Domain names


Domain names

Patrick Larkin-2

Hello -

Hoping Lasso can solve this problem.

We have two domain names:

The REAL one which has an SSL certificate: www.beth.k12.pa.us
The EASY one which does not have an SSL certificate: www.bethsd.org

I don't really acknowledge the second one.  :)  However, people use it and it gives an SSL name mismatch, of course.

So is there a way I can capture people going to the second domain and force the browser to switch or at that point is it too late because the SSL certificate would already have complained?




Patrick Larkin
Developer/Administrator of Special Systems / Webmaster
Bethlehem Area School District




#############################################################
This message is sent to you because you are subscribed to
  the mailing list Lasso
[hidden email]
To unsubscribe, E-mail to: <[hidden email]>
Send administrative queries to  <[hidden email]>

RE: Domain names

Rick Draper-2
Hi Patrick,

This would be more easily addressed in Apache... maybe something like


<VirtualHost 192.168.1.1:80>
    ServerName www.beth.k12.pa.us
    ServerAlias www.bethsd.org

    Redirect permanent / https://www.beth.k12.pa.us/
</VirtualHost>

<VirtualHost 192.168.1.1:443>
    ServerName www.beth.k12.pa.us
    ServerAlias www.bethsd.org

    ## more config stuff

    SSLEngine on

    ## your cert stuff
    SSLCertificateFile      /etc/pki/tls/certs/www_beth_k12_pa_us.crt
    SSLCertificateKeyFile   /etc/pki/tls/private/www_beth_k12_pa_us.key
    SSLCertificateChainFile /etc/pki/tls/certs/theca.crt
</VirtualHost>


Very best regards,

Rick

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Patrick Larkin
Sent: Friday, 4 January 2013 5:52 AM
To: Lasso Talk
Subject: Domain names



Re: Domain names

Trevor Borgmeier
In reply to this post by Patrick Larkin-2
This isn't an SSL solution, but this is what we do in the port 80 vhost
config...

<VirtualHost *>
     DocumentRoot "/Volumes/data/www/sites/www.beth.k12.pa.us"
     ServerName www.beth.k12.pa.us
     ServerAlias www.bethsd.org

     <IfModule mod_rewrite.c>
         # Redirect all traffic to one location
         RewriteEngine On
         RewriteCond %{HTTP_HOST} !=www.beth.k12.pa.us
         RewriteRule (.*) http://www.beth.k12.pa.us$1 [R=301,L,QSA]
     </IfModule>
</VirtualHost>

People won't typically type in the https:// when they go to a site
anyway, so as long as links aren't hard-coded incorrectly anywhere this
should effectively take all non-SSL traffic and redirect it to the
preferred name.  I typically make the preferred name the ServerName
value. You can even change the RewriteRule to use it as such:

RewriteRule (.*) http://%{SERVER_NAME}$1 [R=301,L,QSA]

In terms of SSL, the links must be hard-coded somewhere or people are
typing them in directly to get the problem you describe.  I'm sure
they, too, could be trapped and redirected via Apache, but I've never
tried that.  You could certainly force the redirect by checking the
server_port and host_name via Lasso; if they aren't as expected,
force a redirect.

Here is some code I've had forever for host_name, which falls back to
the server_name if an error occurs...

<?lassoscript

    define_tag('host_name');
        protect;
            handle_error;
                return(server_name);
            /handle_error;
            return(string_findregexp(client_headers, -find='(?:\\s|^)host:\\s+([^\\s]+)', -ignorecase)->get(2));
        /protect;
    /define_tag;

?>

Then you could use this in lasso...

if(server_port == '443' && host_name != 'www.beth.k12.pa.us');
     redirect_url('');
/if;






on 1/3/13 1:52 PM Patrick Larkin wrote:

ɹǝıǝɯƃɹoq ɹoʌǝɹʇ


Re: Domain names

Patrick Larkin-2
Thanks.  I was going to move on to Apache if there wasn't some magical Lasso trick.  :)  

As far as my specific setup, there is a single shared IP by both domains.  So both hostnames resolve to the same IP.  That's all done at the DNS level.  

I did the Rewrite and it seems basically functional; however, Chrome still gives the nasty error:

You attempted to reach www.bethsd.org, but instead you actually reached a server identifying itself as www.beth.k12.pa.us. This may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of www.bethsd.org.

Safari gracefully redirects.  

The server is MacOS 10.7 Server and has a funky SSL setup.  It accepts requests on both ports 80 and 443 and always switches the user to 443.  This has led to other issues on top of the two-domain issue.  




Patrick Larkin
Developer/Administrator of Special Systems / Webmaster
Bethlehem Area School District




On Jan 3, 2013, at 3:26 PM, Trevor Borgmeier wrote:


Re: Domain names

Bil Corry-3
You won't be able to avoid the cert mismatch error except to use a valid SSL cert for that domain.

If the redirect is a 301 permanent redirect, perhaps Chrome won't attempt subsequent requests to the problem domain but instead will just use your preferred domain, avoiding the error.

- Bil

On Jan 3, 2013, at 9:52 PM, Patrick Larkin <[hidden email]> wrote:

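An added Python model (not code from the thread or from Lasso/Apache) of Bil's point and of why Rick's and Trevor's port-80 redirects only help plain http:// visits: an https:// visit to the alias fails certificate name matching inside the TLS handshake, before Apache reads a Host header or runs any Redirect/RewriteRule. The certificate's SAN list, the URLs and the Outcome type are constructed stand-ins.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed stand-in for the certificate served on the REAL host: browsers
# match the requested hostname against the Subject Alternative Names only.
CERT_SANS: Tuple[str, ...] = ("www.beth.k12.pa.us",)
CANONICAL_HOST = "www.beth.k12.pa.us"


def san_matches(hostname: str, sans: Tuple[str, ...] = CERT_SANS) -> bool:
    """RFC 6125-style name check: exact match, or a single-label wildcard
    ('*.example.org') that covers exactly one leftmost label."""
    host = hostname.lower().rstrip(".")
    for san in sans:
        san = san.lower()
        if san == host:
            return True
        if san.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == san[2:]:
                return True
    return False


@dataclass
class Outcome:
    stage: str                       # "tls" or "http": where the request was decided
    ok: bool                         # False means the browser shows an error page
    location: Optional[str] = None   # 301 target when the port-80 vhost redirects


def simulate(url: str) -> Outcome:
    """Model one browser fetch against the shared-IP vhost setup in the thread."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    target = parts.path or "/"
    if parts.query:                  # QSA on the RewriteRule keeps the query string
        target += "?" + parts.query
    if parts.scheme == "https":
        # Certificate validation happens inside the TLS handshake, before the
        # server reads a Host header and before any Redirect or RewriteRule runs.
        if not san_matches(host):
            return Outcome("tls", False)
        return Outcome("http", True)
    # Plain HTTP on the alias: the port-80 vhost answers with a 301 to the
    # canonical name, so the browser never presents the alias over TLS.
    if host != CANONICAL_HOST:
        return Outcome("http", True, "https://" + CANONICAL_HOST + target)
    return Outcome("http", True)
```

The only way to make the https:// alias case succeed is to change CERT_SANS, i.e. serve a certificate that also names www.bethsd.org, which is Bil's answer.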