-
-
Notifications
You must be signed in to change notification settings - Fork 709
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
able to Install Apps from https://apps.sandstorm.io/ But Grains were loading for ever #3693
Comments
It looks like you may have a stray colon at the end of your WILDCARD_HOST? |
Okay, and I guess it's worth noting that you need to restart Sandstorm after changing that. I'm assuming you have something else handling SSL termination, since your Sandstorm is using HTTP on port 6080, but I see from above you can access it at an https:// URL. However, the next thing I'm noticing is that I do not believe your DNS record is correct. If I try to lookup sstorm.dapm.com, I get an IP address. However, if I try to reach foo.dapm.com, I do not get any IP address from DNS. That suggests you don't have a wildcard entry on your DNS provider. |
You shouldn't need to do that, that's only if you're using Sandstorm's SSL provider, and want Sandstorm to handle Let's Encrypt. It looks like you're using something else. But if your wildcard was in your Gandi DNS, you should get your IP address back if you try to ping foo.dapm.com or bar.dapm.com or anything.dapm.com. |
Ok understood. let me have a look at DNS Setup and update you. may i know How it should be added as record? at DNS |
I haven't used Gandi's control panel personally, but usually a wildcard entry should be an A record where the subdomain is https://docs.gandi.net/en/domain_names/faq/record_types/a_record.html |
I'm not familiar with it, but the wildcard DNS record is definitely not working. Regardless of your proxy or Sandstorm setup, if your DNS is set correctly, a DNS lookup for anyrandomsubdomain.dapm.com should return your the IP address of your server, and currently it does not return anything. |
If i want to use a custom domain, i require a domain name with the following DNS records: Created A Record in Gandi.net: CNAME: Above I haven't created CNAME this could be reason? |
It could be either an A record or a CNAME, but there has to be one that is * and pointed at your server. Can you maybe screenshot both your sstorm record and your * record in your DNS? |
So can you add one for:
|
no impacts to Adding like below DNS?
it won;t impact my current other Wild Card Subdomains right? |
Unless you have a * record already, it should be fine. * does not impact existing records and only is used when a specific record is not found. However, you should also be able to do something like sstorm-* to ensure all Sandstorm subdomains start with sstorm-. But you'd also need to set that in the WILDCARD_HOST in your sandstorm.conf file as well. |
ocdtrekkie any input? |
The DNS stuff all looks correct now to me. I think there's a good chance the proxy setup isn't forwarding the wildcard content through, but as I said on the other issue, I don't know enough about proxy configs to tell you how to fix it. |
I have shared my current configuration. Now you will able to guide me easily. |
Here this my current proxy ssl.conf When we also provide SSL we have to listen to thethe HTTPS port in addition.Listen 443 https SSL Global ContextAll SSL configuration in this context applies both tothe main server and all SSL-enabled virtual hosts.Pass Phrase Dialog:Configure the pass phrase gathering process.The filtering dialog program (`builtin' is a internalterminal dialog) has to provide the pass phrase on stdout.SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog Inter-Process Session Cache:Configure the SSL Session Cache: First the mechanismto use and second the expiring timeout (in seconds).SSLSessionCache shmcb:/run/httpd/sslcache(512000) Pseudo Random Number Generator (PRNG):Configure one or more sources to seed the PRNG of theSSL library. The seed data should be of good random quality.WARNING! On some platforms /dev/random blocks if not enough entropyis available. This means you then cannot use the /dev/random devicebecause it would lead to very long connection times (as long asit requires to make more entropy available). But usually thoseplatforms additionally provide a /dev/urandom device which doesn'tblock. So, if available, use this one instead. Read the mod_ssl UserManual for more details.SSLRandomSeed startup file:/dev/urandom 256 Use "SSLCryptoDevice" to enable any supported hardwareaccelerators. Use "openssl engine -v" to list supportedengine names. NOTE: If you enable an accelerator and theserver does not start, consult the error logs and ensureyour accelerator is functioning properly.SSLCryptoDevice builtin SSL Virtual Host ContextGeneral setup for the virtual host, inherited from global configuration#DocumentRoot "/var/www/html" Use separate log files for the SSL virtual host; note that LogLevelis not inherited from httpd.conf.ErrorLog logs/ssl_error_log SSL Engine Switch:Enable/Disable SSL for this virtual host.SSLEngine on SSL Protocol support:List the enable protocol levels with which clients will be able toconnect. Disable SSLv2 access by default:SSLProtocol all -SSLv2 -SSLv3 SSL Cipher Suite:List the ciphers that the client is permitted to negotiate.See the mod_ssl documentation for a complete list.SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA Speed-optimized SSL Cipher configuration:If speed is your main concern (on busy HTTPS servers e.g.),you might want to force clients to specific, performanceoptimized ciphers. In this case, prepend those ciphersto the SSLCipherSuite list, and enable SSLHonorCipherOrder.Caveat: by giving precedence to RC4-SHA and AES128-SHA(as in the example below), most connections will no longerhave perfect forward secrecy - if the server's key iscompromised, captures of past or future traffic must beconsidered compromised, too.#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5 Server Certificate:Point SSLCertificateFile at a PEM encoded certificate. Ifthe certificate is encrypted, then you will be prompted for apass phrase. Note that a kill -HUP will prompt again. A newcertificate can be generated using the genkey(1) command.SSLCertificateFile /etc/pki/tls/certs/localhost.crt Server Private Key:If the key is not combined with the certificate, use thisdirective to point at the key file. Keep in mind that ifyou've both a RSA and a DSA private key you can configureboth in parallel (to also allow the use of DSA ciphers, etc.)SSLCertificateKeyFile /etc/pki/tls/private/localhost.key Server Certificate Chain:Point SSLCertificateChainFile at a file containing theconcatenation of PEM encoded CA certificates which form thecertificate chain for the server certificate. Alternativelythe referenced file can be the same as SSLCertificateFilewhen the CA certificates are directly appended to the servercertificate for convinience.#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt Certificate Authority (CA):Set the CA certificate verification path where to find CAcertificates for client authentication or alternatively onehuge file containing all of them (file must be PEM encoded)#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt Client Authentication (Type):Client certificate verification type and depth. Types arenone, optional, require and optional_no_ca. Depth is anumber which specifies how deeply to verify the certificateissuer chain before deciding the certificate is not valid.#SSLVerifyClient require Access Control:With SSLRequire you can do per-directory access control basedon arbitrary complex boolean expressions containing servervariable checks and other lookup directives. The syntax is amixture between C and Perl. See the mod_ssl documentationfor more details.# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \or %{REMOTE_ADDR} =~ m/^192.76.162.[0-9]+$/# SSL Engine Options:Set various options for the SSL engine.o FakeBasicAuth:Translate the client X.509 into a Basic Authorisation. This means thatthe standard Auth/DBMAuth methods can be used for access control. Theuser name is the `one line' version of the client's X.509 certificate.Note that no password is obtained from the user. Every entry in the userfile needs this password: `xxj31ZMTZzkVA'.o ExportCertData:This exports two additional environment variables: SSL_CLIENT_CERT andSSL_SERVER_CERT. These contain the PEM-encoded certificates of theserver (always existing) and the client (only existing when clientauthentication is used). This can be used to import the certificatesinto CGI scripts.o StdEnvVars:This exports the standard SSL/TLS related `SSL_*' environment variables.Per default this exportation is switched off for performance reasons,because the extraction step is an expensive operation and is usuallyuseless for serving static content. So one usually enables theexportation for CGI and SSI requests only.o StrictRequire:This denies access when "SSLRequireSSL" or "SSLRequire" applied evenunder a "Satisfy any" situation, i.e. when it applies access is deniedand no other module can change it.o OptRenegotiate:This enables optimized SSL connection renegotiation handling when SSLdirectives are used in per-directory context.#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire SSL Protocol Adjustments:The safe and default but still SSL/TLS standard compliant shutdownapproach is that mod_ssl sends the close notify alert but doesn't wait forthe close notify alert from client. When you need a different shutdownapproach you can use one of the following variables:o ssl-unclean-shutdown:This forces an unclean shutdown when the connection is closed, i.e. noSSL close notify alert is send or allowed to received. This violatesthe SSL/TLS standard but is needed for some brain-dead browsers. Usethis when you receive I/O errors because of the standard approach wheremod_ssl sends the close notify alert.o ssl-accurate-shutdown:This forces an accurate shutdown when the connection is closed, i.e. aSSL close notify alert is send and mod_ssl waits for the close notifyalert of the client. This is 100% SSL/TLS standard compliant, but inpractice often causes hanging connections with brain-dead browsers. Usethis only for browsers where you know that their SSL implementationworks correctly.Notice: Most problems of broken clients are also related to the HTTPkeep-alive facility, so you usually additionally want to disablekeep-alive for those clients, too. Use variable "nokeepalive" for this.Similarly, one has to force some clients to use HTTP/1.0 to workaroundtheir broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and"force-response-1.0" for this.BrowserMatch "MSIE [2-5]" Per-Server Logging:The home of a custom SSL log file. Use this when you want acompact non-error SSL logfile on a virtual host basis.CustomLog logs/ssl_request_log But i don;t under stand how can we import this setting of sample-config/apache-virtualhost.conf as below Can you high light where are the things to be replaced from existing with sample file? |
if i import this sample file |
If you are using your own reverse proxy, you'll need to provide your own wildcard certificates, which is unfortunately well outside of the guidance I can provide. The error is because you'd need to change that line to point at your own certificates that cover the domain in question. |
Here my Configuration
Grains were loading for ever
Logs for particular app
System log
sandstorm_System log.log
Please advise. i am seriously stuck with this. What is missing to finish this?
i am using my own *wildcard globally able to access. still why its saying WARNING: This server seems to have its WILDCARD_HOST misconfigured.
The text was updated successfully, but these errors were encountered: