wildcard ssl ServerNames

wildcard ssl ServerNames

csross
The web server I will be protecting uses a wildcard ServerName (actually ServerAlias) entry in the ssl.conf.

ServerAlias *.my-domain.com, because the value of * can be many things.

Is there any problem with this as far as installing the Shibboleth v2 SP?  I believe the xml file has a <Host name="www.example.org" but I have not seen a wildcard entry

<Host name="*.my-domain.com"

Is this possible?

Thank you

RE: wildcard ssl ServerNames

Cantor, Scott E.
csross wrote on 2009-06-13:
> Is there any problem with this as far as installing shibboleth v2 SP.  I
> believe the xml file has a <Host name="www.example.org" but I have not seen
> a wildcard entry
>
> <Host name="*.my-domain.com"
>
> Is this possible?

Apache sites have no reason to enumerate hosts in the RequestMap; you can
use Apache commands to control the software from the Apache side instead.

But your problem is that your SP's metadata, as given to the IdP, will have
to include an AssertionConsumerService element for every single virtual host
name you use. That's just part of the software design, and it's not all that
suited to massively vhosted sites.

Every resource you protect has to be paired with an ACS on the same vhost.
The software handles that automatically with the default configuration, but
it can't generate the metadata for you with dozens or more ACS locations.

-- Scott



RE: [Shib-Users] wildcard ssl ServerNames

csross

Hello,

Thank you for your response.  Unfortunately I am a bit confused by the terminology.

I actually (at this time) only need one of the vhost sites protected with shibboleth, but unfortunately all *.my-domain.com sites need ssl, so I have a wildcard certificate and vhost definition.

Do you have an example where a specific vhost uses the tool but others do not (or something of the sort)?  All vhosts use the same DocumentRoot so I can't use a /Directory container to include the required apache entries for shibboleth.

Thank you very much for your help.

Sincerely,

Christine Ross 


Re: wildcard ssl ServerNames

Peter Schober
* csross <[hidden email]> [2009-06-15 15:47]:
> Thank you for your response.  Unfortunately I am a bit confused by the
> terminology.  
>
> I actually (at this time) only need one of the vhost sites protected
> with shibboleth, but unfortunately I need all *.my-domain.com sites need
> ssl, so I have a wildcard certificate and vhost definition.

If you use the Shibboleth SP on only one vhost, then you only give
metadata with ACS URLs (protocol message endpoints) for this vhost to
the IdP. In other words: you can pretty much ignore all the other vhosts.
-peter

RE: wildcard ssl ServerNames

Cantor, Scott E.
In reply to this post by csross
csross wrote on 2009-06-15:
> I actually (at this time) only need one of the vhost sites protected with
> shibboleth, but unfortunately I need all *.my-domain.com sites need ssl, so
> I have a wildcard certificate and vhost definition.

Ok, I misunderstood. One protected vhost is no big deal.

> Do you have an example where I a specific vhost uses the tool but others
> do not (or something of the sort)?  All vhosts use the same DocumentRoot
> so I can't use a /Directory container to include the required apache
> entries for shibboleth.

Just put the commands involved into the specific vhost. You can do it with
Directory or Location options, either way only that vhost will be involved.

Or you can use the RequestMap and just specify the Host you want. You asked
about wildcarding. There would be no wildcarding in the configuration if all
you're doing is one vhost.

-- Scott



RE: wildcard ssl ServerNames

csross
Hi,

Thank you.

The reason I asked about wildcards is that I read in the documentation
that an SP can only have one site to protect (am I correct), which is
the only thing I am setting up.  

There is only one vhost container in this apache configuration with a
ServerAlias *.my-domain.com and all share the same DocumentRoot so I
cannot use a /Directory entry.  

I am not familiar with the RequestMap; a quick look at the document about
SPProtectContent shows this example.  Does this say that ONLY site
site.my-domain.com is protected/processed?

<Host name="site.my-domain.com" authType="shibboleth"
requireSession="true" />

Again, thank you.

Christine


RE: wildcard ssl ServerNames

Cantor, Scott E.
Christine Ross wrote on 2009-06-15:
> The reason I asked about wildcards is that I read in the documentation
> that an SP can only have one site to protect (am I correct), which is
> the only thing I am setting up.

I don't know what you're referring to, but that's not correct.

> There is only one vhost container in this apache configuration with a
> ServerAlias *.my-domain.com and all share the same DocumentRoot so I
> cannot use a /Directory entry.

I wasn't aware Apache could be set up like that. I guess that would rule out
using Apache commands to enable the module, yes.

> I am not familiar with the RequestMap a quick look at the document about
> SPProtectContent has this example?  Does this say that ONLY site
> site.my-domain.com is protected/processed?
>
> <Host name="site.my-domain.com" authType="shibboleth"
> requireSession="true" />

Yes. But you MUST have UseCanonicalName On for that to be safe. I don't know
if that Apache option is compatible with your vhost set up, since it would
seem to need to know what the client sent to establish the actual vhost name
at runtime. You can't do that here, because if you did, the client could
override the effective host name and the RequestMap would be ignored.

So unless you can turn that option on, or find some Apache-centric way to
control whether the commands were active for a particular request, there's
no way to do it (other than leaving it up to the application code).

-- Scott



RE: wildcard ssl ServerNames

csross
Hello thank you.

My mistake on something.  My ssl vhost ServerName is *.my-domain.com,
not the ServerAlias.

I will see if there is a way to break out the * part in the
configuration.

As far as the multiple hosts on an SP, I thought I recalled reading that
you can only have one site protected on an SP.

Thank you for your help.
Christine



RE: wildcard ssl ServerNames

Cantor, Scott E.
Christine Ross wrote on 2009-06-15:
> My mistake on something.  My ssl vhost ServerName is *.my-domain.com,
> not the ServerAlias.

Yeah, that's the problem. With UseCanonicalName, the whole point is to make
Apache report the value in ServerName as the hostname for the request.
That's the part that the SP uses to give to the RequestMap to get the
settings to use. If you can't trust that value, you can't use the
RequestMap.

> As far as the multiple hosts on an SP, I thought I recalled reading that
> you can only have one site protected on an SP.

No, but every distinct vhost requires its own set of SAML endpoints.

-- Scott
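To make Scott's last two replies concrete, here is an added toy model (not Shibboleth or Apache code; the function names and the sample RequestMap are constructed for this thread) of how a <Host> rule is matched against the host name Apache reports, under UseCanonicalName On and Off and with a wildcard ServerName:

```python
# Added toy model of RequestMap host matching (constructed for this thread;
# not Shibboleth or Apache code). It shows why a <Host name="..."> rule is only
# safe with UseCanonicalName On, and why a wildcard ServerName defeats it.

# Constructed RequestMap mirroring the snippet quoted in the thread:
# <Host name="site.my-domain.com" authType="shibboleth" requireSession="true"/>
REQUEST_MAP = {
    "site.my-domain.com": {"authType": "shibboleth", "requireSession": True},
}
# Settings that apply to any host without an explicit <Host> entry.
DEFAULT_SETTINGS = {"authType": None, "requireSession": False}


def effective_host(server_name, client_host, use_canonical_name):
    """Host name Apache hands to the SP for a request (simplified model).

    UseCanonicalName On  -> the configured ServerName, verbatim.
    UseCanonicalName Off -> whatever the client put in the Host header.
    """
    if use_canonical_name:
        return server_name.lower()
    return client_host.split(":")[0].lower()


def lookup(host):
    """RequestMap lookup: exact host-name match, no wildcard expansion."""
    return REQUEST_MAP.get(host, DEFAULT_SETTINGS)


def session_required(server_name, client_host, use_canonical_name):
    """True if the RequestMap would require a Shibboleth session."""
    host = effective_host(server_name, client_host, use_canonical_name)
    return lookup(host)["requireSession"]


if __name__ == "__main__":
    # 1. Fixed ServerName, UseCanonicalName On: the rule applies no matter
    #    what Host header the client sends.
    print(session_required("site.my-domain.com", "other.my-domain.com", True))   # True
    # 2. UseCanonicalName Off: the client's Host header selects the settings,
    #    so a request claiming another host skips the rule (Scott's warning).
    print(session_required("site.my-domain.com", "other.my-domain.com", False))  # False
    # 3. Wildcard ServerName with UseCanonicalName On: Apache reports the
    #    literal "*.my-domain.com", which never equals site.my-domain.com,
    #    so the rule never fires (why the wildcard ServerName is "the problem").
    print(session_required("*.my-domain.com", "site.my-domain.com", True))       # False
```

Case 1 is the only configuration in which the <Host> rule is both reachable and not under the client's control, which is the condition Scott sets for using the RequestMap at all.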