Wildcard SSL Certificate registration with multi-level subdomains - ssl

My client owns "domain.com". We need to give various applications friendly names for internal and external access. The applications are WCF web services and MVC web applications with varying levels of authentication (Windows auth within and across AD domains and plain text authentication). It looks a little like this:
UAT Environment
service1.uat.services.domain.com
service2.uat.services.domain.com
service3.uat.services.domain.com
service4.uat.services.domain.com
application1.uat.apps.domain.com
application2.uat.apps.domain.com
Production Environment
service1.services.domain.com
service2.services.domain.com
service3.services.domain.com
service4.services.domain.com
application1.apps.domain.com
application2.apps.domain.com
We're likely to have a LOT more sub domains, and everything needs to be secured with SSL.
We've changed our minds on how to configure this a number of times, but now we've hit a possible restriction. We thought a wildcard SSL certificate might work, but apparently they only work to a single level of subdomain i.e. *.services.domain.com.
Because of budget, we'd like to register a single wildcard SSL certificate and apply it to multiple servers (belonging to multiple AD Domains, and also a few servers in our DMZ).
This morning I had an idea, but I don't know enough about this stuff to make a definite decision. Do any of you foresee any restrictions on using the following naming convention instead of the above?
service1-uat-services.domain.com
service2-uat-services.domain.com
service3-uat-services.domain.com
service4-uat-services.domain.com
application1-uat-apps.domain.com
application2-uat-apps.domain.com
service1-services.domain.com
service2-services.domain.com
service3-services.domain.com
service4-services.domain.com
application1-apps.domain.com
application2-apps.domain.com
That way, we can register a wildcard for *.domain.com and use a single level subdomain for each application / service, but still allow us to keep everything logically separate. Are there any technical issues anyone can identify using this set up?

There shouldn't be any problem with that.


Cannot use wildcard subdomains with Convox Gen3?

We run a cloud platform with subdomains for each customer (similar to how Shopify has mystore.myshopify.com).
It currently runs as a Gen1 app, and will likely need to be upgraded soon.
According to the docs however, it's not possible to use wildcard subdomains due to an issue with Let's Encrypt?
https://docs.convox.com/deployment/custom-domains
Does this make Convox a non-option for us moving forward?
We also offer customers the ability to use a custom domain (also similar to Shopify), but would this mean we would need to configure each domain with Convox at the convox.yml level, and have the customer send a Let's Encrypt validation email?
LetsEncrypt doesn’t use validation emails. As long as the DNS resolves to the Rack router, LetsEncrypt will issue the cert.
So while you would have to specify each sub-domain in their convox.yml, the email thing isn’t an issue. You can specify the domains through the use of an env var which they can update rather than actually changing the file each time.
You could also use Gen2 which has ongoing support and development. Gen2 and Gen3 are just different pathways to achieve relatively the same thing. https://docsv2.convox.com/gen1/ssl

Service mapping for keytabs

Say I have an HTTP server that has instances running on machines virt01 through virt09, which have CNAMEs svc01 through svc09. I want to add Kerberos auth to it.
Assume:
I'm on AD domain example.com
My host DNS entries are host.example.com
My Kerberos realm is EXAMPLE.COM.
From answers such as this one, I figured that the keytab has to contain entries such as:
HTTP/virt01.example.com@EXAMPLE.COM
...
HTTP/virt09.example.com@EXAMPLE.COM
HTTP/svc01.example.com@EXAMPLE.COM
...
HTTP/svc09.example.com@EXAMPLE.COM
in order for browsers and other clients (such as other non-interactive services) to be able to authenticate against the servers. Is the above correct?
If it is, a follow-up question is: is there a way to make a "service alias", so to speak, so I can put just one entry in the keytab:
HTTP/svc-alias.example.com@EXAMPLE.COM
somehow? This is in order to be able to move the service to other hosts, for example, and not have to regenerate the keytab with a new host and CNAME added. This is especially important for local testing. E.g. if this is tested on workstation583, a new keytab entry for that workstation would have to be made, which is really inconvenient.
If not possible, what is the easiest way to manage adding / removing hostnames? How is this done in practice with multi-server deployments to make it manageable?
Any resources answering any of the above are appreciated as well.
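One way to keep the "which hosts still need an entry" question manageable, as an added example that is not code from the question: build a minimal MIT-format keytab in memory, read the principals back out of it, and diff that list against the deployment's host list. The keytab layout follows the documented MIT keytab file format (version 0x0502, big-endian integers); the key bytes are zero-filled placeholders so the file parses, and the host names virt01-09, svc01-09 and workstation583 are the ones from the question used as constructed sample data. Run the same `read_keytab_principals` over a real keytab file's bytes to audit it.

```python
# Added example, not code from the question: build a minimal MIT-format
# keytab in memory, read the principals back out, and list deployment hosts
# that still lack an HTTP/<host>@REALM entry. The key bytes are zero-filled
# placeholders so the file parses; a real keytab comes from ktpass/ktutil.
import struct
from typing import Iterable

KEYTAB_VERSION = 0x0502      # MIT keytab format v2, all integers big-endian
NT_PRINCIPAL = 1             # KRB5_NT_PRINCIPAL
ENCTYPE_AES256_SHA1 = 18     # aes256-cts-hmac-sha1-96


def _counted(data: bytes) -> bytes:
    """16-bit length prefix followed by the bytes (keytab counted_octet_string)."""
    return struct.pack(">H", len(data)) + data


def _read_counted(buf: bytes, pos: int) -> tuple[bytes, int]:
    (n,) = struct.unpack(">H", buf[pos:pos + 2])
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(principals: Iterable[str], kvno: int = 1) -> bytes:
    """Serialize 'service/host@REALM' principals as keytab entries."""
    out = struct.pack(">H", KEYTAB_VERSION)
    for princ in principals:
        name, realm = princ.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for comp in components:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", NT_PRINCIPAL, 0, kvno)   # name type, timestamp, vno8
        placeholder_key = b"\x00" * 32                         # constructed, not a real key
        body += struct.pack(">H", ENCTYPE_AES256_SHA1) + _counted(placeholder_key)
        body += struct.pack(">I", kvno)                        # optional 32-bit vno
        out += struct.pack(">i", len(body)) + body             # entry size, then entry
    return out


def read_keytab_principals(data: bytes) -> list[str]:
    """Return every principal stored in keytab bytes, in file order."""
    (version,) = struct.unpack(">H", data[:2])
    if version != KEYTAB_VERSION:
        raise ValueError(f"unsupported keytab version {version:#x}")
    pos, found = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                  # negative size marks a deleted slot
            pos += -size
            continue
        entry, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack(">H", entry[:2])
        realm, p = _read_counted(entry, 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _read_counted(entry, p)
            comps.append(comp.decode())
        found.append("/".join(comps) + "@" + realm.decode())
    return found


def missing_spns(keytab: bytes, hosts: Iterable[str],
                 service: str = "HTTP", realm: str = "EXAMPLE.COM") -> list[str]:
    """Hosts from the deployment list that have no service/host@REALM entry."""
    present = set(read_keytab_principals(keytab))
    return [h for h in hosts if f"{service}/{h}@{realm}" not in present]


def sample_audit() -> list[str]:
    """Constructed scenario: virt01-09 plus CNAMEs svc01-09; keytab lacks two hosts."""
    wanted = [f"virt{i:02d}.example.com" for i in range(1, 10)]
    wanted += [f"svc{i:02d}.example.com" for i in range(1, 10)]
    wanted.append("workstation583.example.com")   # the local-test case from the question
    absent = {"svc09.example.com", "workstation583.example.com"}
    in_keytab = [f"HTTP/{h}@EXAMPLE.COM" for h in wanted if h not in absent]
    return missing_spns(build_keytab(in_keytab), wanted)


if __name__ == "__main__":
    for host in sample_audit():
        print("missing keytab entry for", host)
```

Keeping the host list in version control and running this diff after every keytab regeneration turns "did we forget a CNAME" into a mechanical check rather than something discovered when a client fails to authenticate.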

Primary SSL re-routing HTTP add-on

As a complete newbie, I've been skulking through this site for about the past twelve months to find solutions to errors. The following issue has driven me to distraction to such a degree that I decided to join the fun and see if anyone can help.
I have a main site which has an essential SSL certificate. I recently created another site as an add-on domain to the main hosting. However, this means the add-on tries to run as https, causing a security error and blocking most of the html and css document. I'd be very grateful if anyone could offer advice on how to work around this.
The certificates are valid only for the domain specified in the CN.
However, you are not the only one with this requirement, so what you can do:
use a wildcard certificate - wildcard certificates are usually more expensive, but they cover all subdomains on that level (*.domain.com covers www.domain.com, mail.domain.com, ... but not domain.com itself)
use Subject Alternative Name - it is an explicit list of domains covered by the certificate
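The matching rule behind both this answer and the wildcard question above (a wildcard covers exactly one label, so "*.domain.com" covers "service1-uat-services.domain.com" but neither "service1.uat.services.domain.com" nor "domain.com") is small enough to show in code. The following is an added example, not code from either post: it implements the RFC 6125 name-matching rule a TLS client applies and runs it over the two naming schemes from the question plus a constructed SAN list. The hostnames and the `SAN_CERT` list are constructed sample data.

```python
# Added example, not from the original posts: the hostname-matching rule a TLS
# client applies to certificate names (CN or dNSName SAN entries), following
# RFC 6125: a wildcard may only be the whole leftmost label and it matches
# exactly one label, so it never spans a dot.
from __future__ import annotations


def hostname_matches(pattern: str, hostname: str) -> bool:
    """True if one certificate name (possibly a wildcard) covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire leftmost label, with at least two more
    # labels after it, so "*", "*.com" or "svc*.domain.com" are not accepted.
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    # One label only: a 3-label pattern cannot cover a 4- or 2-label name.
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(cert_names: list[str], hostname: str) -> bool:
    """True if any name on the certificate (SAN list or CN) matches hostname."""
    return any(hostname_matches(name, hostname) for name in cert_names)


def uncovered(cert_names: list[str], hostnames: list[str]) -> list[str]:
    """Hostnames that would fail validation against this certificate's names."""
    return [h for h in hostnames if not cert_covers(cert_names, h)]


# Constructed sample data mirroring the two naming schemes in the question.
WILDCARD_CERT = ["*.domain.com"]
MULTI_LEVEL = [
    "service1.uat.services.domain.com",
    "application1.apps.domain.com",
    "domain.com",
]
SINGLE_LEVEL = [
    "service1-uat-services.domain.com",
    "application1-apps.domain.com",
]
# A SAN certificate can list one wildcard per level it needs to cover.
SAN_CERT = [
    "domain.com",
    "*.domain.com",
    "*.apps.domain.com",
    "*.services.domain.com",
    "*.uat.services.domain.com",
]

if __name__ == "__main__":
    print("*.domain.com leaves uncovered:", uncovered(WILDCARD_CERT, MULTI_LEVEL))
    print("*.domain.com leaves uncovered:", uncovered(WILDCARD_CERT, SINGLE_LEVEL))
    print("SAN cert leaves uncovered:", uncovered(SAN_CERT, MULTI_LEVEL))
```

Note that the bare apex name has to be listed explicitly either way: the wildcard never covers "domain.com" itself, which is why the single-level scheme still needs a SAN for the apex if anything is served there.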

Strange domains in mod_pagespeed cache folder

About a year ago I installed mod_pagespeed on my VPS server, set it up and left it running. Recently I was exploring files on my server, went to the pagespeed cache folder and discovered some strange folders.
All folders are usually named this way: ,2Fwww.mydomain.com or ,2F111.111.111.111 for IP addresses. I was surprised to see some domains that do not belong to me, like:
24x7-allrequestsallowed.com
allrequestsallowed.com
m.odnoklassniki.ru
www.fbi.gov
www.securitylab.ru
It looks like something dodgy is going on. Was my server compromised, or is there any reasonable explanation?
That does look peculiar. Everything in the cache folder should be files that mod_pagespeed tried to rewrite. There are two ways that I know of that this can happen:
1) You reference some third-party resource (say an image from another domain, or google analytics script) and you have explicitly enabled rewriting of that domain with ModPagespeedDomain www.example.com or ModPagespeedDomain *.
2) If your server accepts HTTP requests with invalid Host headers. Try (for example) wget --header="Host: www.fbi.gov" www.yourdomain.com/foo/bar.html. If your server accepts requests like that it may be providing mod_pagespeed with an incorrect base domain, and then subresources would be fetched from the same domain (so if www.yourdomain.com/foo/bar.html references some.jpeg, and your server accepts invalid host headers, we could fetch www.fbi.gov/foo/some.jpeg as the resource). There was a recent security release that makes sure all of these subrequests are done against localhost (not arbitrary third-party websites). Please see: https://developers.google.com/speed/docs/mod_pagespeed/CVE-2012-4001
You might want to look through these folders and see what specific resources are in there. I think that the biggest concern you should have is that someone might be trying to perform an XSS attack on your users or maybe a DDoS attack against another website (like www.fbi.gov), using your server as one vector. I do not think that these folders are indicative that your server itself is compromised.
If you would like to discuss this more, https://groups.google.com/forum/?fromgroups#!forum/mod-pagespeed-discuss is a good list to join and email.
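For the "look through these folders" step in the answer, here is an added example (not code from the question, the answer, or the mod_pagespeed project) that decodes the cache directory names and reports every host that is not one of yours. The ",2F" prefix seen in the question is read as a comma followed by the hex value of the escaped byte (0x2F is "/"); that decoding rule is inferred from the names quoted on the page. The directory listing and the `OWNED` set are constructed sample data; point `foreign_hosts` at `os.listdir` of the real cache directory to run it for real.

```python
# Added example, not from the original question or answer: decode the folder
# names in a mod_pagespeed file cache and flag hosts that are not yours.
# Decoding assumption (inferred from the names quoted on the page): a comma
# followed by two hex digits is an escaped byte, so ",2F" is "/".
import ipaddress
import re
from typing import Iterable

_ESCAPE = re.compile(r",([0-9A-Fa-f]{2})")


def decode_cache_name(name: str) -> str:
    """Turn ',2Fwww.example.com' into '/www.example.com'."""
    return _ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), name)


def host_of(name: str) -> str:
    """The host part of a decoded cache path, lower-cased."""
    return decode_cache_name(name).lstrip("/").split("/")[0].lower()


def is_owned(host: str, owned: set[str]) -> bool:
    """Exact match for hosts and IPs, or a subdomain of an owned domain."""
    if host in owned:
        return True
    try:
        ipaddress.ip_address(host)
        return False          # IP addresses only count when listed exactly
    except ValueError:
        pass
    return any(host.endswith("." + domain) for domain in owned)


def foreign_hosts(cache_dirs: Iterable[str], owned: Iterable[str]) -> list[str]:
    """Sorted, de-duplicated hosts in the cache that are not yours."""
    owned_set = {o.lower() for o in owned}
    hosts = sorted({host_of(d) for d in cache_dirs if d.startswith(",")})
    return [h for h in hosts if not is_owned(h, owned_set)]


# Constructed sample listing, using the names quoted in the question.
CACHE_DIRS = [
    ",2Fwww.mydomain.com",
    ",2F111.111.111.111",
    ",2F24x7-allrequestsallowed.com",
    ",2Fwww.fbi.gov",
    ",2Fm.odnoklassniki.ru",
]
OWNED = {"mydomain.com", "111.111.111.111"}

if __name__ == "__main__":
    for host in foreign_hosts(CACHE_DIRS, OWNED):
        print("cache entry for a host you do not own:", host)
```

Anything this reports is worth a follow-up look at the resources cached under it, and at whether the server is still accepting requests with arbitrary Host headers as described in point 2 of the answer.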

CPanel: How to use two different domains in one hosting account, keeping url?

Right now there are two different accounts, with each domain having its own hosting account,
for similar websites (let's say domain.fr and domain.co.uk)!
I've merged the two websites into one (currently hosted as 0.0.0.0/site/language),
making it multilanguage! The script just needs a prefix on the root,
such as www.domain.com/english/ or www.domain.com/french.
This works as expected if only one domain is used, but I would like to use two different domains (domain.fr / domain.co.uk).
So, I want to catch the current request URL, to know what language to display. What's important is that the request URLs stay persistent.
For example,
http://domain.co.uk/language_english
http://domain.co.uk/language_english/somepage.php
http://domain.co.uk/language_english/somedirectory/someotherpage.php
While,
http://domain.fr/language_french
http://domain.fr/language_french/somepage.php
http://domain.fr/language_french/somedirectory/someotherpage.php
These two domains are actually hosted in the same hosting account, let's say
127.0.0.1/language_variable/somepage.php
Any suggestions or good practices?
If I got your question, it's a feature of the web hosting solution called Addon Domains, and it depends on the hosting company how many Addon Domains they let you put into one account!