Comments (22)
It looks like you may have a stray colon at the end of your WILDCARD_HOST?
from sandstorm.
It looks like you may have a stray colon at the end of your WILDCARD_HOST?
sorry was old image. it was updated. you mean : i have removed it from correct one is above
from sandstorm.
Okay, and I guess it's worth noting that you need to restart Sandstorm after changing that. I'm assuming you have something else handling SSL termination, since your Sandstorm is using HTTP on port 6080, but I see from above you can access it at an https:// URL.
However, the next thing I'm noticing is that I do not believe your DNS record is correct.
If I try to lookup sstorm.dapm.com, I get an IP address. However, if I try to reach foo.dapm.com, I do not get any IP address from DNS. That suggests you don't have a wildcard entry on your DNS provider.
from sandstorm.
is it mandatory to do this setup?
already *wildcard is added in gandi.net
Don;t know what is missing?
from sandstorm.
You shouldn't need to do that, that's only if you're using Sandstorm's SSL provider, and want Sandstorm to handle Let's Encrypt. It looks like you're using something else.
But if your wildcard was in your Gandi DNS, you should get your IP address back if you try to ping foo.dapm.com or bar.dapm.com or anything.dapm.com.
from sandstorm.
You shouldn't need to do that, that's only if you're using Sandstorm's SSL provider, and want Sandstorm to handle Let's Encrypt. It looks like you're using something else.
But if your wildcard was in your Gandi DNS, you should get your IP address back if you try to ping foo.dapm.com or bar.dapm.com or anything.dapm.com.
Ok understood. let me have a look at DNS Setup and update you. may i know How it should be added as record? at DNS
from sandstorm.
I haven't used Gandi's control panel personally, but usually a wildcard entry should be an A record where the subdomain is *
and points at the same IP address as your sstorm
A record. Basically do the same thing you did for sstorm but for * instead.
https://docs.gandi.net/en/domain_names/faq/record_types/a_record.html
from sandstorm.
I am using butter reverse proxy. is it linked to that?
any thing missing?
from sandstorm.
I'm not familiar with it, but the wildcard DNS record is definitely not working. Regardless of your proxy or Sandstorm setup, if your DNS is set correctly, a DNS lookup for anyrandomsubdomain.dapm.com should return your the IP address of your server, and currently it does not return anything.
from sandstorm.
I'm not familiar with it, but the wildcard DNS record is definitely not working. Regardless of your proxy or Sandstorm setup, if your DNS is set correctly, a DNS lookup for anyrandomsubdomain.dapm.com should return your the IP address of your server, and currently it does not return anything.
I'm not familiar with it, but the wildcard DNS record is definitely not working. Regardless of your proxy or Sandstorm setup, if your DNS is set correctly, a DNS lookup for anyrandomsubdomain.dapm.com should return your the IP address of your server, and currently it does not return anything.
If i want to use a custom domain, i require a domain name with the following DNS records:
Created A Record in Gandi.net:
An A record pointing to your domain (example.com. A your_server_ip).
CNAME:
A wildcard CNAME record redirecting to your Sandstorm IP (*.example.com CNAME example.com.)
Above I haven't created CNAME this could be reason?
from sandstorm.
It could be either an A record or a CNAME, but there has to be one that is * and pointed at your server. Can you maybe screenshot both your sstorm record and your * record in your DNS?
from sandstorm.
It could be either an A record or a CNAME, but there has to be one that is * and pointed at your server. Can you maybe screenshot both your sstorm record and your * record in your DNS?
from sandstorm.
So can you add one for:
* A 300 212.203.99.188
from sandstorm.
It could be either an A record or a CNAME, but there has to be one that is * and pointed at your server. Can you maybe screenshot both your sstorm record and your * record in your DNS?
no impacts to Adding like below DNS?
-
A 300 212.203.99.188
it won;t impact my current other Wild Card Subdomains right?
from sandstorm.
Unless you have a * record already, it should be fine. * does not impact existing records and only is used when a specific record is not found.
However, you should also be able to do something like sstorm-* to ensure all Sandstorm subdomains start with sstorm-. But you'd also need to set that in the WILDCARD_HOST in your sandstorm.conf file as well.
from sandstorm.
Unless you have a * record already, it should be fine. * does not impact existing records and only is used when a specific record is not found.
However, you should also be able to do something like sstorm-* to ensure all Sandstorm subdomains start with sstorm-. But you'd also need to set that in the WILDCARD_HOST in your sandstorm.conf file as well.
Still i am getting this same error. when i use Chrome in Mobile getting another error
When i use chrome or Mozilla, Edge getting this error
from sandstorm.
ocdtrekkie any input?
from sandstorm.
The DNS stuff all looks correct now to me. I think there's a good chance the proxy setup isn't forwarding the wildcard content through, but as I said on the other issue, I don't know enough about proxy configs to tell you how to fix it.
from sandstorm.
I have shared my current configuration. Now you will able to guide me easily.
from sandstorm.
The DNS stuff all looks correct now to me. I think there's a good chance the proxy setup isn't forwarding the wildcard content through, but as I said on the other issue, I don't know enough about proxy configs to tell you how to fix it.
Here this my current proxy ssl.conf
When we also provide SSL we have to listen to the
the HTTPS port in addition.
Listen 443 https
SSL Global Context
All SSL configuration in this context applies both to
the main server and all SSL-enabled virtual hosts.
Pass Phrase Dialog:
Configure the pass phrase gathering process.
The filtering dialog program (`builtin' is a internal
terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
Inter-Process Session Cache:
Configure the SSL Session Cache: First the mechanism
to use and second the expiring timeout (in seconds).
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
Pseudo Random Number Generator (PRNG):
Configure one or more sources to seed the PRNG of the
SSL library. The seed data should be of good random quality.
WARNING! On some platforms /dev/random blocks if not enough entropy
is available. This means you then cannot use the /dev/random device
because it would lead to very long connection times (as long as
it requires to make more entropy available). But usually those
platforms additionally provide a /dev/urandom device which doesn't
block. So, if available, use this one instead. Read the mod_ssl User
Manual for more details.
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512
Use "SSLCryptoDevice" to enable any supported hardware
accelerators. Use "openssl engine -v" to list supported
engine names. NOTE: If you enable an accelerator and the
server does not start, consult the error logs and ensure
your accelerator is functioning properly.
SSLCryptoDevice builtin
#SSLCryptoDevice ubsec
SSL Virtual Host Context
General setup for the virtual host, inherited from global configuration
#DocumentRoot "/var/www/html"
#ServerName www.example.com:443
Use separate log files for the SSL virtual host; note that LogLevel
is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSL Engine Switch:
Enable/Disable SSL for this virtual host.
SSLEngine on
SSL Protocol support:
List the enable protocol levels with which clients will be able to
connect. Disable SSLv2 access by default:
SSLProtocol all -SSLv2 -SSLv3
SSL Cipher Suite:
List the ciphers that the client is permitted to negotiate.
See the mod_ssl documentation for a complete list.
SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA
Speed-optimized SSL Cipher configuration:
If speed is your main concern (on busy HTTPS servers e.g.),
you might want to force clients to specific, performance
optimized ciphers. In this case, prepend those ciphers
to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
Caveat: by giving precedence to RC4-SHA and AES128-SHA
(as in the example below), most connections will no longer
have perfect forward secrecy - if the server's key is
compromised, captures of past or future traffic must be
considered compromised, too.
#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
#SSLHonorCipherOrder on
Server Certificate:
Point SSLCertificateFile at a PEM encoded certificate. If
the certificate is encrypted, then you will be prompted for a
pass phrase. Note that a kill -HUP will prompt again. A new
certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
Server Private Key:
If the key is not combined with the certificate, use this
directive to point at the key file. Keep in mind that if
you've both a RSA and a DSA private key you can configure
both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
Server Certificate Chain:
Point SSLCertificateChainFile at a file containing the
concatenation of PEM encoded CA certificates which form the
certificate chain for the server certificate. Alternatively
the referenced file can be the same as SSLCertificateFile
when the CA certificates are directly appended to the server
certificate for convinience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
Certificate Authority (CA):
Set the CA certificate verification path where to find CA
certificates for client authentication or alternatively one
huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
Client Authentication (Type):
Client certificate verification type and depth. Types are
none, optional, require and optional_no_ca. Depth is a
number which specifies how deeply to verify the certificate
issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10
Access Control:
With SSLRequire you can do per-directory access control based
on arbitrary complex boolean expressions containing server
variable checks and other lookup directives. The syntax is a
mixture between C and Perl. See the mod_ssl documentation
for more details.
#
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
or %{REMOTE_ADDR} =~ m/^192.76.162.[0-9]+$/
#
SSL Engine Options:
Set various options for the SSL engine.
o FakeBasicAuth:
Translate the client X.509 into a Basic Authorisation. This means that
the standard Auth/DBMAuth methods can be used for access control. The
user name is the `one line' version of the client's X.509 certificate.
Note that no password is obtained from the user. Every entry in the user
file needs this password: `xxj31ZMTZzkVA'.
o ExportCertData:
This exports two additional environment variables: SSL_CLIENT_CERT and
SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
server (always existing) and the client (only existing when client
authentication is used). This can be used to import the certificates
into CGI scripts.
o StdEnvVars:
This exports the standard SSL/TLS related `SSL_*' environment variables.
Per default this exportation is switched off for performance reasons,
because the extraction step is an expensive operation and is usually
useless for serving static content. So one usually enables the
exportation for CGI and SSI requests only.
o StrictRequire:
This denies access when "SSLRequireSSL" or "SSLRequire" applied even
under a "Satisfy any" situation, i.e. when it applies access is denied
and no other module can change it.
o OptRenegotiate:
This enables optimized SSL connection renegotiation handling when SSL
directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<Files ~ ".(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
SSL Protocol Adjustments:
The safe and default but still SSL/TLS standard compliant shutdown
approach is that mod_ssl sends the close notify alert but doesn't wait for
the close notify alert from client. When you need a different shutdown
approach you can use one of the following variables:
o ssl-unclean-shutdown:
This forces an unclean shutdown when the connection is closed, i.e. no
SSL close notify alert is send or allowed to received. This violates
the SSL/TLS standard but is needed for some brain-dead browsers. Use
this when you receive I/O errors because of the standard approach where
mod_ssl sends the close notify alert.
o ssl-accurate-shutdown:
This forces an accurate shutdown when the connection is closed, i.e. a
SSL close notify alert is send and mod_ssl waits for the close notify
alert of the client. This is 100% SSL/TLS standard compliant, but in
practice often causes hanging connections with brain-dead browsers. Use
this only for browsers where you know that their SSL implementation
works correctly.
Notice: Most problems of broken clients are also related to the HTTP
keep-alive facility, so you usually additionally want to disable
keep-alive for those clients, too. Use variable "nokeepalive" for this.
Similarly, one has to force some clients to use HTTP/1.0 to workaround
their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
"force-response-1.0" for this.
BrowserMatch "MSIE [2-5]"
nokeepalive ssl-unclean-shutdown
downgrade-1.0 force-response-1.0
Per-Server Logging:
The home of a custom SSL log file. Use this when you want a
compact non-error SSL logfile on a virtual host basis.
CustomLog logs/ssl_request_log
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b"
But i don;t under stand how can we import this setting of sample-config/apache-virtualhost.conf as below
https://github.com/sandstorm-io/sandstorm/blob/master/docs/administering/sample-config/apache-virtualhost.conf
Can you high light where are the things to be replaced from existing with sample file?
from sandstorm.
if i import this sample file
Getting this error below
AH00526: Syntax error on line 231 of /etc/httpd/conf.d/ssl.conf:
SSLCertificateFile: file '/path/to/signed_cert_and_intermediate_certs_and_dhparams' does not exist or is empty
from sandstorm.
If you are using your own reverse proxy, you'll need to provide your own wildcard certificates, which is unfortunately well outside of the guidance I can provide. The error is because you'd need to change that line to point at your own certificates that cover the domain in question.
from sandstorm.
Related Issues (20)
- Automatic Grain Backups HOT 1
- Etherpad grains not working after upgrade to 0.304 HOT 7
- Email delivery failure messages no such grain with email not configured HOT 12
- Scheduled Tasks view in Grain Settings appears broken HOT 3
- Installer and docs disagree on which port the incoming mail SMTP service lives on HOT 5
- Can't turn off app updates in App Sources panel HOT 3
- Building Sandstorm in a Debian Bullseye VM fails due to old golang-go version HOT 4
- "App market" shortcut leads to invalid URL HOT 2
- 404 on token setup page HOT 2
- Anything important worth saving at Google Groups? HOT 4
- Perfect Configuration in Nginx for Sandstorm *.Wildcard Setup HOT 3
- docker compose unshare(CLONE_NEWPID) HOT 4
- Lengthy Powerbox requests cannot be read in full
- Failed to renew Let's Encrypt certificate HOT 12
- sandstorm.conf for non-standard TLD? HOT 6
- I used HTTPS-verified install, But open site ,it is blank? HOT 3
- Upgrade Meteor Testapp to Meteor 3.0 (Beta) HOT 7
- Preventing access to client local network? HOT 8
- Sandstorm Grains do not open anymore when logged in, websites CloudFlare error 520 HOT 25
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from sandstorm.