About Archive Tags RSS Feed

 

Some things get moved, some things get doubled in size.

11 April 2015 21:50

Relocation

We're about three months away from relocating from Edinburgh to Newcastle and some of the immediate panic has worn off.

We've sold our sofa, our spare sofa, etc, etc. We've bought a used dining-table, chairs, and a small sofa, etc. We need to populate the second-bedroom as an actual bedroom, do some painting, & etc, but things are slowly getting done.

I've registered myself as a landlord with the city council, so that I can rent the flat out without getting into trouble, and I'm in the process of discussing the income possibilities with a couple of agencies.

We're still unsure of precisely which hospital, from the many choices, in Newcastle my wife will be stationed at. That's frustrating because she could be in the city proper, or outside it. So we need to know before we can find a place to rent there.

Anyway moving? It'll be annoying, but we're making progress. Plus, how hard can it be?

VLAN Expansion

I previously had a /28 assigned for my own use, now I've doubled that to a /27 which gives me the ability to create more virtual machines and run some SSL on some websites.

Using SNI I've actually got the ability to run SSL almost all sites. So I configured myself as a CA and generated a bunch of certificates for myself. (Annoyingly few tutorials on running a CA mentioned SNI so it took a few attempts to get the SAN working. But once I got the hang of it it was simple enough.)

So if you have my certificate authority file installed you can browse many, many of my interesting websites over SSL.

SSL

I run a number of servers behind a reverse-proxy. At the moment the back-end is lighttpd. Now that I have SSL setup the incoming requests hit the proxy, get routed to lighttpd and all is well. Mostly.

However redirections break. A request for:

  • https://lumail.org/docs

Gets rewritten to:

  • http://lumail.org/docs/

That is because lighttpd generates the redirection and it only sees the HTTP connection. It seems there is mod_extforward which should allow the server to be aware of the SSL - but it doesn't do so in a useful fashion.

So right now most of my sites are SSL-enabled, but sometimes they'll flip to naked and unprotected. Annoying.

I don't yet have a solution..

Tags: ca, edinburgh, moving, newcastle, relocation, ssl | 5 comments

 

Comments on this entry

icon Steve Kemp at 15:23 on 11 April 2015
http://steve.org.uk/.

It looks like this is fixed with a newer lighttpd.

Compiling lighttpd 1.4.35 it works with no special changes - as curl shows me:

$ curl https://lumail.org/docs
..
..
Location: https://lumail.org/docs/
..

So for the moment I'll ignore the problem, and upgrade that host to Jessie very soon :)

icon Steve Kemp at 15:09 on 11 April 2015
http://steve.org.uk/

At the moment the proxy does the SSL termination, which is kinda the reason why I'm in this situation at the moment. So the lighttpd instance is only listening on one-port.

If I did allow lighttped to listen on two ports, then that might provide a way out, but it feels like it shouldn't be required.

The page you link to does seem to have the right solution, the first one:

$HTTP["scheme"] == "https" {
    # capture vhost name with regex conditiona -> %0 in redirect pattern
    # must be the most inner block to the redirect rule
    $HTTP["host"] =~ ".*" {
        url.redirect = (".*" => "https://%0$0")
    }
}

That should work - but because lighttpd believes the connection is "http" not "https" it never matches. Even with the X-Forwarded-Proto header in-play.

The alternative solution of rewriting based on location just can't scale. I can't control whether people hit "example.com/docs" vs. "example.com/docs/".

What I really want is to update the proto, based on X-Forwarded-Proto, but that doesn't seem to work as I expect. I see that the code in lighttpd has changed, so I might have to try backporting from jessie to wheezy and seeing if that fixes the problem.

icon anon at 14:59 on 11 April 2015

Did you try using a different port for https behind your proxy?

Would this then be possible (adapted from http://redmine.lighttpd.net/projects/lighttpd/wiki/HowToRedirectHttpToHttps?)

$HTTP["port"] == sslport { $HTTP["host"] == "sth.example.com" { url.redirect = ("^/phpmyadmin/.*" => https://sth.example.com$0") } }

icon Steve Kemp at 14:07 on 11 April 2015
http://steve.org.uk/

Yes, I set:

X-Forwarded-Proto "https"

But lighttpd seems to ignore that. At the moment I'm being liberal and using:

extforward.headers = ("X-Forwarded-For")
extforward.forwarder = ("all" => "trust")
icon Peter at 14:00 on 11 April 2015

Does your proxy support the X-Forwarded-Proto header?

 

Created by ephemeris.

© Steve Kemp