zishuo/nip
1
0
Fork 0
mirror of https://github.com/cunnie/sslip.io.git synced 2025-10-08 00:51:04 +08:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

move name-based virtual hosting to FAQ

Browse Source 
also reformatted due to forgotten paragraph-close
This commit is contained in:
Brian Cunnie
2015-08-30 11:04:00 -07:00
parent 1cdef71845
commit c62a830121
2 changed files with 87 additions and 74 deletions
Download Patch File Download Diff File Expand all files Collapse all files

128
document_root/faq.html
View File

@@ -84,63 +84,81 @@ other head content must come *after* these tags -->
wildcard SSL certificate, but "www.sf.ca.us.10.9.9.142.sslip.io" wildcard SSL certificate, but "www.sf.ca.us.10.9.9.142.sslip.io"
will not. This is a technical limitation of wildcard will not. This is a technical limitation of wildcard
certs and the manner in which browsers treat them (read certs and the manner in which browsers treat them (read
more <a href="http://security.stackexchange.com/questions/10538/what-certificates-are-needed-for-multi-level-subdomains">here</a>). more <a href="http://security.stackexchange.com/questions/10538/what-certificates-are-needed-for-multi-level-subdomains">here</a>).</p>
This restricts sslip.io's usage model. For example, it <p>This restricts sslip.io's usage model. For example, it
won't work properly with Cloud Foundry's app domain or won't work properly with Cloud Foundry's app domain or
system domain. system domain.</p>
<p class="lead">Can you make the hostnames easier to remember? I'm being <p class="lead">Does sslip.io work with name-based virtual hosting? We
force to memorize IP addresses.</p> have multiple projects but only one webserver.</p>
<p>Unfortunately, no. We appreciate that "52-0-56-137.sslip.io"
is not an easy-to-remember hostname, whereas something <p> sslip.io interoperates quite well with <a href="https://en.wikipedia.org/wiki/Virtual_hosting#Name-based">https://en.wikipedia.org/wiki/Virtual_hosting#Name-based</a>.
along the lines of "aws-server.sslip.io" would be much You can prepend identifying information to the sslip.io
simpler, but we don't see an easy solution&mdash;we hostname without jeopardizing the address resolution, and then use
need to be able to extract the IP address from the those hostnames to distinguish the content being served.
hostname in order for our DNS nameserver to reply with For example, let's assume that your webserver's IP address
the proper address when queried.</p> is 10.9.9.30, and that you have three projects you're
<p class="lead">Do you have support for IPv6-style addresses?</p> working on (Apple, Google, and Facebook). You would use
<p>Not yet, but if there's enough demand for it we might the following three sslip.io hostnames: </p>
try implementing it.</p>
<p class="lead">Why did you choose a 4096-bit key instead of a 2048-bit <ul>
key?</p> <li>apple-10-9-9-30.xip.io</li>
<p>We couldn't help ourselves&mdash;when it comes to keys, <li>facebook-10-9-9-30.xip.io</li>
longer is better. In retrospect there were flaws in <li>google-10-9-9-30.xip.io</li>
our thinking: certain hardware devices, e.g. YubiKeys, </ul>
only support keys of length 2048 bits or less. Also, <p class="lead">Can you make the hostnames easier to remember? I'm being
there was no technical value in making a long key&mdash;it's force to memorize IP addresses.</p>
publicly available on GitHub, so a zero-bit key would <p>Unfortunately, no. We appreciate that "52-0-56-137.sslip.io"
have been equally secure.</p> is not an easy-to-remember hostname, whereas something
<p class="lead">Do I have to use the sslip.io domain? I'd rather have along the lines of "aws-server.sslip.io" would be much
a valid cert for my domain.</p> simpler, but we don't see an easy solution&mdash;we need
<p>If you want valid SSL certificate, and you don't want to be able to extract the IP address from the hostname
to use the sslip.io domain, then you'll need to purchase in order for our DNS nameserver to reply with the proper
a certificate for your domain. We purchased ours from address when queried.</p>
<a href="https://www.cheapsslshop.com">Cheap SSL Shop</a>, <p class="lead">Do you have support for IPv6-style addresses?</p>
but use a vendor with whom you're comfortable. </p> <p>Not yet, but if there's enough demand for it we might try
<p class="lead">What is the sslip.io certificate chain? </p> implementing it.</p>
<p>The sslip.io certificate chain is the series of certificates, <p class="lead">Why did you choose a 4096-bit key instead of a 2048-bit
each signing the next, with a root certificate at the key?
top. It looks like the following:</p> </p>
<div class="col-sm-12"> <p>We couldn't help ourselves&mdash;when it comes to keys,
<img src="img/cert_chain.png" height="206" /> </div> longer is better. In retrospect there were flaws in our
<div class="row"></div> thinking: certain hardware devices, e.g. YubiKeys, only
support keys of length 2048 bits or less. Also, there
was no technical value in making a long key&mdash;it's
publicly available on GitHub, so a zero-bit key would
have been equally secure.</p>
<p class="lead">Do I have to use the sslip.io domain? I'd rather have a
valid cert for my domain.</p>
<p>If you want valid SSL certificate, and you don't want to
use the sslip.io domain, then you'll need to purchase
a certificate for your domain. We purchased ours from
<a href="https://www.cheapsslshop.com">Cheap SSL Shop</a>,
but use a vendor with whom you're comfortable. </p>
<p class="lead">What is the sslip.io certificate chain? </p>
<p>The sslip.io certificate chain is the series of certificates,
each signing the next, with a root certificate at the
top. It looks like the following:</p>
<div class="col-sm-12">
<img src="img/cert_chain.png" height="206" /> </div>
<div class="row"></div>
<p></p>
<p>Note that the "root" certificate is "AddTrust's External
CA Root", which issued a certificate to the "COMODO RSA
Certification Authority", which in turn issued a certificate
to the "COMODO RSA Domain Validation Secure Server CA"
which in turn issued our certificate, "*.sslip.io".
</p>
<p class="lead">How is "sslip.io" pronounced?</p>
<p>ESS-ESS-ELL-EYE-PEE-DOT-EYE-OH</p>
<p class="lead">Where do I report bugs? I think I found one.</p>
<p>Open an issue on <a href="https://github.com/cunnie/sslip.io/issues">GitHub</a>;
we're tracking our issues there.</p>
<p class="lead">There's a typo/mistake on the sslip.io website. </p>
<p>Thanks! We love <a href="https://github.com/cunnie/sslip.io/pulls">pull requests</a>.</p>
<div class="row">
<p></p> <p></p>
<p>Note that the "root" certificate is "AddTrust's External </div>
CA Root", which issued a certificate to the "COMODO <p>&copy; 2015 Brian Cunnie, Pivotal Software </p>
RSA Certification Authority", which in turn issued
a certificate to the "COMODO RSA Domain Validation
Secure Server CA" which in turn issued our certificate,
"*.sslip.io".</p>
<p class="lead">How is "sslip.io" pronounced?</p>
<p>ESS-ESS-ELL-EYE-PEE-DOT-EYE-OH</p>
<p class="lead">Where do I report bugs? I think I found one.</p>
<p>Open an issue on <a href="https://github.com/cunnie/sslip.io/issues">GitHub</a>;
we're tracking our issues there.</p>
<p class="lead">There's a typo/mistake on the sslip.io website. </p>
<p>Thanks! We love <a href="https://github.com/cunnie/sslip.io/pulls">pull requests</a>.</p>
<div class="row">
<p></p>
</div>
<p>&copy; 2015 Brian Cunnie, Pivotal Software </p>
</div> </div>
</div> </div>
<!-- /.container --> <!-- /.container -->

33
document_root/index.html
View File

@@ -75,12 +75,12 @@ src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script> <![endif]-->
<li>a wildcard SSL certificate for *.sslip.io and the corresponding <li>a wildcard SSL certificate for *.sslip.io and the corresponding
key, both downloadable from GitHub</li> key, both downloadable from GitHub</li>
</ol> </ol>
<p>A developer can install the certificate and key on the <p>Install the certificate and key on the
server, modify the server's configuration and restart server, modify the server's configuration to use the certificate and key, and restart
the daemon, at which point anyone can browse the server the daemon. After that, browse the server
using the sslip.io hostname (e.g. <i>52-0-56-137.sslip.io</i>) using the sslip.io hostname via HTTPS (e.g.
via HTTPS and receive a valid SSL connection (green lock). <a href="https://52-0-56-137.sslip.io">https://52-0-56-137.sslip.io</a>)
All in a matter of seconds. </p> and receive a valid SSL connection (green lock), all in a matter of seconds. </p>
<h3>How do I use it? </h3> <h3>How do I use it? </h3>
<p class="lead">First, find your server's IP address to determine its sslip.io <p class="lead">First, find your server's IP address to determine its sslip.io
hostname</p> hostname</p>
@@ -92,29 +92,24 @@ src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script> <![endif]-->
<th>Server's IP Address</th> <th>Server's IP Address</th>
<th>sslip.io Hostname</th> <th>sslip.io Hostname</th>
</tr> </tr>
<tr>
<td>52.0.56.137</td>
<td><a href="https://52-0-56-137.sslip.io/">52-0-56-137.sslip.io</a></td>
</tr>
<tr> <tr>
<td>127.0.0.1</td> <td>127.0.0.1</td>
<td>127-0-0-1.sslip.io</td> <td>127-0-0-1.sslip.io</td>
</tr> </tr>
<tr> <tr>
<td>10.1.1.2</td> <td>192.168.1.80</td>
<td>www-10-1-1-2.sslip.io</td> <td>192-168-1-80.sslip.io</td>
</tr> </tr>
<tr> <tr>
<td>172.16.0.1</td> <td>172.16.0.80</td>
<td>console-172-16-0-1.sslip.io</td> <td>172-16-0-80.sslip.io</td>
</tr>
<tr>
<td>52.0.56.137</td>
<td><a href="https://52-0-56-137.sslip.io/">52-0-56-137.sslip.io</a></td>
</tr> </tr>
</table> </table>
<br /> <br />
<p style="font-style:
italic;">Note that in the last two examples we prepended additional
information to the hostname, i.e. "www-" and "console-",
respectively. This allows sslip.io to work with <a href="https://en.wikipedia.org/wiki/Virtual_hosting#Name-based">name-based
virtual hosting</a>.</p>
<p class="lead">Second, download sslip.io's SSL certificate and key from <p class="lead">Second, download sslip.io's SSL certificate and key from
GitHub</p> GitHub</p>
<p>Download the SSL key (<a href="https://raw.githubusercontent.com/cunnie/sslip.io/master/ssl/sslip.io.key.pem">sslip.io.key.pem</a>) <p>Download the SSL key (<a href="https://raw.githubusercontent.com/cunnie/sslip.io/master/ssl/sslip.io.key.pem">sslip.io.key.pem</a>)