit then it will only apply to your top level domain and not the dev sub domain:
Strict-Transport-Security max-age=63072000;
You then need to visit your production site to load this header and overwrite the existing one in your browser’s cache.
However this is less secure (for example someone could set up www.tokeeen.com and pretend to be your site with a bit of DNS manipulation for example).
But to be honest you should just use https on you’re dev site. The Internet is moving towards HTTPS and many new features do not work under plain HTTP. Additionally what you are developing is not similar to your production site so if you include http:// links instead of https:// for example you’ll suddenly see this failing when you release to production.
You look to use LetsEncrypt on your site so the cert is free. Do yourself a favour and just get another free one for your dev subdomain.
You have to get yourself a wildcard certificate as the ssl certificate is only for that domain. That's the whole point of having a secure site.
I'm not sure what server system you are using but in case you don't want to use wildcards and are ok with less secure, you can bind the other domains to
port 80 with the binding type http`
I am using alfresco community 5.0.d and its installed on AWS. I am able to use it via http but I am not able to use it via https.
I have added security listener to https in AWS and also modified alfresco-global.properties as below.
alfresco.context=alfresco
alfresco.host=127.0.0.1
alfresco.port=443
alfresco.protocol=https
share.context=share
share.host=127.0.0.1
share.port=443
share.protocol=https
Still no solution.
Could you let me know the steps or blog for the process.
Thanks.
Personally, I have not set this up on AWS myself, so I don't know how that will effect things and what AWS services you can use to help with some of this, but look at the docs around setting up Alfresco with SSL for test or prod depending on what you want. You need to update your tomcat config or put something in front of it.
http://docs.alfresco.com/5.0/tasks/configure-ssl-test.html
http://docs.alfresco.com/5.0/tasks/configure-ssl-prod.html
Also, if you're going to hit this from the internet (which I assume you are), you should change things from localhost to an IP or hostname. If you're doing SSL that really works, you'll want to use a real certificate and not just a self cert. In that case, you're going to need to make sure your hostname is registered and that the certificate is created against it.
As I said in my comment, this is not what has been asked, but as requested I am explaining my configuration.
I am warning everyone that I am not a network administrator, and even if I am using Alfresco on production use (with back up etc...) the website I am running is not under heavy load, or mission critical, and no-body is interested in hacking my website. So the scenario and configuration below may be unsuitable for you.
Scenario:
Host: one EC2 instance (Linux)
http blocked by EC2 rule, https only allowed
Apache listening to https
Alfresco 4.2 default installation, listening http
And the configuration for my domain:
<VirtualHost *:443>
ServerName mydomain.com
ServerAlias www.mydomain.com
DocumentRoot /alldomain/mydomain/https
ErrorLog path.to.log
SSLEngine on
SSLCertificateFile /path.to.crts/mydomain.crt
SSLCertificateKeyFile /path.to.keys/mydomain.key
SSLCertificateChainFile /path.to.pems/sub.class1.server.sha2.ca.pem
ProxyPass /share ajp://127.0.0.1:8009/share
ProxyPassReverse /share ajp://127.0.0.1:8009/share
ProxyPass /alfresco ajp://127.0.0.1:8009/alfresco
ProxyPassReverse /alfresco ajp://127.0.0.1:8009/alfresco
</VirtualHost>
As I also said I have many advantages:
Easier to renew and change certificates
I can redirect users when doing Alfresco maintenance
I can tune http cache to reduce load on Alfresco
I simply want both example.com and www.example.com to go to the same website. Currently we have just added a binding to each. This creates a problem for WCF which then breaks because it says it can only accept one http address.
Is there a better way to configure a site to accept addresses with or without 'www'?
this has to be changed in the dns using a host or a record.
You shouldn't be hosting a site on the root domain. Better approach here is to redirect traffic to the root (.example.com) to the correct site (www.example.com) using an HTTP 302.
The WCF service should only receive traffic on its single binding. Use DNS, HTTP redirection, or some Traffic management application/appliance to get traffic from multiple points to the correct one.
I have 2 servers. One Reverse proxy on the web and one on a private link serving WebDAV.
Booth servers are apache httpd v2.
On the proxy I have:
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass /repo/ http : //share.local/repo/
ProxyPassReverse /repo/ http : //share.local/repo/
On the dav server I have:
<Location /repo/>
DAV on
Order allow,deny
allow from all
</Location>
The reverse proxy is accessed via https and the private server is accessed via http.
And there lies the problem!
Read only commands work fine. But when I want to move something I get 502 Bad gateway.
The reason for this is the reverse proxy not rewriting the url's inside the extended dav request.
The source URL is inside the header and is correctly transformed to http://share.local/file1.
The destination URL is inside some xml fragment I do not understand and stays https://example.com/file1 :(
Is there a standard way to let the apache correctly transform the request?
Thanks for your effort.
Hmm, found the answer. Always the same :)
I added the next line to my 'private server' config file:
LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
RequestHeader edit Destination ^https http early
(e.g. of config location '/etc/httpd/conf.d/DefaultRequestHeader.conf')
and it worked. I don't know if this has drawbacks. I'll see.
The destination URL shouldn't be in XML but in the "Destination" header, as you already noticed. Maybe you were looking at the error response...
In general, this problem would go away when clients and servers implement WebDAV level 3 (as defined in RFC4918), which allows the Destination header to be just a relative path.