Page with two fqdn? Speedera.net - ssl

I have a page with a URL like this:
https://ssl1.speedera.net/www.abcd.net?resourceID=5
I don't understand the need for the ssl1.speedera.net part. Can anyone explain?

You're almost certainly using a shared hosting service, which only offers SSL access via a single host name (ssl1.speedera.net), for which the host's certificate is set up. In this case www.abcd.net isn't really a host name, but just a directory (the convention is probably to use your host name as the directory name).
This is in general due to the fact that named virtual hosts are not as easy to set up. They require either adding your host name as an additional Subject Alternative Name in the shared host's certificate or additional configuration to support Server Name Indication for your host name via a different certificate (yours). Both these options would generally incur an additional cost, if offered at all by this provider.

Related

Service mapping for keytabs

Say I have an HTTP server that has instances running on machines virt01 through virt09 which have CNAMEs svc01 through svc09. I want to add Kerberos auth to it.
Assume:
I'm on AD domain example.com
My host DNS entries are host#example.com
My Kerberos realm is EXAMPLE.COM,
From answers such as this one, I figured that the keytab has to contain entries such as:
HTTP/virt01.example.com@EXAMPLE.COM
...
HTTP/virt09.example.com@EXAMPLE.COM
HTTP/svc01.example.com@EXAMPLE.COM
...
HTTP/svc09.example.com@EXAMPLE.COM
in order for browsers and other clients (such as other non-interactive services) to be able to authenticate against the servers. Is the above correct?
If it is, a follow up question is - is there a way to make a "service alias" so to speak, so I can put just one entry in keytab:
HTTP/svc-alias.example.com@EXAMPLE.COM
somehow? This in order to be able to move the service to other hosts for example and not have to regen the keytab with a new host and CNAME added. Especially important for local testing. E.g. if this is tested on workstation583, a new keytab entry for that workstation would have to be made, which is really inconvenient.
If not possible, what is the easiest way to manage adding / removing hostnames? How is this done in practice with multi-server deployments to make it manageable?
Any resources answering any of the above are appreciated as well.

Why is Apache redirecting all domains without a .conf file to one particular domain?

My company has a LAMP server, and I am not an expert at web hosting but I manage basic tasks.
My server currently hosts about twelve different domains. Each domain has a .conf file in the sites-enabled directory, and they work fine. Let's say we have example1.com, example2.com, and example3.com, just to hopefully help explain this question.
Recently, a person I work with registered a bunch of new domains. With the domain registrar, they pointed the domains to our IP address. I believe this is called "parking" a domain. I have not set up a .conf file or enabled any of these new domains on our server yet. Let's say they are newsite1.com, newsite2.com, etc...
What's puzzling to me is that if one types one of the new domains into a browser, one of our existing domains shows up. Let's say it's example1.com. So, if you go to a browser and type in newsite1.com, or newsite2.com, you are taken to example1.com. Also, in the address bar at the top of the browser, it will be displayed as example1.com.
This is not the desired behaviour. For one thing, we did not choose, as far as I know, for example1.com to be the default, and it's not necessarily the website we would want to be the default. In any case, I don't know why the system is going to example1.com as opposed to example2.com or any of our other sites.
The desired behaviour would be for there to just be a general error, "this domain does not exist" or something like that. If there has to be a default website, we'd like to be able to choose it.
I've seen questions on Stack Overflow that are similar, but they all presume one wants to set a default. When I look at the configuration files they reference, for example /etc/httpd/conf/httpd.conf, they are empty, so in my case, there is nothing to unset.
How do I stop browsers from being redirected to the website that they are currently being directed to? How can I set it so that Apache just returns a "site not found" error instead of serving up a website?
The easiest way to fix this is to name your .conf files starting with a number.
If you look at the default Apache configs, you'll notice a file called "000-default.conf". Apache will load the files in number order - so just make your default virtual host .conf file be 000-whatever.conf.
I suppose you're using name based virtual hosts and the <VirtualHost> directive and this is what docs have to say:
If no matching name-based virtual host is found, then the first listed virtual host that matched the IP address will be used. As a consequence, the first listed virtual host for a given IP address and port combination is the default virtual host for that IP and port combination.
So when you say:
"I've seen questions on Stack Overflow that are similar, but they all presume one wants to set a default."
... all I can add is that that's the way Apache works. I don't think it's inherently wrong to have a default host that serves a "this domain does not exist" page. I always do so in my Windows development box, typically by commenting out the default hosts in the conf/extra/httpd-vhosts.conf file and adding my default host there.
If you ask for my opinion, it's rather questionable that Apache basically serves an arbitrary site when there's no match, thus making this customisation mandatory—and I've seen lots of live sites that don't do it.

Apache Multiple Subdomain DNS Handling

I am currently building an application that I will host and will have multi-tenants (SaaS) called over the web, I would like them to be able to have subdomain.theircompany.com be able to point to subdomain.mycompany.com (or if they wish, point a full TLD to a subdomain with me).
The way I have been expecting this to work is to simply have a wildcard 'ServerAlias *.mycompany.com' in my Apache config pointing to my application, which then extracts the host being called... They then redirect via a CNAME entry on their host.
My question is, would this approach allow external subdomains to be pointed to a CNAME URL instead of IP? As this runs on one account on my system, am I able to install an SSL for a single wildcard if that customer wants to be running on SSL?
Any other suggestions/approaches would be greatly appreciated!
Thanks
A CNAME will work for the purposes of naming, but not for the purposes of a wildcard SSL cert.
Specifically, example.theircompany.com can have a CNAME record with a value of example.yourcompany.com. This will mean that example.theircompany.com will transparently resolve to your site. In other words, a browser still sees example.theircompany.com, not example.yourcompany.com.
As such, the SSL cert must be for the theircompany.com domain, not the yourcompany.com domain.

How to set up a domain on a server?

I am running LAMP config on CentOS 5.6
Now, the question is how do I add a domain name to the server? I have already pointed the domain name to the server.
I think the next steps would be something like this.
Create a user on centos
Create a folder for the domain name within that users directory
Create a virtual host on apache pointing the directory to the users directory
Add content to the directory of the domain name specified in the virtual host
Voila! A new domain name created.
Am I missing something from the list? Also, any other methods to do this or just use ssh?
To change the domain name, there are a couple of config files you need to work with, with root permission. Make sure you back up all original files before making any changes:
"/etc/sysconfig/network", in which you should replace the default hostname with your FQDN (Fully Qualified Domain Name), something like this: myHostName.myDomainName.
"/etc/hosts", to which you should add your IP address(es) with the corresponding hostname and FQDN, separated by whitespace, something like this: 192.168.1.1 myHostName myHostName.myDomainName
"/etc/sysconfig/network-scripts/ifcfg-eth0", which is a config file for your Ethernet interface 0; replace the default IP address, network, network mask, gateway, etc. with proper values. And if your server has more than one interface, you should configure all of them. They are in the same directory as the file I mentioned above. Look at the name and you should know which one to amend.
Finally, restart your server.
I recommend this book which I am using as a quick reference. For those steps you mentioned, it depends what you want to achieve. But I suggest you open a new thread for them.
You create a user, then you create a domain directory and put your files in there, then you add a virtual domain to apache and restart apache and that should be it.
Obviously don't forget to set up your DNS or ask your hosting to set it up for you.

How to prevent hackers from exploiting Apache ->Sites-available -> Default file

We noticed that a hacker created a domain and configured DNS to point it to our server's IP address.
We are using apache2.x on Ubuntu.
There is a "default" file in apache's /etc/apache2/sites-available directory and it looks like the hacker's domain is using the "default" apache configuration file to display our web content in their domain.
How can we prevent this?
Can someone post a "default" apache configuration file as an example?
Unknown domains that come into apache over the specified ip and port will be directed to the first virtual host, thus the 000-default file. Your best bet is to make the 000-default host return a 400 or 500 error (or some explicit message saying the domain doesn't belong) and use explicit virtualhosts for each of your sites.
+1 Jeremy's answer: make the default (first) virtual host for each IP address you're listening on return something useless like a 404 or page saying nothing but “this is a virtual server”.
Allowing your web server to serve a real web site on a non-matching ‘Host’-name (including a raw IP address) opens you up to two particular attacks:
DNS rebinding attacks, leading to cross-site scripting into your real web site.
This affects sites with a user access element (eg. logging in, cookies, supposedly-private intranet apps).
‘Search-hijacking’. This affects all sites (even completely static ones). This may be what is happening to you. By pointing their own domain name at your server, they can make search engines see both the real domain name and their fake one as duplicates for the same site. By using SEO techniques they can then try to make their fake address seem like the more popular, at which point the search engines see that as the canonical address for the site, and will start linking to it exclusively instead of yours.
Most web servers are configured by default to serve a web site to all-comers, regardless of what hostname or IP address they're accessing it through. This is a dangerous mistake. For all real live sites, configure it to require that the ‘Host’ header matches your real canonical hostname.
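
The catch-all default virtual host recommended in the answers to both the parked-domain question and this one, written out as an added example (not posted by anyone in these threads). It assumes Apache 2.4 on Ubuntu with mod_alias enabled; `catchall.invalid`, the certificate paths, the log file name and the `DocumentRoot` are placeholders.

```apache
# /etc/apache2/sites-available/000-default.conf
# Sorted first, so this is the first listed virtual host for *:80 and *:443.
# Apache falls back to it for any request whose Host header matches no
# ServerName or ServerAlias: parked domains, someone else's domain pointed
# at this IP address, or the bare IP address itself.
<VirtualHost *:80>
    # Reserved name that never resolves; it only labels this vhost.
    ServerName catchall.invalid
    # Answer every path with 404 instead of serving a real site.
    Redirect 404 /
    # Separate log that records the Host header, so stray names can be reviewed.
    CustomLog ${APACHE_LOG_DIR}/catchall_access.log "%h %t \"%{Host}i\" \"%r\" %>s"
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName catchall.invalid
    SSLEngine on
    # Assumption: a self-signed certificate created only for this vhost.
    SSLCertificateFile    /etc/ssl/certs/catchall-selfsigned.pem
    SSLCertificateKeyFile /etc/ssl/private/catchall-selfsigned.key
    Redirect 404 /
</VirtualHost>
</IfModule>

# /etc/apache2/sites-available/example1.com.conf
# Before: with no catch-all, this file was the first one loaded, so
# example1.com was served for newsite1.com and any other unknown name.
# After: it answers only for the names listed here.
<VirtualHost *:80>
    ServerName example1.com
    ServerAlias www.example1.com
    # Placeholder path for the site's content.
    DocumentRoot /var/www/example1.com
</VirtualHost>
```

After reloading, `apache2ctl -S` lists the virtual hosts per address and port and marks which one is the default server.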