(Edit:) How secure are shared hosting solutions?
We have some sites on shared hosting accounts where smtp is accessed as a subdomain e.g. smtp.domain.co.za - when accessing that address with a browser it provides access to a generic login interface to the domain's mail which is not covered by the inexpensive letsencrypt ssl certificates clients who choose shared hosting in the first place typically opt for, leading to security concerns. (E.g. when a security audit gets done).
I expected it should be possible to restrict access to the subdomain, e.g. only allowing access from scripts running in the main domain (or some other consition) with .htaccess - these are typically microsites where the only SMTP traffic originates from the site at the domain. However, visiting the 'subdomain' in a browser it seems the .htaccess in the main domain does not get called.
So, short of purchasing a more expensive certificate that either covers the subdomain, or a separate certificate for the subdomain - which would negate the little merit of using shared hosting in the first place, is there a way of resolving the problem?
Related
Scenario
We have a multi-tenant SaaS application deployed on a VM hosted with a service provider. We have multiple domains pointing to this VM (let us call them abc.com and xyz.com). Each of our tenant gets a unique sub-domain URL from one of these domains.
In our IIS installation no domains are explicitly defined - as a result, when a request hits the IIS, as no domains are defined, all requests are automatically routed to the default site.
With this arrangement, we are able to serve a any number of sub-domains for each of the primary domains pointing to the VM without having to explicitly create these sub-domains. For example, t1.abc.com, t2.abc.com, t3.xyz.com, t4.xyz.com are all served by our application without having to create these sub-domains in IIS instance.
In our application, when we get the request, by checking the requested URL, we can easily identify the tenant from which the request is coming. All further data access is automatically restricted to the data created by the particular tenant.
Issue
We need to provide secure communication to all our application users through SSL. We can purchase wildcard SSL for each of the domains (viz abc.com, xyz.com). Now the issue is, how do we deploy multiple SSLs on a single website/application defined in IIS?
This will require us to have two separate sites defined in IIS for abc.com and xyz.com. Unfortunately, these will not be "catch-all" sites for the corresponding sub-domains. By default, IIS allows only one "catch-all" site.
From what I understand from some of the posts, we can have multiple "catch-all" site (for separate domains) in IIS, provided each of them is bound to a separate IP address. Though I could not find any document providing the steps for the same. Can someone point me to the document / steps for doing this?
It is not necessary to have 2 separate boxes for abc.com and xyz.com domains. You can request your CA to combine all DNS records into single SSL certificate with all required Subject Alternative Names SAN.
We also ran into this problem before and SAN certificate worked really well with our multi-tenant configuration. I would also recommend to use load balancer like Nginx for SSL offload to serve your client faster and even more secure. In this case you can just point new client to the Load Balancer.
I have one website configured for Windows Server 2012 IIS 8. This one website can be accessed by xyz.com or abc.com (2 different top level domain names). Is it possible to configure SSLs for both?
Yes. You can configure two different domains with two different certificates for the same IP and port no(443). After providing the domain name in Binding, enable check box Require Server Name Identification(IIS8). If you do not enable this check box, two websites will have the same single certificate, if you change one website binding file, it will reflect in other website also.. I have experienced.
Please refer below link.
http://www.orcsweb.com/blog/fred/host-different-ssls-on-one-ip-with-iis-8-sni/
As Windows Azure web site is powered by IIS, you can see from the offerings that it is possible to bind multiple SSL to a single site,
http://azure.microsoft.com/en-us/pricing/details/web-sites/#web-sites
The trick is to use SNI,
http://www.iis.net/learn/get-started/whats-new-in-iis-8/iis-80-server-name-indication-sni-ssl-scalability
Yes you can add multiple https bindings each with their own separate ssl certificate to the same site in IIS. However you'll want to bind them to separate IP addresses so that the certificate for xyz.com is bound using the IP address for xyz.com, and the certificate for abc.com is bound using the IP address for abc.com. But frankly, it'd be better practice to have one redirect to the other, or just make 2 sites in IIS and keep everything separate.
I have been attempting to set up magento on a shared hosting server that doesn't support innoDB, ergo its not been possible. The domain I want to use has also been registered with this rubbish hosting provider. (one[dot]com for anyones reference). So I thought I would be able to point this domain to a different hosting provider that DOES support it, but one[dot]com doesnt allow me to change nameservers for the domain. They just said this:
You can only setup IP address, CNAME and web forwarding in our DNS settings but not change of nameservers
Would there be any way to change any of these settings or the .htaccess file so that, for example
http://www.mydomain.com/folder/page.php?query=string
Would display a page from the other server
http://xxx.xxx.xxx:xx/folder/page.php?query=string
I've created loads of sits doing all sorts but never really needed to other with the domain administration side of things.
You don't need to change name servers to map a domain to a different server. If the "good" provider supports it (i.e. allows you to register a domain on the server that isn't hosted by the company), just switch the A and MX records to the new server's IP address.
You do need the cooperation of the "good" provider for this, though.
If they're letting you set up the IP address, then setting the IP address of www.mydomain.com to xxx.xxx.xxx.xx should do the trick. On the other server, you'll need its webserver to be set up to serve www.mydomain.com as a virtual domain - if you're using a hosting provider they should do this for you; if not it should be fairly easy to set up (consult the manual of whichever web server software you're using).
Can anybody explain why I see another web site at my http secure address. I don't have a certificate. I can manage files from folder httpsdocs but cannot access them from web. Also httpsdocs is empty. https://innovacube.com/
And base of my problem is Google indexes my https domain but I cannot denny Google Bot.
You're sharing IP addresses with another site - you'll see that both www.innovacube.com and www.cokyader.com resolve to 92.199.202.62. HTTP/1.1 allows this because you also send a host header
GET / HTTP/1.1
Host: www.innovacube.com
so the web server knows which site to serve for a given connection.
It isn't, however, possible to do this for HTTPS. The problem is that the certificate negotiation happens before the server gets to HTTP so you can't switch depending on the site that the browser really means. Therefore you can only host one HTTPS site per IP and this IP is hosting cokyader.com. (There are proposed extensions to help fix this but I've never seen any progress on this.)
If you want your own separate HTTPS site then your host will have to allocate you your own separate IP address.
Because you are using shared hosting, and it has been configured with a default SSL site that isn't yours (but presumably belongs to someone who has paid for SSL support and has their site hosted on the same server).
I am creating software that allows users to either have their own custom subdomain (e.g: theirsubdomain.mydomain.com) or point a CNAME from their own domain to my website address (e.g: theirsubdomain.theirdomain.com).
I've contacted my host about this and the first subdomain option is cool. They will set-up a wilcard subdomain script for me...
The CNAME they said I can't do automatically. I will have to manually go into my account and add the domain to point to my website address otherwise apache wont now where to look for the files.
Is this common practice or is there a way around this that is automated?
The issue is the HTTP header. When you request a Web page the browser sends a request that starts out with:
GET /mypage.html HTTP/1.1
Host: www.mysite.com
The Host item allows a single Web server to serve pages for multiple domains. By looking at the Host, the server knows that mypage.html should come from its stored files for mysite.com, and not from the files of myothersite.com which is on the same server.
I am guessing your site is on a shared Web server at your host company, and they use this functionality to differentiate between requests for your site and requests for other sites that sit on that same virtual box. Some of these virtual hosts, like HostGator, will allow you to specify other domains that should be accepted on this Host line and where the returned documents should come from. This often is a more premium service offered by companies. For example on HostGator they say "The Baby and Business hosting plans allow for unlimited domains to be hosted on just one single account", however the basic Hatchling plan does not allow this.
If you have your own rented machine, with your own installation of Apache, you can manage the processing of this HTTP header information yourself. Apache supports virtual hosts, see the following documentation: http://httpd.apache.org/docs/2.2/vhosts/
So basically, you have to have some way to tell Apache (or whatever server you are using) that the files for a particular Host value corresponds to the same files for your domain, since a single Apache server may be providing files hundreds of different domains. If you are not administering your own Apache server, to where you can set up virtual hosts as shown in the documentation, the hosting service would have to provide some custom way to get this information to Apache.