In documentation basics, we find the following examples for configuration of the hosts YAML element:
Serving one domain:
hosts: [example.org]
Serving three domains:
hosts:
- example.net
- example.com
- jabber.somesite.org
(The above are of course just two different ways of writing a YAML "list", once using the bracket notation, once using the indent-with-hyphen notation.)
A bit later, we see:
## This ejabberd server has three vhosts:
hosts:
- one.example.org
- two.example.org
- three.example.org
This is confusing.
As I understand, an XMPP domain (e.g. example.com) can be serviced by several servers or hosts (e.g. one.example.com, two.example.com, three.example.com).
The configuration seems to commingle XMPP domain and server.
Is the XMPP domain deduced from the servername? For example, if I enter one.example.org, is the XMPP domain example.org - or is it one.example.org?
If I just give the domain name under hosts, do I have to map the domain name to an actual IP endpoint in DNS?
Additionally, an SSL certificate will be requested via ACME.
Will this be a certificate for the XMPP domain (example.com) or for the server (one.example.com) or will it be a wildcard certificate?
Will the ACME service (of Letsencrypt, say) give me a certificate for example.org if I already have a certificate for the webserver of example.org?
You can even have:
hosts:
- example.net
- example.com
- jabber.somesite.org
- one.example.org
- two.example.org
- three.example.org
- 11.22.33.44
This sets 7 different XMPP vhosts, each one with its own accounts, MUC service, PubSub service...
Clients can authenticate to accounts like jon@example.net, tim@two.example.org, bot7@11.22.33.44, ...
It is your duty, as system administrator, to setup DNS so the XMPP clients know the IP address where ejabberd is listening for them. Except for the 11.22.33.44 IP address, which obviously the clients already know where to connect to.
Notice that you can have ejabberd serving one.example.org, and the same or a different XMPP server, on the same or a different machine, serving eleven.example.org.
Related
Guess this is the only post ever where I start with: "My SSL connection works but I don't know why".
I have a setup where the domain name and wildcard certificate lie on server A, and I want to use a subdomain of that domain to proxy requests to server B on another machine somewhere on the internet. Server B is currently only reachable via an IP, so I actually did not expect this to work, because SSL-certificates are based on domain names.
My setup is as follows (example):
Server A domain: www.production.io
Server A Subdomain: cus1.production.io
Server B IP: 65.23.523.12
Apache config for http of cus1.production.io:
RequestHeader set X-Forwarded-Proto "https"
ProxyPreserveHost On
Redirect / https://cus1.production.io/
Apache config for https of cus1.production.io:
ProxyPass / http://65.23.523.12/
ProxyPassReverse / http://65.23.523.12/
Calling cus1.production.io shows the application on 65.23.523.12 but with a secured connection (green lock) in the browser though the webserver on Server B does not offer https connections nor does it provide an SSL certificate.
Although the connection between a client and the "proxying" Server A is secure, the data transferred to the actual application is not. So this is actually a fraud.
Question: How do I make sure a secure connection will be applied between Server A and Server B?
It's not really "fraud", it's just that the SSL/TLS connection is ensured between the browser and Server A. The browser has nothing to do with Server B: Server A is the client to Server B.
If you can, set up SSL/TLS on Server B. Even if it's only accessible with an IP address, you could create your internal CA or a self-signed certificate. (That certificate should have this IP address in a SAN entry of IP address type.)
Then, you can use mod_ssl's SSLProxy* options to configure how Apache Httpd (on Server A) behaves as a client to server B (i.e. when it's a reverse proxy).
Typically, you'll need to set SSLProxyCACertificateFile (to point to your internal CA cert or that self-signed cert) and use SSLProxyCheckPeerName.
In short, it's up to you to make sure.
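The SSLProxy* approach described in the answer above, written out as a complete https vhost for Server A. This is an added example, not configuration from the original poster or from the Apache project. It assumes Server B has been given a certificate issued by a private CA whose certificate sits at /etc/ssl/private-ca/ca.crt (assumed path), that this backend certificate carries 65.23.523.12 as an iPAddress-type SAN as the answer recommends, that Server B now listens for TLS on port 443, and that Server A's own wildcard certificate and key are at the paths shown (also assumed).

```apache
# Server A: https vhost for cus1.production.io (added example, assumed paths)
<VirtualHost *:443>
    ServerName cus1.production.io

    # Server side: the certificate the browser sees (wildcard for production.io)
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/wildcard.production.io.crt
    SSLCertificateKeyFile /etc/ssl/private/wildcard.production.io.key

    # Client side: mod_ssl acting as a TLS client towards Server B
    SSLProxyEngine on
    # Trust only the private CA that issued Server B's certificate,
    # not the system-wide CA bundle
    SSLProxyCACertificateFile /etc/ssl/private-ca/ca.crt
    # Refuse the proxied request unless the backend certificate chains to that CA
    SSLProxyVerify require
    SSLProxyVerifyDepth 2
    # Check that the backend certificate is issued for the address we connect to
    # (here the IP in ProxyPass, so the cert needs an iPAddress SAN) and is not expired
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerCN on
    SSLProxyCheckPeerExpire on
    SSLProxyProtocol -all +TLSv1.2 +TLSv1.3

    # Off on purpose: with ProxyPreserveHost On, the peer-name check and SNI use the
    # browser's Host header (cus1.production.io), which the IP-only backend cert
    # cannot satisfy. mod_proxy still passes the original host in X-Forwarded-Host.
    ProxyPreserveHost Off
    RequestHeader set X-Forwarded-Proto "https"

    ProxyPass        / https://65.23.523.12/
    ProxyPassReverse / https://65.23.523.12/
</VirtualHost>
```

With SSLProxyVerify require, a backend presenting a certificate from any other issuer, an expired certificate, or one without a matching SAN makes Apache return an error to the browser instead of silently falling back to an unverified connection, which is the guarantee the question asks for. Whether an iPAddress SAN satisfies the peer-name check depends on the httpd version in use, so test one request after enabling it (and check the error log) before relying on it; if it does not, giving Server B a DNS name and a certificate for that name is the usual alternative.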
What you've just described is a common way of configuring SSL setups, where you have one set of servers that handle the secure connection to the browser, then they proxy the requests to another server, often just with http. This is known as SSL termination.
Usually this connection is done within a secure network, the servers hosting the certificates can be accessed from the internet, but the servers they forward to are not, so they don't proxy back across the internet. However, there is nothing in theory to prevent this if your servers aren't configured properly.
I'm trying to get visibility of two IBM MobileFirst apps through two different domains, with two different IHS configurations (independent HTTP Server and Plugin configurations) using the same secure port (443). I mean, I have domain1.com and domain2.com, and I need to use the port 443 to communicate with the public users.
My app server is an IBM Liberty Profile. I found a related question (multiple domains at the same secure port) but it is deployed on an IIS configuration.
The error that I can see at the log is:
192.168.252.123 - - [18/Apr/2017:04:29:36 -0400] "\x16\x03" 501 292
Googling, I found something related to this error on an Apache configuration, and at the end the article says:
Probably you have a section with a specific VirtualHost IP address conflicting with the default VirtualHost. A section something like this "VirtualHost 192.168.0.1:443" cannot be used with the default section like this "VirtualHost default:443".
When I take a look in my httpd.conf file I can't find another mention of a virtualhost or the port that I use.
Is this configuration possible, or is it absolutely necessary to use different secure ports for both apps?
It is required to have two ports for two separate instances of an HTTP server, but it's generally not required to have two instances of an HTTP server simply to host two domain names.
Any release of IBM HTTP Server (IHS) can serve two certificates on two domains in one instance if the domains use a different IP address.
If they share an IP address, IHS prior to 9.0 requires a single certificate to be valid for both domains (wildcard, SubjectAltName).
IHS 9.0 supports SNI and 2 certs can be used on 2 domains with just a single IP address. The 9.0 manual has many examples. You'd be using 2 *:443 Virtual Hosts.
I have an application written in Symfony2 which basically is a website builder. There are many domains pointing to the server IP, the php app inspects the request and displays the contents associated to that domain.
Is there a way to install SSL certificates on Apache for every domain, where every domain has its own certificate, without having any VirtualHost?
Apache is configured to answer every request on port 80 and 443.
Apache permits only 1 certificate per configured host.
So to achieve your goals, you will either need to use a multi-domain certificate and include all domains in that certificate. By default, most vendors limit you to 100 domains per certificate. Note that www.domain.com and domain.com count as 2 different domains for the purpose of multi-domain certificates.
https://wiki.apache.org/httpd/UnderstandingMultiUseSSLCertificates
Otherwise, you will need to configure Vhosts for each domain. Depending on your OS, you may be able to use SNI with Apache so you don't need unique IPs for each domain.
https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
I am trying to configure a remote server to host two or more development sites. My current approach was:
Hostname: somedev.something.somethingelse.com
Desired site 1: dev1.somedev.something.somethingelse.com
Desired site 2: dev2.somedev.something.somethingelse.com
I modified my hosts file so that:
dev1 127.0.0.1
dev2 127.0.0.1
I created a wildcard SSL certificate for my domain, and configured the bindings to use that SSL certificate.
However, while on the box locally I can access my sites at the desired sites, how can I expose this such that I can browse remotely?
You will either need to use a public DNS server to point those DNS names to the server's public IP address, configure your existing DNS server to point those names to the IPs (if you have a DNS server), or modify the hosts file on the machines you want to access it from to point those names to the server's IP address.
AFAIK, SSL is assigned to a single domain name (maybe several subdomains via wildcard).
On the other hand, I heard that the webserver does not see the domain before it serves the SSL certificate?
If I have multiple domains running as vhosts on one IP address:
Q1: Can the webserver serve the appropriate respective SSL to the sites?
Q2: Is there a way to have only one multi-domain SSL serving two domains on one IP?
Illuminate me out of confusion brought upon me by this seemingly self-contradictory quote:
Regular SSL Certificates are issued for a single FQDN (Fully Qualified Domain Name). The domain using the certificate has to have its own unique external IP address from which to be served. In practice, this means that if you have multiple domains on a single IP address/server, then you had to install a separate certificate on each domain you wanted to secure.
The reason for this is the use of 'Host-Headers'. They allow a web server to use a single IP address to serve many separate sites with different FQDNs. They do this by identifying the incoming request for a webpage, and routing it to the correct site accordingly.
When an SSL connection is initiated, the server must send a certificate to the client - before it knows the host-header of the request. The only identifying piece of data it has is the requested IP address. As such, two or more sites on one IP address cannot use different SSL certificates....
Q1> The web server doesn't need to know the domains embedded in an SSL cert. Only the browser does, since it's the one making sure the domain in the certificate matches the domain in the address bar. The web server just serves up the cert bound to the IP address, regardless of what domain is in the certificate.
Q2> What you describe is a SAN or UC certificate. They are designed to do what you stated, namely allow multiple domains to share one cert on one IP address. Check out this link on Subject alternative names for more info.
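The two configurations discussed in the answers above (the IHS answer's "2 *:443 Virtual Hosts" with SNI, the Apache SNI answer, and Q1/Q2 here), written out as one complete httpd configuration. This is an added example, not configuration from any of the posters, from IBM or from the Apache project; the domain names are the ones from the IHS question, and the certificate and DocumentRoot paths are assumed. The `<IfDefine>` switch lets the same file show both answers: started normally, httpd picks a certificate per vhost from the SNI name the client sends (Q1); started with `httpd -D SAN_CERT`, a single vhost serves both names with one multi-domain certificate (Q2), and Apache still serves exactly one certificate per vhost.

```apache
# Added example: two TLS sites on one IP address and one port (assumed paths)
Listen 443

<IfDefine !SAN_CERT>
    # Q1: one certificate per vhost, chosen by the SNI name in the ClientHello.
    # A client that sends no SNI cannot be matched to a vhost; without the
    # setting below it would silently get the FIRST *:443 vhost's certificate.
    # With it, such a handshake is refused instead.
    SSLStrictSNIVHostCheck on

    <VirtualHost *:443>
        ServerName domain1.com
        ServerAlias www.domain1.com
        SSLEngine on
        # Certificate whose SAN list covers domain1.com and www.domain1.com
        SSLCertificateFile    /etc/ssl/certs/domain1.com.crt
        SSLCertificateKeyFile /etc/ssl/private/domain1.com.key
        DocumentRoot /var/www/domain1
    </VirtualHost>

    <VirtualHost *:443>
        ServerName domain2.com
        ServerAlias www.domain2.com
        SSLEngine on
        # Separate certificate for domain2.com and www.domain2.com
        SSLCertificateFile    /etc/ssl/certs/domain2.com.crt
        SSLCertificateKeyFile /etc/ssl/private/domain2.com.key
        DocumentRoot /var/www/domain2
    </VirtualHost>
</IfDefine>

<IfDefine SAN_CERT>
    # Q2: one vhost, one multi-domain (SAN/UC) certificate listing all four
    # names. No SNI needed; every client gets this certificate, and the
    # browser accepts it because its SAN list contains the requested name.
    <VirtualHost *:443>
        ServerName domain1.com
        ServerAlias www.domain1.com domain2.com www.domain2.com
        SSLEngine on
        SSLCertificateFile    /etc/ssl/certs/domain1-and-domain2.crt
        SSLCertificateKeyFile /etc/ssl/private/domain1-and-domain2.key
        DocumentRoot /var/www/shared
    </VirtualHost>
</IfDefine>
```

To confirm which certificate a given name receives, connect with `openssl s_client -connect <server-ip>:443 -servername domain2.com` and read the subject and SAN of the certificate it prints; repeat with `-servername domain1.com`, and once without `-servername` to see the strict-SNI behaviour. The SNI form needs a client that sends SNI (all current browsers do) and, per the IHS answer, IHS 9.0 or later; the SAN form works with any client but every site shares one key pair, so a compromise of that key affects all the listed names.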