I have multiple SSL certificates for multiple pages. I want to run all pages on the same server on the same port, so I need to create one single HTTPS server and then proxy the request based on the hostname to the sites.
The problem here is that I can't find out how I can use multiple SSL certificates so that the right certificate is always used.
Is this even possible?
Combining the certificates into a wildcard one is not possible, by the way, since I use different top-level domains for the sites. For example:
www.a.xx
www.a.yy
www.b.xx
www.b.yy
c.xx
c.yy
You can only do it for browsers (and in your case the proxy) supporting Server Name Indication. Not all browsers support it, though, so if you want it completely "generic", you need to use separate IPs for the different sites.
(Granted, most modern browsers support it, so it depends on your "support matrix" for the sites)
Is it possible to use the same nodeJS server for two/three different domains (aliases)? (I don't want to redirect my users. I want them to see the exact URL they typed in the address bar. However, all three domains are exactly the same!)
I want my users to be logged in on all three domains at the same time, in order to avoid any confusion.
What is the simplest way to do this and avoid cross-domain issues?
Thanks!
If you mean that all domains will serve the same Node.js app, then yes, you can do that.
But if each domain should open a different application, then you must have a reverse proxy running on the server to handle and manage the sites/vhosts.
You may install nginx and use it as a reverse proxy server, or look for http-proxy, a library for Node.js.
If you would like to manage the vhosts in your app, you can look for the vhost middleware for Node.js and use it.
Choose one of:
Use some other server (like nginx) as a reverse proxy.
Use node-http-proxy as a reverse proxy.
Use the vhost middleware if each domain can be served from the same Connect/Express codebase and node.js instance.
This is a very broad question. Moreover, it is generally a pretty bad idea, SEO-wise, to have multiple independent domains that each serve the same content.
Logging in is generally either done through Cookies, or through extra parameters in the URL. Cookies are always domain-specific, for obvious security reasons. If you want to ensure folks will be logged in to all the domains at once, you can create an internal purpose-driven domain to handle authentication (without such domain showing in URL bar, and only being used for HTTP redirects, effectively); such domain will store the login state for all the rest, and the rest would pick up the login state through such purpose-driven domain (through HTTP redirects).
In general, however, this sounds like too much trouble. Consider that, perhaps, some users specifically want to use different domains for different accounts, so, you'll effectively break their usage if you mandate that a single login be used for all of them. And, back to the original point, doing this is pretty bad for SEO, so, just don't do it.
I am pretty sure that similar questions have been asked before but I didn't manage to find any (maybe I am using the wrong terms).
I have an insecure web app (built in Laravel). All communication between the frontend and the backend goes through HTTP. Now I want to switch to HTTPS. As far as I know, there are two ways I can do this.
The first is to configure the server (the one that hosts the app) to accept only HTTPS requests. If I do it this way, the communication between the client and the server will be encrypted and I won't have to change anything in my app (is this correct?).
The second way is to configure my app to accept only HTTPS requests. If I do it this way I will have to make some changes to my application code.
Now I want to ask, are both ways equally secure? Which way is preferred and why?
Several things are mixed up here I'm afraid.
You can only turn on SSL on your web server (Apache, Nginx, etc). You need a server certificate, and you have to configure your web server to be able to receive https (ssl) connections. As for how exactly to do that is beyond the scope of this answer, but there are lots of tutorials you can find. You have to do this first.
When your web server is configured to support SSL, you want your web application to only be accessible over HTTPS and not plain HTTP. The purpose is that on the one hand, users who don't know the difference are still safe, and on the other hand that attackers can't downgrade a user's connection to insecure plain HTTP.
Now as for how you want to enforce HTTPS for your application, you really do have two choices. You can have your web server handle plain HTTP requests and redirect them to SSL, this is an easy configuration both in Apache and Nginx. Or you can add redirects to your application to handle the scenario when it's accessed over plain HTTP and redirect your user with something like a Location header to HTTPS.
Security-wise, it doesn't really matter whether it's the webserver or the application that makes the redirect, from the client's perspective it's the same (mostly indistinguishable, actually). Choose the option that you like best. There may be for example maintainability reasons to choose one or the other. (Do you want to maintain redirection in your application code, or have your server operations add the redirect headers, etc.)
Note, though, that either way your application may still be vulnerable to an attack called SSL Stripping, and to prevent that you should always send an HSTS response header.
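The application-side variant of the redirect the answer describes, together with the HSTS header it recommends, as an added example that is not code from the answer: it is written as a handler for Node's built-in http/https servers rather than for Laravel, and the treatment of X-Forwarded-Proto behind a TLS-terminating proxy is my assumption about the deployment.

```javascript
// Added example (not from the original answer): enforce HTTPS in the
// application and emit HSTS on secure responses.
const HSTS_VALUE = 'max-age=31536000; includeSubDomains'; // one year; add 'preload' only once submitted to the list

// Decide whether the request arrived over TLS. Behind a reverse proxy that
// terminates TLS the socket is plain, so X-Forwarded-Proto is trusted only
// when the caller says the proxy is ours; otherwise any client can forge it.
function requestIsSecure(req, trustProxyHeader) {
  if (req.socket && req.socket.encrypted) return true;
  if (!trustProxyHeader) return false;
  const xfp = String(req.headers['x-forwarded-proto'] || '').split(',')[0].trim().toLowerCase();
  return xfp === 'https';
}

// Returns 'redirect' or 'reject' when a response has already been sent,
// or 'pass' when the request is secure and the handler may continue.
function enforceHttps(req, res, { canonicalHost, trustProxyHeader = false } = {}) {
  if (!requestIsSecure(req, trustProxyHeader)) {
    // Only idempotent requests are redirected: a POST over plain HTTP has
    // already leaked its body, and 301 would silently turn it into a GET.
    if (req.method !== 'GET' && req.method !== 'HEAD') {
      res.writeHead(403, { 'Content-Type': 'text/plain' });
      res.end('HTTPS required');
      return 'reject';
    }
    // Prefer a configured canonical host over the client-supplied Host header.
    const host = canonicalHost || String(req.headers.host || '').replace(/:\d+$/, '');
    res.writeHead(301, { Location: 'https://' + host + req.url });
    res.end();
    return 'redirect';
  }
  // Browsers ignore HSTS received over plain HTTP, so it is only set here.
  res.setHeader('Strict-Transport-Security', HSTS_VALUE);
  return 'pass';
}

module.exports = { HSTS_VALUE, requestIsSecure, enforceHttps };
```

Call `enforceHttps(req, res)` first in every request handler of both the plain-HTTP listener and the HTTPS listener; the first only ever redirects, the second only ever adds the header. HSTS protects a user only after one clean HTTPS visit, which is the remaining window for SSL stripping and the reason the preload list exists.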
We want to create 'whitelabel' sites by having multiple hostnames pointing to the same IP (and website in IIS) and dynamically switching the site's database according to the hostname the user came in on.
eg. https://co1.mysite.com, co2.mysite.com and co3.mysite.com will all point to the same site, but in the site's code, we may change database connection strings and logos etc depending on what hostname they came in on.
In this particular context (with all sites going to the same IP) am I right in presuming that SNI doesn't come into play and, as long as a wildcard certificate is used (*.mysite.com), all browsers will be able to access the site OK? Even those with no SNI support (e.g. Internet Explorer on Windows XP)?
Yes, you are correct. The server will send the same cert for every request (even from SNI-capable clients). Of course you can't host any other hostnames there outside the scope of your wildcard cert, if all of them need to be accessible from non-SNI clients.
I have a single site in IIS with a blank host header and 50+ unique domains that all point to this one site. Is there a catch-all or wildcard SSL available that I can install on the site so it will work with each domain? I know wildcard certs exist but I think they're limited to a single TLD.
I was hoping to install multiple certs on a single site since each domain already has a cert purchased but that isn't going to happen.
I had a look at IIS 7 SSL for multiple sites with a single IP which points to http://www.sslshopper.com/article-ssl-host-headers-in-iis-7.html which says I need a unified communications certificate http://www.sslshopper.com/unified-communications-uc-ssl-certificates.html
Any ideas? Will the unified cert work?
IIS 7.5
Wildcard SSL certs are for a single domain. For your situation you'd have to have a certificate that worked for every domain, which, err, wouldn't be that safe; you could, for example, spoof hotmail.com.
However there is an attribute in X.509 called Subject Alternative Name (SAN). That allows for a fixed list of domains for which the certificate may be used, but the list is fixed at issuance time. Your link says it uses that method, but I'm confused why they say they're primarily for UC server; they work fine as plain old HTTPS certificates. I'm using one right now on a development box.
In case you think they're specialised, Verisign do them too, as does Entrust.
In principle, each server (meaning whatever program on the server side answers to the client's request) can send only one certificate. It also will send a chain of certificates up to the root certificate.
With plain SSL/TLS, the handshake is done before the client has a chance to indicate for which domain it wants a page (this is done in the HTTP header), thus you have no chance here to offer the right certificate.
A common solution is that the server has several IP-addresses (one for each domain, or at least one for each SSL-certificate), and thus can recognize by the IP address, which certificate should be used. (I don't know how IIS handles this, though.)
Assigning new IP addresses gets more problematic with the increasing scarcity of IPv4 addresses; for this and other reasons RFC 6066 (and its predecessors) defines the server name TLS extension (extension ID 0), which allows the client to include the wanted server name in the ClientHello message (which starts the handshake), allowing the server to select the right certificate.
No serious certification agency will give you a wildcard certificate for *.com or similar, since with such a certificate you can pretend to be almost anyone. A certificate can list multiple domain names, but I have no idea if there is an upper limit in the number of those (both for IIS and the usual clients).
My question is related to the hypertext protocol.
What are the requirements from my side to be able to use HTTPS instead of HTTP in the areas where a user will enter confidential information or when there is a registration process?
Thank you.
You need a certificate (you can buy one, which are usually identified by browsers, or create a self-signed certificate, which will trigger a warning on browsers) and a server able to run HTTPS. HTTPS capable servers allow you to define which pages are served via HTTP and which via HTTPS.
HTTPS IS NOT authentication, by the way; it only encrypts communications to prevent eavesdroppers reading what's being sent between the server and client.
You can use any authentication method over HTTPS, but you need to provide it (be it HTTP Auth or something in your application.)
There isn't much more to say given your ambiguous question.
Primarily, you need to configure your webserver to use https; this in turn requires that you have a server certificate. You can either create your own server certificate, or you can buy one from one of the Certificate Authorities. The latter will cause browsers to trust that your site is genuine (whereas in the case of one that you created yourself, a man-in-the-middle or phishing attack might happen from the viewpoint of the browser).
How to configure your server precisely should be discussed on serverfault.