From 84d55750dc40747ddcbb6902b3250d37ec9b6bba Mon Sep 17 00:00:00 2001 From: Brian Cunnie Date: Wed, 28 Feb 2018 20:17:51 -0800 Subject: [PATCH] sslip.io web page has new message - Like xip.io, except - allow dashes as well as dots - allow IPv6 - allow branding - allow wildcard TLS We deprecate the old message, which was about using SSL. --- document_root/index.html | 209 +++++++++++++++++++-------------------- document_root/index.md | 96 ++++++++++++++++++ 2 files changed, 198 insertions(+), 107 deletions(-) create mode 100644 document_root/index.md diff --git a/document_root/index.html b/document_root/index.html index 0ba9482..b8f028e 100644 --- a/document_root/index.html +++ b/document_root/index.html @@ -43,8 +43,10 @@ src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"> @@ -52,115 +54,108 @@ src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js">
-

sslip.io

-

-

Turn your red lock into a green lock!

- -
-
-
-
-

-
-
-
-
-
-

What is it?

-

sslip.io is a means for developers to test against - valid SSL certificates without the bother of purchasing - them. Two components make this possible:

-
    -
  1. a special DNS backend that maps crafted hostnames to - IP addresses (e.g. 192-168-0-1.sslip.io resolves - to 192.168.0.1) (similar to xip.io)
    2. -
  2. a wildcard SSL certificate for *.sslip.io and the corresponding - key, both downloadable from GitHub
    3. -
-

Install the certificate and key on the server, modify the - server's configuration to use the certificate and key, - and restart the daemon. After that, browse the server - using the sslip.io hostname via HTTPS (e.g. - https://52-0-56-137.sslip.io) - and receive a valid SSL connection (green lock), all - in a matter of seconds.

-

How do I use it?

-

First, find your server's IP address to determine its sslip.io - hostname -

-

Your server's sslip.io hostname is a mash-up of your server's - IP address and the sslip.io domain. Here are some - examples: -

- - - - - - - - - - - - - - - - - - - - - +

sslip.io

+

Operational Status: ci.nono.io [Status]

+

sslip.io is a DNS (Domain Name System) service that, when queried with a hostname with an embedded IP address, returns that IP Address. It was inspired by and uses much of the code of xip.io, which was created by Sam Stephenson

+

Here are some examples:

+
Server's IP Addresssslip.io Hostname
127.0.0.1127-0-0-1.sslip.io
192.168.1.80192-168-1-80.sslip.io
172.16.0.80172-16-0-80.sslip.io
52.0.56.13752-0-56-137.sslip.io
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
hostnameIP AddressNotes
192.168.0.1.sslip.io192.168.0.1dot separators
192-168-0-1.sslip.io192.168.0.1dash separators
www.192.168.0.1.sslip.io192.168.0.1subdomain
www.192-168-0-1.sslip.io192.168.0.1
www-192-168-0-1.sslip.io192.168.0.1embedded
–1.sslip.io::1IPv6 — always use dashes
2607-f8b0-400a-800–200e.sslip.io2607:f8b0:400a:800::200eIPv6
-
-

Second, download sslip.io's SSL certificate and key from - GitHub -

-

Download the SSL key (sslip.io.key.pem) - and wildcard SSL certificate chain (sslip.io.chained.crt.pem) - from GitHub. You may use curl if you prefer the - command line:

-curl -OL https://raw.githubusercontent.com/cunnie/sslip.io/master/ssl/sslip.io.key.pem
-curl -OL https://raw.githubusercontent.com/cunnie/sslip.io/master/ssl/sslip.io.chained.crt.pem
-

Third, configure the webserver with the SSL certificate - & key

-

Configure the server's configuration file's SSL portion - to use the SSL certificate & key downloaded from - GitHub. Here is a sample from sslip.io's webserver's - nginx.conf (modified for clarity):

-server {
-  listen              443 ssl;
-  ssl_certificate     /etc/ssl/sslip.io.chained.crt.pem;
-  ssl_certificate_key /etc/ssl/sslip.io.key.pem;
-

Here's a similar configuration for Apache 2.4's httpd-ssl.conf:

-Listen 443
-SSLCertificateFile "/etc/ssl/sslip.io.chained.crt.pem"
-SSLCertificateKeyFile "/etc/ssl/sslip.io.key.pem"
-

Finally, restart your webserver and browse to its sslip.io - address via HTTPS

-

Browse to your webserver's sslip.io hostname, e.g. https://52-0-56-137.sslip.io - (assuming that 52.0.56.137 is the IP address of your - webserver, which it isn't because that's the IP address - of our webserver). Admire the beautiful green - lock in your browser's address bar.

-
-

+

BRANDING

+

sslip.io can be used to brand your own site (you don’t need to use the sslip.io domain). For example, say you own the domain “example.com”, and you want your subdomain, “xip.example.com” to have xip.io-style features. To accomplish this, you’d need to set the following four DNS servers as NS records for the subdomain “xip.example.com”

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
hostnameIP addressLocation
ns-aws.nono.io.52.0.56.137USA
ns-gce.nono.io.104.155.144.4USA
ns-azure.nono.io.52.187.42.158Singapore
ns-he.nono.io.78.46.204.247Germany
+

Let’s test it from the command line using dig:

+ 
dig +short 169-254-169-254.xip.example.com @ns-gce.nono.io.
+

Yields, hopefully: [connection timed out]

+ 
169.254.169.254
+

TLS (Transport Layer Security)

+

If you have a wildcard certificate for your sslip.io-style subdomain, you may install it on your machines for TLS-verified connections.

+
+

When using a TLS wildcard certificate in conjunction with your branded sslip.io style subdomain, you must use dashes not dots as separators. For example, if you have the TLS certificate for *.xip.example.com, you could browse to https://https://52-0-56-137.xip.example.com/ but not https://52.0.56.137.xip.example.com/.

-

© 2015 Brian Cunnie, Pivotal Software

+

For a real-world example of a TLS wildcard cert and sslip.io domain, browse https://52-0-56-137.sslip.io.

+

Pivotal employees can download the sslip.io TLS private key here.

+
+

Footnotes

+

[Status] A status of “build failing” rarely means the system is failing. It’s more often an indication that when the servers were last checked (currently every six hours), the CI (continuous integration) server had difficulty reaching one of the four sslip.io nameservers. That’s normal. [connection timed out]

+

[connection timed out]

+

DNS runs over UDP which has no guaranteed delivery, and it’s not uncommon for the packets to get lost in transmission. DNS clients are programmed to seamlessly query a different server when that happens. That’s why DNS, by fiat, requires at least two nameservers (for redundancy). From IETF (Internet Engineering Task Force) RFC (Request for Comment) 1034:

+
+

A given zone will be available from several name servers to insure its availability in spite of host or communication link failure. By administrative fiat, we require every zone to be available on at least two servers, and many zones have more redundancy than that.

+
diff --git a/document_root/index.md b/document_root/index.md new file mode 100644 index 0000000..7bbf1fd --- /dev/null +++ b/document_root/index.md @@ -0,0 +1,96 @@ +### sslip.io + +Operational Status: [![ci.nono.io](https://ci.nono.io/api/v1/pipelines/sslip.io/jobs/check-dns/badge)](https://ci.nono.io/?groups=sslip.io) +[Status] + +_sslip.io_ is a DNS ([Domain Name +System](https://en.wikipedia.org/wiki/Domain_Name_System)) service that, when +queried with a hostname with an embedded IP address, returns that IP Address. +It was inspired by and uses much of the code of [xip.io](http://xip.io), which +was created by [Sam Stephenson](https://github.com/sstephenson) + +Here are some examples: + +| hostname | IP Address | Notes | +| ---------- | ------------ | ------- | +| 192.168.0.1.sslip.io | 192.168.0.1 | dot separators | +| 192-168-0-1.sslip.io | 192.168.0.1 | dash separators | +| www.192.168.0.1.sslip.io | 192.168.0.1 | subdomain | +| www.192-168-0-1.sslip.io | 192.168.0.1 | | +| www-192-168-0-1.sslip.io | 192.168.0.1 | embedded | +| --1.sslip.io | ::1 | IPv6 — always use dashes | +| 2607-f8b0-400a-800--200e.sslip.io | 2607:f8b0:400a:800::200e | IPv6 | + +### BRANDING + +sslip.io can be used to brand your own site (you don't need to use the sslip.io +domain). For example, say you own the domain "example.com", and you want your +subdomain, "xip.example.com" to have xip.io-style features. To accomplish this, +you'd need to set the following four DNS servers as NS records for the +subdomain "xip.example.com" + +| hostname | IP address | Location | +| --------------------- | ------------- | -------- | +| `ns-aws.nono.io.` | 52.0.56.137 | USA | +| `ns-gce.nono.io.` | 104.155.144.4 | USA | +| `ns-azure.nono.io.` | 52.187.42.158 | Singapore | +| `ns-he.nono.io.` | 78.46.204.247 | Germany | + +Let's test it from the command line using `dig`: + +``` +dig +short 169-254-169-254.xip.example.com @ns-gce.nono.io. +``` + +Yields (hopefully +[connection timed out] +): + +``` +169.254.169.254 +``` + +#### TLS (Transport Layer Security) + +If you have a wildcard certificate for your sslip.io-style subdomain, you may +install it on your machines for TLS-verified connections. + + + +For a real-world example of a TLS wildcard cert and sslip.io domain, browse +[https://52-0-56-137.sslip.io]( https://52-0-56-137.sslip.io). + +Pivotal employees can download the sslip.io TLS private key +[here](https://drive.google.com/open?id=0ByweFu4TspftMWJPdE1US0hQTGc). + +--- + +#### Footnotes + +[Status] +A status of "build failing" rarely means the system is failing. It's more +often an indication that when the servers were last checked (currently every +six hours), the CI (continuous integration) +[server](https://ci.nono.io/teams/main/pipelines/sslip.io) had difficulty +reaching one of the four sslip.io nameservers. That's normal. +[connection timed out] + +[connection timed out] + +DNS runs over [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) which +has no guaranteed delivery, and it's not uncommon for the packets to get lost +in transmission. DNS clients are programmed to seamlessly query a different +server when that happens. That's why DNS, by fiat, requires at least two +nameservers (for redundancy). From [IETF (Internet Engineering Task Force) RFC +(Request for Comment) 1034](https://tools.ietf.org/html/rfc1034): + +> A given zone will be available from several name servers to insure its +availability in spite of host or communication link failure. By administrative +fiat, we require every zone to be available on at least two servers, and many +zones have more redundancy than that.