#1 2017-04-18 05:03:03

rockinmusicgv
Trusted Member
Registered: 2016-03-11
Posts: 8

Wildcard Reverse Proxy

GestionDBI has a really convenient tool for adding new domains to the reverse proxy.  Is it possible to add a wild card such that *.mydomain.com will be routed to the correct server?

Offline

#2 2017-04-19 14:33:49

WSS
Trusted Member
Registered: 2016-12-22
Posts: 284

Re: Wildcard Reverse Proxy

Calling BackToGeek, since I'm pretty sure he authored the tool.   I doubt you can add wildcards since I'm fairly certain this is based on HAProxy 1.5, but it never hurts to ask!



Offline

#3 2017-04-19 14:48:48

Backtogeek
Low End Boss
From: ~/
Registered: 2013-02-13
Posts: 3,544
Website

Re: Wildcard Reverse Proxy

Nope, not for me, GDBI uses their own thing :)


http://LittleHappyCloud.net KVM VPS with 1TB Bandwidth for €3.00

Offline

#4 2017-04-19 14:55:29

DavidGestionDBI
Provider-Moderator
From: Montreal, Canada
Registered: 2015-01-10
Posts: 599
Website

Re: Wildcard Reverse Proxy

I use my own thing since I have never played with HAProxy in my life :P


-----------
David B. |  Technical Director at Gestion DBI ||  Want to receive our promotions?
IT consulting and Hosting Provider | 24/7 Technical Support

Offline

#5 2017-04-19 17:43:51

rockinmusicgv
Trusted Member
Registered: 2016-03-11
Posts: 8

Re: Wildcard Reverse Proxy

Thank you for the replies.  Using the tool provided by GDBI, I cannot add wildcards to the reverse proxy.  (domains need to be numbers and letters only).  Are there any plans to add this functionality?  Is it even possible to add this?

If not, I can try to whip up a custom proxy that runs on a system with a public IPv4, but that would be a significant hassle :|

Offline

#6 2017-04-19 19:58:03

mikho
Low End Mod
From: Hell and gore == Sweden
Registered: 2013-03-02
Posts: 1,341
Website

Re: Wildcard Reverse Proxy

HAProxy should be able to do it if the ACL is using "hdr_sub(host)" but that could end up with a bunch of other problems.

Offline

#7 2017-04-19 22:14:26

rockinmusicgv
Trusted Member
Registered: 2016-03-11
Posts: 8

Re: Wildcard Reverse Proxy

Thanks for the heads up.  If I do end up rolling my own reverse proxy, what problems will hdr_sub(host) cause?

Offline

#8 2017-04-20 06:31:27

Backtogeek
Low End Boss
From: ~/
Registered: 2013-02-13
Posts: 3,544
Website

Re: Wildcard Reverse Proxy

I assume the obvious one is misdirects and invalid session cookies, but really in order to understand it you need to live it, i.e. suck it and see!


http://LittleHappyCloud.net KVM VPS with 1TB Bandwidth for €3.00

Offline

#9 2017-04-20 16:15:45

mikho
Low End Mod
From: Hell and gore == Sweden
Registered: 2013-03-02
Posts: 1,341
Website

Re: Wildcard Reverse Proxy

hdr_sub grabs a portion of the domain name and redirects it.

Example: if you want a wildcard you would set .domainname.tld
Because haproxy would take the domain that the user wants to see and match it to your inserted value.
Now the problem is if you enter only "domainname.tld" (without the ") and another user adds "yourdomainname.tld" (without the "). Guess what could happen? If the ACL is handled first by haproxy, yourdomainname.tld actually is true since it is the last part of the domain name.

Now, if I enter a value "a.com", with any luck I could end up with traffic for all domains ending with "a.com".

There is another option to get the last part of the domain name when matching against ACL, problem is to sanitize it if you add a port number to the domain name.

It would take a lot of tests to configure this "the right way" and make it safe for the users.
There are no problems if you are the only one behind the proxy but here....... naaahhh, could get ugly.

Offline
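
The matching problem described in post #9, as an added example that is not part of any post in this thread: Python stand-ins for a substring match (hdr_sub), a raw suffix match (HAProxy's hdr_end), and a match anchored on a label boundary after the port is stripped. The tenant names, the rule table and all function names are constructed for illustration.

```python
# Added illustration: simplified stand-ins, not HAProxy code.
# Tenant names and rule entries are constructed sample data.

def normalize(host_header):
    """Lower-case the Host value, drop a :port suffix and a trailing dot."""
    host = host_header.strip().lower()
    if ":" in host:
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")

def match_sub(host, entry):
    """Substring match, the behaviour described for hdr_sub(host)."""
    return entry in host

def match_end(host, entry):
    """Raw suffix match on the header value, port included."""
    return host.endswith(entry)

def match_label(host, entry):
    """Exact match, or suffix match only where a '.' separates the labels."""
    host, entry = normalize(host), entry.lstrip(".").lower()
    return host == entry or host.endswith("." + entry)

def route(host, rules, matcher):
    """Return the tenant of the first rule that matches, else None."""
    for entry, tenant in rules:
        if matcher(host, entry):
            return tenant
    return None

# tenant_b's shorter entry is evaluated before tenant_a's.
RULES = [("domainname.tld", "tenant_b"), ("yourdomainname.tld", "tenant_a")]

if __name__ == "__main__":
    for host in ("yourdomainname.tld", "yourdomainname.tld:8080",
                 "www.domainname.tld"):
        for matcher in (match_sub, match_end, match_label):
            print(host, matcher.__name__, route(host, RULES, matcher))
```

With the substring and raw suffix matchers, requests for yourdomainname.tld land on tenant_b; the raw suffix matcher also stops matching anything once a port is appended. Only the label-boundary matcher routes all three sample hosts to their owners.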

#10 2017-04-20 19:18:18

WSS
Trusted Member
Registered: 2016-12-22
Posts: 284

Re: Wildcard Reverse Proxy

Backtogeek wrote:

Nope, not for me, GDBI uses their own thing :)

DavidGestionDBI wrote:

I use my own thing since I have never played with HAProxy in my life :P

Eweps.   Not sure why I thought Anthony did the whole LES thing for everyone.  Ignore me (if you haven't already).



Offline

#11 2017-04-21 03:31:35

AuroraZero
Slacker
From: Slacker Labs
Registered: 2017-04-01
Posts: 60
Website

Re: Wildcard Reverse Proxy

He did at first and then it kind of branched out. Which is cool.


The world is full of nuts.....Come join us. :)

Offline

#12 2017-06-05 06:03:48

yoursunny
Trusted Member
Registered: 2013-09-17
Posts: 7

Re: Wildcard Reverse Proxy

mikho wrote:

Example: if you want a wildcard you would set .domainname.tld
Because haproxy would take the domain that the user wants to see and match it to your inserted value.
Now the problem is if you enter only "domainname.tld" (without the ") and another user adds "yourdomainname.tld" (without the "). Guess what could happen? If the ACL is handled first by haproxy, yourdomainname.tld actually is true since it is the last part of the domain name.

Now, if I enter a value "a.com", with any luck I could end up with traffic for all domains ending with "a.com".

Would sorting the domain list by decreasing length solve the problem?

Offline

#13 2017-06-05 07:07:12

mikho
Low End Mod
From: Hell and gore == Sweden
Registered: 2013-03-02
Posts: 1,341
Website

Re: Wildcard Reverse Proxy

yoursunny wrote:
mikho wrote:

Example: if you want a wildcard you would set .domainname.tld
Because haproxy would take the domain that the user wants to see and match it to your inserted value.
Now the problem is if you enter only "domainname.tld" (without the ") and another user adds "yourdomainname.tld" (without the "). Guess what could happen? If the ACL is handled first by haproxy, yourdomainname.tld actually is true since it is the last part of the domain name.

Now, if I enter a value "a.com", with any luck I could end up with traffic for all domains ending with "a.com".

Would sorting the domain list by decreasing length solve the problem?

 
I don't have the manual remembered but I have a gut feeling that it doesn't matter.
Sorting is done randomly and first hit is the one that is used.
I could be wrong but then you need someone to sort the list :)

Offline

#14 2017-06-05 07:10:05

WSS
Trusted Member
Registered: 2016-12-22
Posts: 284

Re: Wildcard Reverse Proxy

It really sounds like there needs to be some decent regex done on data entered and sanitized before use.



Offline

#15 2017-06-05 08:22:57

mikho
Low End Mod
From: Hell and gore == Sweden
Registered: 2013-03-02
Posts: 1,341
Website

Re: Wildcard Reverse Proxy

WSS wrote:

It really sounds like there needs to be some decent regex done on data entered and sanitized before use.

 
It is possible to make it work perfectly in an owned environment. In a shared one like this, there are too many people who can turn things into an ugly mess. A mess that probably would take more time to sort out than what the service costs.

Offline

#16 2017-06-05 14:09:13

WSS
Trusted Member
Registered: 2016-12-22
Posts: 284

Re: Wildcard Reverse Proxy

mikho wrote:
WSS wrote:

It really sounds like there needs to be some decent regex done on data entered and sanitized before use.

 
It is possible to make it work perfectly in an owned environment. In a shared one like this, there are too many people who can turn things into an ugly mess. A mess that probably would take more time to sort out than what the service costs.

That's true, but a basic pattern match is useful for most.   This is what I find myself using for basic validation:

^[A-Za-z0-9][-A-Za-z0-9]+[A-Za-z0-9]\.[a-z]{2,3}(\.[a-z]{2,3})?(\.[a-z]{2,3})?$

Also, I feel that anyone trying to abuse the proffered services should be blocked from ANY service and flagged as a problem.

Last edited by WSS (2017-06-05 14:10:26)



Offline
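
Validation of entries before use, as raised in posts #14 to #16, shown as an added example that is not code from any poster or from the GestionDBI tool. It goes beyond a single pattern match: each entry is checked label by label, an optional leading "*." is accepted, and an entry is refused when it could match the same Host value as another tenant's entry. The function names, the table layout and the tenant names are hypothetical.

```python
import re

# One DNS label: 1-63 chars of a-z, 0-9, '-', no hyphen at either end.
LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")

def parse_entry(text):
    """Return (wildcard, name) for 'example.com' or '*.example.com', else None."""
    name = text.strip().lower().rstrip(".")
    wildcard = name.startswith("*.")
    if wildcard:
        name = name[2:]
    labels = name.split(".")
    # Needs two or more labels, so '*.tld' is refused. Multi-label public
    # suffixes (co.uk) would need a public suffix list, not covered here.
    if len(name) > 253 or len(labels) < 2 or labels[-1].isdigit():
        return None
    if not all(LABEL.fullmatch(label) for label in labels):
        return None
    return wildcard, name

def conflicts(a, b):
    """True when two entries can match the same Host value."""
    (a_wild, a_name), (b_wild, b_name) = a, b
    if a_name == b_name:
        return True
    return ((a_wild and b_name.endswith("." + a_name)) or
            (b_wild and a_name.endswith("." + b_name)))

def register(table, tenant, text):
    """Add an entry to table {(wildcard, name): tenant}; return (ok, reason)."""
    entry = parse_entry(text)
    if entry is None:
        return False, "invalid hostname"
    for other, owner in table.items():
        if owner != tenant and conflicts(entry, other):
            return False, "overlaps another tenant's entry"
    table[entry] = tenant
    return True, "ok"
```

The overlap check only compares entries already in the table; it does not prove that a tenant controls the domain being registered.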

#17 2017-06-05 19:32:05

mikho
Low End Mod
From: Hell and gore == Sweden
Registered: 2013-03-02
Posts: 1,341
Website

Re: Wildcard Reverse Proxy

Not knowing the backend but with SolusVM in mind I'm sure it will be better not to touch a working solution ;)

Offline

#18 2017-06-05 21:03:15

Backtogeek
Low End Boss
From: ~/
Registered: 2013-02-13
Posts: 3,544
Website

Re: Wildcard Reverse Proxy

And just for fun I just upgraded my solusvm masters to centos 7 and the haproxy integration seems to be rather flakey now.. jot, virtualizor here we come!


http://LittleHappyCloud.net KVM VPS with 1TB Bandwidth for €3.00

Offline

#19 2017-06-06 00:29:38

WSS
Trusted Member
Registered: 2016-12-22
Posts: 284

Re: Wildcard Reverse Proxy

The preceding two posts are a combination of wisdom- and doing it anyway.   Please post how it goes, Ant- I'll be in Stockholm in two days and need some schadenfreude to keep me going!



Offline

#20 2017-06-06 08:41:14

Backtogeek
Low End Boss
From: ~/
Registered: 2013-02-13
Posts: 3,544
Website

Re: Wildcard Reverse Proxy

I can count to 1000 in Swedish now.


http://LittleHappyCloud.net KVM VPS with 1TB Bandwidth for €3.00

Offline

#21 2017-06-06 12:03:11

mikho
Low End Mod
From: Hell and gore == Sweden
Registered: 2013-03-02
Posts: 1,341
Website

Re: Wildcard Reverse Proxy

WSS wrote:

The preceding two posts are a combination of wisdom- and doing it anyway.   Please post how it goes, Ant- I'll be in Stockholm in two days and need some schadenfreude to keep me going!

 
Don't get caught https://youtu.be/I_1PEIBAFoo

Offline

#22 2017-06-06 12:35:03

WSS
Trusted Member
Registered: 2016-12-22
Posts: 284

Re: Wildcard Reverse Proxy

mikho wrote:

There's no way I'd be able to infiltrate.  My fashion sense is so poor that I own this:

qXvM8vSm.jpg

I wisely decided NOT to wear it on my flight, but was tempted to do my best to be the "Fat Arrogant Geographically-Gullible Yank" character the rest of the world just assumes we all are.



Offline
