Feature #10294
Define format for per-mirror hostname
100%
Description
For Feature #8635 (at least) we need to decide how to call the mirrors. This also impacts the config file format (Feature #8637) and the script (Feature #8639).
Note that all mirrors will need to answer both on the fallback hostname (likely dl.amnesia.boum.org) and on their own one, so that we can add them to the fast and reliable fallback pool (for non-JS users) without any need for server-side configuration changes.
Also note that whatever per-mirror hostname format we choose must exist, and be maintained, in the DNS.
Subtasks
Related issues
Blocks Tails - |
Resolved | 2016-02-04 | |
Blocks Tails - |
Resolved | 2015-01-09 | 2016-04-15 |
Blocks Tails - |
Resolved | 2015-01-09 | 2016-04-15 |
History
#1 Updated by intrigeri 2015-09-28 03:20:00
- blocks #8668 added
#2 Updated by intrigeri 2015-09-28 03:20:07
- Parent task set to Bug #7161
#3 Updated by intrigeri 2015-09-28 03:20:22
- blocks Feature #8635: Make each mirror provide a unique virtualhost name added
#4 Updated by intrigeri 2015-09-28 03:20:35
- blocks Feature #8637: Design how to convey the mirror pool's configuration to the dispatcher script added
#5 Updated by intrigeri 2015-09-28 03:20:42
- blocks Feature #8639: Write a mirror pool dispatcher script added
#6 Updated by intrigeri 2015-09-28 03:23:25
Ideally the format we pick should work for Apache, nginx and lighttpd. If it’s hard to support all three then we should check popularity of those webservers among our current pool, or find a technical solution to support multiple formats.
#7 Updated by intrigeri 2015-09-28 03:34:41
- Assignee set to intrigeri
#8 Updated by Anonymous 2015-09-28 03:48:35
Current research seems to confirm that the option *.1.dl.amnesia.boum.org is suitable.
nginx
http://nginx.org/en/docs/http/server_names.html
A wildcard name may contain an asterisk only on the name’s start or end, and only on a dot border. The names “www.*.example.org” and “w*.example.org” are invalid. However, these names can be specified using regular expressions, for example, “~^www\..+\.example\.org$” and “~^w.*\.example\.org$”. An asterisk can match several name parts. The name “*.example.org” matches not only www.example.org but www.sub.example.org as well.
A special wildcard name in the form “.example.org” can be used to match both the exact name “example.org” and the wildcard name “*.example.org”.
apache
https://httpd.apache.org/docs/2.4/vhosts/name-based.html#using
The wildcard characters * and ? can be used to match names.
lighttpd
(unsure about details) http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_Configuration
# handle virtual hosting
# map all domains of a top-level-domain to a single document-root
$HTTP["host"] =~ "(^|\.)example\.org$" {
    server.document-root = "/var/www/htdocs/example.org/pages/"
}
#9 Updated by intrigeri 2015-09-28 04:48:27
- Description updated
- Status changed from Confirmed to In Progress
- % Done changed from 0 to 20
u wrote:
> h3. nginx
>
> http://nginx.org/en/docs/http/server_names.html
This should work: server_name dl.amnesia.boum.org *.dl.amnesia.boum.org;
Let’s now test it.
> h3. apache
Seems that something like this should work:
ServerName dl.amnesia.boum.org
ServerAlias *.dl.amnesia.boum.org
Needs to be tested, especially since it seems to only work for name-based virtual hosts, while our current example config snippet is an IP-based virtual host.
> h3. lighttpd
>
> (unsure about details) http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_Configuration
>
> […]
Our current example config snippet reads:
$HTTP["host"] =~ "^dl\.amnesia\.boum\.org$" {
… so replacing it with something like:
$HTTP["host"] =~ "^(\d+\.)?dl\.amnesia\.boum\.org$" {
… should work.
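Added example (not part of the ticket or of the Tails code base): a simplified Python model of the three matching rules quoted in comments #8 and #9, used to compare which Host names each snippet would accept. The function names and sample hostnames are constructed; lowercasing the host and ignoring any port are assumptions of the model.

```python
import re

FALLBACK = "dl.amnesia.boum.org"
NAMES = [FALLBACK, "*." + FALLBACK]            # nginx server_name / Apache ServerName + ServerAlias
LIGHTTPD_RX = r"^(\d+\.)?dl\.amnesia\.boum\.org$"  # regex proposed in comment #9

def _norm(host):
    # Assumption: compare lowercased, without a trailing root dot or port.
    return host.lower().rstrip(".")

def nginx_match(names, host):
    """Exact name, or a leading '*.' wildcard that may span several labels."""
    host = _norm(host)
    for name in names:
        if name.startswith("*."):
            suffix = name[1:]                  # ".dl.amnesia.boum.org"
            if host.endswith(suffix) and len(host) > len(suffix):
                return True
        elif host == name:
            return True
    return False

def apache_match(names, host):
    """'*' and '?' are wildcards; '*' also matches across dots."""
    host = _norm(host)
    for name in names:
        rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                     for c in name)
        if re.fullmatch(rx, host):
            return True
    return False

def lighttpd_match(pattern, host):
    """$HTTP["host"] =~ pattern: unanchored regex search on the host."""
    return re.search(pattern, _norm(host), re.ASCII) is not None

def compare(hosts):
    """Map each host to (nginx, apache, lighttpd) acceptance."""
    return {h: (nginx_match(NAMES, h), apache_match(NAMES, h),
                lighttpd_match(LIGHTTPD_RX, h)) for h in hosts}

def disagreements(hosts):
    """Hosts that the three configurations do not treat identically."""
    return [h for h, r in compare(hosts).items() if len(set(r)) > 1]

# Constructed sample Host values, not real mirror names.
SAMPLE_HOSTS = ["dl.amnesia.boum.org", "42.dl.amnesia.boum.org",
                "mirror-a.dl.amnesia.boum.org", "a.b.dl.amnesia.boum.org",
                "dl.amnesia.boum.org.example.net"]

if __name__ == "__main__":
    for host, result in compare(SAMPLE_HOSTS).items():
        print(host, result)
```

In this model the wildcard forms accept any subdomain depth, while the lighttpd regex accepts only the fallback name and a single all-digit label, so the per-mirror names chosen need to fit the narrowest of the three.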
#10 Updated by sajolida 2015-09-28 09:26:23
Did you consider moving to dl.tails.boum.org and *.dl.tails.boum.org while working on this move?
#11 Updated by intrigeri 2015-10-01 18:58:37
> Did you consider moving to dl.tails.boum.org and *.dl.tails.boum.org while working on this move?
Not directly, but last time I thought about it, it seemed useful to keep what we don’t control much (mirrors) under a different hierarchy than our website and the infra we control, e.g. for HSTS and friends. Otherwise we may have to tightly couple HTTPS hardening of our services with moving all mirrors to HTTPS. Both are desirable, but tight coupling sounds like the wrong strategy. If there’s more discussion to be had on this topic, let’s have it on a dedicated ticket, since it’s a little bit off-topic here and we’re almost done with what this ticket is about :)
#12 Updated by intrigeri 2015-10-31 08:18:20
- Target version changed from Tails_1.7 to Tails_1.8
#13 Updated by intrigeri 2015-11-02 04:11:12
I’ll focus on Feature #5926 instead, during the 1.8 cycle.
#14 Updated by intrigeri 2015-11-02 04:11:35
- Target version changed from Tails_1.8 to 246
#15 Updated by sajolida 2015-11-27 04:45:55
- Target version changed from 246 to Tails_2.0
#16 Updated by intrigeri 2015-12-05 16:17:35
- Target version changed from Tails_2.0 to Tails_2.2
#17 Updated by intrigeri 2016-02-12 23:45:13
- Description updated
#18 Updated by intrigeri 2016-03-04 14:55:19
- Description updated
#19 Updated by intrigeri 2016-03-04 18:08:00
- Feature Branch set to doc/11054-per-mirror-hostname
#20 Updated by intrigeri 2016-03-04 18:28:20
- Status changed from In Progress to Resolved
- Assignee deleted (intrigeri)
- % Done changed from 20 to 100
Tested all these config snippets, they work fine => the format will be *.dl.amnesia.boum.org. I’ll follow-up on Feature #11054.