GCP Compute Engine Hosting Two HTTPS Website - ssl

I have a Windows instance from GCP Compute Engine. I have a website on the server using IIS, for a time. It is perfectly working with SSL certificate.
Yet, now we want to host another website on the server. I had opened the website yesterday, all the DNS's are configured and it is also working
well expect it has a HTTPS connection. I bought a SSL certificate and it is issued and ready for use. However, I forget that IIS works with SSL's in a way that the most recent SSL is accepted for specific IP and all the websites would start consuming that, the newest, one. That is why I was trying to obtain new IP but could not figure it out. Then I simply tried traditional way to have a new IP and wanted to assign to new site. Then on IPv4 configurations, it says 'DHCP Enabled'. So I stuck there and could not go to the next steps.
GCP have really complicated documentations on this issue none was really clearly expressing it. I found some solutions like I might start with enabling IP Forwarding yet I also could not find on documentations how to do it.
In short, I had a website with SSL and I have opened a new website on the same machine. Of course, their IP's are same so I would like to be able to obtain a new IP without changing the previous site's IP. I just did not know and could not find how to do it.
I would be appreciated if someone can help me to figure out how to obtain new IP for the new site so that I can use my issued SSL certificate for the website.
Thanks!

It is not directly possible to assign more than 1 IP per VM. However, you can have any number of external IP addresses by referencing the instance through forwarding rules and target pools, which is explained in this document.
You may also work out this without lb but only with forwarding rule / Protocol Forwarding. More about the concept is discussed here

Related

How to use an existing SSL certificate for a LAN server?

I am creating a new LAN server with https enabled in my organization, and I am having a hard time figuring out how to work out SSL Certs. Manually creating a cert and adding it to a specific computer's browser allows that computer to access the local https site, but installing it manually on each computer in the network is not realistic. Is there any way to use a group policy to add a new one to all the computers, or use an existing SSL cert to validate my website? There is one existing one for the organization already, which I noticed is on all the computers on the network already, but I'm not sure how to use it.
This may be a stupid question, but basically I just need a local server to use https. Any help would be great.

IIS 8 (Server 2012) Site Binding Not Working Works When No Site Name Is Specified

I've run into a strange problem. If I put a site name in the site bindings, the Default Web Site on ISS is not recognizing it. Suppose I leave it blank, then I'm able to get the pages but they show up with the server IP address.
This is a problem because with SSL, it will either not serve pages or it will give me a site warning.
Note that I have the DNS working of GoDaddy with forwarding and masking to the public IP of my EC2 instance on AWS.
All of this started overnight when the SSL cert expired. I have since put a new certificate that's valid but I cannot get the site working again.
I've done a lot of debugging including diffing the old configuration that was working with the new one and I'm not able to understand why this happens.
Setting the site name causes both http and https to not work.
Much appreciate any help in solving this - Thanks in advance!
This appears to be a problem with masking with forwarding provided by the domain host Go-Daddy. For some reason, with masking with forwarding, the response is enclosed in a frame and that frame says the src is the public IP address of the server rather than the domain name.
I also think that there is a problem with https forwarding with masking. While the reason this problem happened is not clear, for now, the fix has been to change the domain from masking with forwarding for http requests alone to point at the http server public IP address.
This is not the ideal solution but at least has the website back up and running. I'll post an update once I know more about masking with forwarding and why that suddenly stopped working.

Is certificate authorization via HTTPS possible?

I am using the Let's Encrypt IIS client from https://github.com/Lone-Coder/letsencrypt-win-simple to generate a certificate for a server. Since the certificate is only valid for three months, I want it to auto-renew.
But the server for which I need that auto-renewing certificate is only bound to https:||mysubdomain.mydomain.com:443 and smtp:||mysubdomain.mydomain.com:25.
Both http:||mysubdomain.mydomain.com:80 and ftp:||mysubdomain.mydomain.com:21 point to a different server.
As you may have guessed, the error that is now thrown during the process is "The ACME server was probably unable to reach http:||mysubdomain.mydomain.com:80/.well-known/acme-challenge/abcdefgh...xyz".
It is completely clear to me why, but I can't fix it, because http:||mysubdomain.mydomain.com has to point to the other server. If the ACME server would try https:||mysubdomain.mydomain.com:443/.well-known/acme-challenge/abcdefgh...xyz, but ignore any certificate issue, he would successfully find the challenge.
Is there anything I can do, any feature I have overlooked, that would help me to get automated renewal working?
There are multiple options:
http-01
Redirect http://example.com/.well-known/acme-challenge/* to https://example.com/.well-known/acme-challenge/*, Boulder will happily follow any such redirect and ignore the provided certificate. That's the most simple way if you have access to the other server and can configure that redirect. It's a permanent redirect that you don't have to adjust, it'll be just fine every three months.
The option to use HTTPS directly has been removed due to security issues with some popular server software that uses the first host defined if some other virtual host doesn't define any HTTP host, which might lead to wrong issuances in multi-user environments aka shared hosting.
tls-sni-01
If you want to use just port 443, you can use another challenge type called tls-sni-01. But I think there's no client for Windows available yet that supports that challenge type.
dns-01
If you have control over the DNS via a simple API, you could also use the DNS challenge, it's completely independent of the port you can use.

Protect home (webserver's) dynamic ip from reverse DNS issue

this is my first question here =)
I'm setting my webserver at home (trying both apache and nginx) and I've found that you can easily get and use free dynamic dns (sub) domain to make your server available not only with your home ip that would be changed next time after disconnect and connect to the internet. Actually I've made it working and it's great..
But the problem is that my personal unique data (account id/machine name) could be retrieved with reverse dns look up and I can not hide my real ip that is attached to server.
You can use proxy while browsing the internet, but how to proxy your web server (apache) that have free dyn dns (sub) domain?
I've already tried to create VirtualHost configurations, also with the use of proxy modules (mod_proxy, mod_proxy_http, mod_proxy_html) and additionally with proxifier tool, but no luck.
Some people say that it is possible to hide ip with nginx, but I never used to work with nginx. Still believe it is also possible with Apache, just can't figure it out.
I'm using private proxy in format [proxyip:port]. I must attach it everytime to my home ip to make it work. Maybe it's better to get login/password auth proxy, but at first I should find the way how to use it with web server.
Is there anyone who have luck with it? Can you explain, please, the proper config for apache? Currently I'm using version 2.4.
Many thanks and have a good day!

SSL Multiple Servers

Good Afternoon,
I wanted to ask this question regarding SSL certificates. Our company manages several servers. For example:
location1.domain.com
location2.domain.com
location3.domain.com
Each of the links goes to a different server with different IP as it pertains to connecting to the system from the outside world. And at each location, there are browsers that connect to each server on the local network to the same network.
For example:
192.168.2.130
The server is an apache2 running ubuntu server 14. In addition, in all the tutorials that I have looked at, one needs to know the IP address of the machine. With many of these locations, the IP address often changes. They have dynamic IPs. What I was wondering is what kind of SSL certificate do I need? I thought about the wildcard certificate but did know if it was an overkill. I also would like for the location users within each location to not see the error message that comes from not having a correctly signed SSL certificate. Thanks in advance.
George
Unless the number of location is constantly changing, you don't need a wildcard certificate. Just get one per location. Certificates should always be assigned to a name, not ip, so how the request is routed doesn't really matter.
If the internal users actually connect via IPs, rather than names, that's something you need to fix, because you have to bind the certificate to a stable name. If you want the internal users to skip the global routing, you can use something like split-horizon dns for it. (basically you serve your local users different dns answers than the ones you publish to the internet)