squid /etc/hosts - dns

I have a LAN X.X.X.X/24 and a gateway on which we were told to run Squid.
In the same LAN we have the commercial department and software developers.
We have a production version of our website on public IP Y.Y.Y.Y
and a development version on a different private LAN Z.Z.Z.Z/24
Developers in X.X.X.X/24 need to do HTTP requests to the two different versions of our website.
They used to do it changing /etc/hosts accordingly.
Now we have transparent squid in the middle that resolves DNS before HTTP-requesting, so all requests end up in the public, production version of our website.
I do not know how squid internals that allow transparent proxying work, but is there a workaround that allows only developers' machines to control locally on their machines where their requests will go?
Something like "do not DNS-query for these, say X.X.X.X/29, machines"?
Thanks

Squid as a transparent proxy does not see the IP address of the target server - it only sees the host name and then uses DNS for address resolution itself.
But there must be a "transparent proxy" rule somewhere on your router / Internet gateway for the transparent proxy to work. You need to change it to: "Do not use transparent proxy if target IP is Z.Z.Z.Z/24" - so your development servers will be accessed directly without proxy. This way you can still use your /etc/hosts trick.

Related

Hosting a web site in IIS accessible from any web client?

Trying to host a web site on my local Win 10 Pro machine within IIS, provided I share the IP to my friends. My host file contains something like:
127.0.0.1 site1.com
127.0.0.2 site2.com
127.0.0.3 site3.com
127.0.0.1:1 site4.com
127.0.0.1:2 site4.com
123.45.5.6 site5.com
123.45.5.6:33 site5.com
They all work as expected except for the imaginary external IP (only for example), and adding the port or not makes no difference. Seems I've tried what makes sense, say my external is '1.2'. Creating a host entry like
1.2 # or
1.2:Port # the external IP with port
Also attempted adding an exclusion for the firewall to help ensure the traffic is allowed by doing:
netsh advfirewall firewall add rule name="Open Port" dir=in action=allow protocol=TCP localport=81
Kind of lost what might be missing, any suggestions?
Thanks for the help.
First. There is no need to add port after IP address in hosts file. Port can be configured on IIS by setting binding.
Second. If you want to allow any web client to access the site hosted on the local WIN10 pro, you need to make sure WIN10 pro and the web client are in the same LAN. Otherwise you need to buy a public domain and bind it to the WIN10 pro device.
Using the Ping command is a great way to test traffic between devices. It can help you check whether the web client can create a connection with WIN10 pro.

Deployed small footprint Tanzu Application Service (TAS) in Azure, without any domains. Can I access the ccapi and apps manager with the IP?

Could deploy Bosh and small footprint Tanzu Application Service (TAS) in Azure, without using the domains. All VMs are running. Can I access the ccapi and apps manager with the IP address instead of the api.SYSTEMDOMAIN?
The short answer is no. You really, really want to have DNS set up properly.
Here's the long answer that is more nuanced.
All requests to your foundation go through the Gorouter. Gorouter will take the incoming request, look at the Host header and use that to determine where to send the request. This happens the same for system services like CAPI and UAA as it does for apps you deploy to the foundation.
DNS is a requirement because of the Host header. A browser trying to access CAPI or an application on your foundation is going to set the Host header based on the DNS entry you type into your browser's address bar. The cf CLI is going to do the same thing.
There are some ways to work around this:
If you are strictly using a client like curl where you can set the Host header to arbitrary values. In that way, you could set the host header to api.system_domain and at the same time connect to the IP address of your foundation. That's not a very elegant way to use CF though.
You can manually set entries in your /etc/hosts (or similar on Windows). This is basically a way to override DNS resolution and supply your own custom IP.
You would need to do this for uaa.system_domain, login.system_domain, api.system_domain and any host names you want to use for apps deployed to your foundation, like my-super-cool-app.apps_domain. These should all point to the IP of the load balancer that's in front of your pool of Gorouters.
If you add enough entries into /etc/hosts you can make the cf CLI work. I have done this on occasion to bypass the load balancer layer for troubleshooting purposes.
Where this won't work is on systems where you can't edit /etc/hosts, like customers or external users of software running on your foundation or if you're trying to deploy apps on your foundation that talk to each other using routes on CF (because you can't edit /etc/hosts in the container). Like if you have app-a.apps_domain and app-b.apps_domain and app-a needs to talk to app-b. That won't work because you have no DNS resolution for apps_domain.
You can probably make app-to-app communication work if you are able to use container-to-container networking and the apps.internal domain though. The resolution for that domain is provided by Bosh DNS. You have to be aware of this difference though when deploying your apps and map routes on the apps.internal domain, as well as setting network policy to allow traffic to flow between the two.
Anyway, there might be other hiccups. This is just off the top of my head. You can see it's a lot better if you can set up DNS.
The easiest way to achieve a portable solution is a service like xip.io that will work out of the box. I have set up and run a lot of PoCs that way, when wildcard DNS was something that enterprise IT was still oblivious about.
It works like this (excerpt from their site):
What is xip.io?
xip.io is a magic domain name that provides wildcard DNS
for any IP address. Say your LAN IP address is 10.0.0.1.
Using xip.io,
10.0.0.1.xip.io resolves to 10.0.0.1
www.10.0.0.1.xip.io resolves to 10.0.0.1
mysite.10.0.0.1.xip.io resolves to 10.0.0.1
foo.bar.10.0.0.1.xip.io resolves to 10.0.0.1
...and so on. You can use these domains to access virtual
hosts on your development web server from devices on your
local network, like iPads, iPhones, and other computers.
No configuration required!

Can I access to website using IP address

I recently got to know about DNS (Domain Name System Or Domain Name Server) and how it works. I want to know - can I access to a website by using its IP address and how?
- Thank you
TL;DR: It depends how the server is configured but probably not and I would not rely on it.
This is because the website you are trying to access is likely behind a reverse proxy or load balancer. The load balancer acts like a railroad switch depending on the hostname you use to connect to it.
For simplicity, imagine that google.com and mail.google.com are on the same server with the same IP: 192.168.1.1.
If you were to try to connect directly to http://192.168.1.1/, how would the web server know which service you wanted? It wouldn't. In fact there are companies whose business is based solely around load balancing other companies' servers.
When you connect to a host with your browser, for example: https://www.google.com, your browser sends a special HOST=www.google.com header behind the scenes. The load balancer processes this header and routes the request to the correct server (which may be on a completely different server, network, etc).
Digital Ocean has a great tutorial on how to configure a basic virtual host for nginx. This demonstrates the basics of what a multi-host configuration might look like.
If you don't want to mess with DNS servers, you could set up a local lab environment on your desktop simply by modifying your hosts file. You can google where your operating systems hosts file is located.
If you have access to cURL, you can test the results like so:
# if you've configured a virtual host for mysite01.local on port 80
curl --verbose --header 'Host: mysite01.local' 'http://127.0.0.1'
# if you've configured a virtual host for mysite02.local on port 80
curl --verbose --header 'Host: mysite02.local' 'http://127.0.0.1'
# depending on your configuration this may return a 404 or point to one of your previous sites
curl --verbose 'http://127.0.0.1'
Yes, you can access any domain using IP address. Domain is just a name of website, IP address is the address of the page/website.
You can always ping website using command prompt:
ping www.google.com
You get one ip address which in this case is 216.58.197.78. Now when you hit the ip address in browser you will be redirected to google.com.
You can think of DNS (Domain Name System) as a table which provides mapping between IP address(216.58.197.78) and domain name(www.google.com)

Only one hostname (like host.com) on a CouchDB installation access

I have a recent installation of CouchDB on my Debian VPS. All works fine, but it can be accessed via IP and via all of the domains on my server, and I want only one domain for this, for example host.com:5984/_utils/index.html, but not accessible at anotherhost.com:5984/_utils/index.html nor via IP. How can I do this?
Thanks!
The patch that adds such a feature for 2.0 will land very soon.
As for now, you'll have to set up a frontend proxy like nginx which will accept only requests with the Host header you allow. Certainly, in such a case you'll need to serve CouchDB on the localhost address so that it is not freely accessible from the world.
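
The Host-header check such a front-end proxy performs, which is also the routing step described in the Gorouter and load-balancer answers above, as an added Python example (not CouchDB, nginx or Gorouter code, and not from any of the posters). `ALLOWED_HOSTS`, `normalize_host`, `is_ip_literal` and `route` are names assumed for this illustration; the backend address follows the answer's advice to bind CouchDB to localhost.

```python
import ipaddress

# Assumed allowlist: the single name from the question, mapped to the
# loopback-only CouchDB listener the answer recommends.
ALLOWED_HOSTS = {"host.com": ("127.0.0.1", 5984)}


def normalize_host(header):
    """Return the lowercase hostname from a Host header value, or None if malformed."""
    value = header.strip().lower()
    if not value or any(c in value for c in " \t/@\\"):
        return None
    if value.startswith("["):            # IPv6 literal such as [::1]:5984
        end = value.find("]")
        if end == -1:
            return None
        host, rest = value[1:end], value[end + 1:]
    else:
        host, sep, port = value.partition(":")
        rest = sep + port
    if rest and not (rest[0] == ":" and rest[1:].isdigit()):
        return None                      # anything after the host must be :port
    return host.rstrip(".") or None      # "host.com." is the same name


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def route(raw_request: bytes):
    """Return ("proxy", backend) for an allowed Host, else ("reject", reason)."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    hosts = [line.split(":", 1)[1] for line in head.split("\r\n")[1:]
             if line.lower().startswith("host:")]
    if len(hosts) != 1:                  # missing or duplicated Host header
        return ("reject", "bad-host-count")
    host = normalize_host(hosts[0])
    if host is None:
        return ("reject", "malformed-host")
    if is_ip_literal(host):              # access by bare IP is refused
        return ("reject", "ip-literal")
    backend = ALLOWED_HOSTS.get(host)
    return ("proxy", backend) if backend else ("reject", "unknown-host")
```

Rejecting by default and allowing only listed names means a request that reaches the listener by IP address, or through another domain pointing at the same server, never gets forwarded to the backend.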

How to set domain name for server inside an OpenVPN-based VPN?

I am currently using a very simple OpenVPN setup where I connect from different devices to an OpenVPN server and then access a website that is being hosted by an Apache Server running on the same system. To reach that server, I have to use its IPv4 address inside the VPN (e.g. 10.1.0.1).
I would like to use a 'real' name like myserver.local. Is there a way to do this without setting up a DNS server? Can the OpenVPN-Client maybe just add an entry to the local hosts-file?
Not without setting up a DNS server, but getting one to work is very easy and can be restricted behind the VPN.
I am using dnsmasq on Ubuntu 14.04 for exactly this purpose. Just install it and add all your hosts to the /etc/hosts-File in the following way:
# Clients on the VPN
10.8.0.1 vpn.lan vpn.lan
10.8.0.8 service1.lan service1
10.8.0.6 service2.lan service2
You can restrict dnsmasq so that it only listens on the tun0 interface of OpenVPN by adding interface=tun0 to /etc/dnsmasq.conf. You can push the DNS server to your clients by adding push "dhcp-option DNS 10.8.0.1" to your /etc/openvpn/server.conf.
The downside of this solution is that you have to add every server to /etc/hosts, but for a couple of servers I think it's ok.
