What should I use if xip.io is not an option in local install of Openshift? - openshift

The Openshift 'all-in-one' Vagrant box uses xip.io. The security team at my company has relayed to us that using 'xip.io' for a wildcard DNS could cause some security concerns. So given that 'xip.io' is not an option, how can I get this set up?

We ran into a similar issue at my company. The best answer, which is a bit dire, is that you'll need to set up your own custom DNS. Sorry to say, because it is a bit annoying to do, but not all that bad. Use this link; it should give you some guidance.
Basically, you'll need the /etc/dnsmasq.conf file to look like:
# Reverse DNS record for master
host-record=master.example.com,192.168.1.100
# Wildcard DNS for OpenShift Applications - Points to Router
address=/apps.example.com/192.168.1.100
The article goes into great detail. I'm not sure how network savvy you are, but if you're not, then I'd suggest roping in one of your ops guys to assist with this. Without a relatively good understanding of networking, setting this up would be quite difficult.

I understand that you can do this without requiring your own DNS.
The quickest way is to manually add the required entries to /etc/hosts on your host system, mapping them to the IP address that the xip.io address would map to.
Alternatively, set up dnsmasq something like the following.
$ cat /usr/local/etc/dnsmasq.conf
address=/.10.2.2.2.xip.io/10.2.2.2
address=/.ain1/10.2.2.2
address=/.10.1.2.2.xip.io/10.1.2.2
address=/.cdk/10.1.2.2
$ ls /etc/resolver/
ain1 ain1-xip cdk cdk-xip ddns
$ cat /etc/resolver/cdk-xip
domain 10.1.2.2.xip.io
nameserver 127.0.0.1
This is cut and paste from elsewhere and I don't use CDK myself, so I'm not sure about the IP addresses here, but I understand this shouldn't require you to set up a separate DNS. The 'ain1' entry is for the OpenShift Origin all-in-one VM, which is equivalent to CDK for OpenShift, but using the latest Origin upstream version.
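Both answers above hand you dnsmasq directives without a way to see what they will answer before you point resolv.conf at them. The script below is an added example (not from either answer): it parses the host-record= and address= forms they use and reports which names stay on the local resolver and which would be forwarded to an upstream server, which is the leak the security team objected to with xip.io. The config text and the names queried are constructed.

```python
"""Dry-run a dnsmasq config: which names it answers, which it forwards upstream.
Added example, not code from either answer above. It reads the two directive
forms both answers use (host-record= and address=/domain/ip) so you can confirm
every cluster name stays on the local resolver. The config text is constructed.
"""
from typing import Optional

DNSMASQ_CONF = """
host-record=master.example.com,192.168.1.100
address=/apps.example.com/192.168.1.100
address=/.ain1/10.2.2.2
"""

def parse_dnsmasq(conf: str):
    """Return (exact names, wildcard domains), each mapped to an IP."""
    exact, wildcards = {}, {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key == "host-record":
            name, ip = value.split(",", 1)
            exact[name.lower().rstrip(".")] = ip
        elif key == "address":
            _, domain, ip = value.split("/", 2)   # a leading dot on the domain is accepted
            wildcards[domain.lstrip(".").lower()] = ip
    return exact, wildcards

def resolve(name: str, exact: dict, wildcards: dict) -> Optional[str]:
    """IP dnsmasq would answer, or None if the query would be forwarded upstream."""
    name = name.lower().rstrip(".")
    if name in exact:
        return exact[name]
    # address= covers the domain and everything beneath it; the longest match wins.
    best = None
    for domain, ip in wildcards.items():
        if name == domain or name.endswith("." + domain):
            if best is None or len(domain) > len(best[0]):
                best = (domain, ip)
    return best[1] if best else None

def check(names, conf: str = DNSMASQ_CONF) -> dict:
    """Map each name to its local answer; None flags a name that would leak upstream."""
    exact, wildcards = parse_dnsmasq(conf)
    return {n: resolve(n, exact, wildcards) for n in names}

if __name__ == "__main__":
    for name, ip in check(["myapp.apps.example.com", "other.example.com"]).items():
        print(f"{name:26} -> {ip or 'forwarded upstream'}")
```

Run it against your real /etc/dnsmasq.conf and the list of routes your cluster exposes; any None in the output is a name that will still leave the box.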

Related

For the AWS CDK, how can I determine the appropriate IAM policy and permissions to replace a root account?

I am setting up aws CDK for a new stack on aws, and the docs say essentially "use the root account to start up, but then set up a policy for a new account":
However, using their recommended assume/* policy almost immediately leads to errors when trying to cdk deploy. So what is a mechanism for determining a policy useful and applicable to setting up a full cloudformation stack deployment?
For one example use case, when setting up continuous integration to deploy multiple stacks how can we avoid giving it the keys to the kingdom?
Since I am part of the aws community builders community, I asked there as well. Suffice it to say that this is a known problem, and not a trivial one to solve. I will try to distill what I learned into an answer here in broad strokes:
Set up permission boundaries. These can forbid an agent from creating new users and privilege escalation. https://aws.amazon.com/blogs/devops/secure-cdk-deployments-with-iam-permission-boundaries/
Walk your shots/walk your permissions. In other terms, give scant few permissions, then try to deploy, find where additional permissions are needed and add those, try to deploy again, rinse and repeat. This is most applicable if you expect the services of a stack to rarely change.
Draft a permission policy of Allow all... ...then deny in particular. In other words, set a policy on the deploying agent that allows * access to all services... ...and then deny permission to create users, change other users, etc etc. Contained within this approach is: bootstrap, then customize https://docs.aws.amazon.com/cdk/v2/guide/bootstrapping.html#bootstrapping-customizing
Consider a multi-account strategy, where you would add a new aws account for a different project. Because AWS is usage based payment, they allow for multi-accounting in this way where other services might have policies against multiple accounts. Control tower can help with this.
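The third strategy above ("allow all, then deny in particular") is easy to get subtly wrong, since an explicit Deny beats every Allow and anything not mentioned is implicitly denied. The script below is an added example, not code from the answer or from AWS: it applies those two rules to a constructed policy and prints which actions the deploying agent keeps. The deny list is an assumption for illustration; note that iam:CreateRole stays allowed (CDK needs it), which is exactly the gap the permission-boundary strategy in point one is meant to close. Resource and Condition matching are deliberately left out.

```python
"""Check an "allow all, then deny in particular" deploy policy before attaching it.
Added example, not from the answer above or from AWS. It applies the two IAM
rules that matter here (an explicit Deny always wins; anything not allowed is
implicitly denied) to a constructed policy. Resource and Condition matching
are left out on purpose; the real policy language is richer.
"""
from fnmatch import fnmatchcase

# Constructed policy: broad Allow for deployment, explicit Deny on the actions
# that would let the deploying agent mint new principals or widen its own scope.
DEPLOY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Resource": "*", "Action": [
            "iam:CreateUser", "iam:CreateAccessKey", "iam:CreateLoginProfile",
            "iam:AttachUserPolicy", "iam:PutUserPolicy",
            "iam:DeleteUserPermissionsBoundary", "iam:DeleteRolePermissionsBoundary",
            "organizations:*", "account:*",
        ]},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern: str, action: str) -> bool:
    # IAM action names match case-insensitively and accept '*' and '?' wildcards.
    return fnmatchcase(action.lower(), pattern.lower())

def evaluate(policy: dict, action: str) -> str:
    """Return 'Deny' or 'Allow' for one action under the policy."""
    allowed = False
    for stmt in policy["Statement"]:
        if any(_matches(p, action) for p in _as_list(stmt["Action"])):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny overrides any allow
            allowed = True
    return "Allow" if allowed else "Deny"  # implicit deny

def report(policy: dict, actions) -> dict:
    return {a: evaluate(policy, a) for a in actions}

if __name__ == "__main__":
    for action, verdict in report(DEPLOY_POLICY, [
        "cloudformation:CreateStack", "iam:CreateRole", "iam:CreateUser",
        "iam:DeleteRolePermissionsBoundary", "organizations:CreateAccount",
    ]).items():
        print(f"{verdict:5} {action}")
```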

Automatically Host Content When Specific Nameservers

Basically, this is probably going to be an incredibly generic and poorly crafted question. I do apologise in advance for that and hope you can look past that and potentially offer some solutions/help.
I am looking at starting a new project, which I guess functions similar to Shopify in a way. Users will pay a monthly fee and then get their own website which has a store-style thing on it.
I am comfortable with most aspects of making this, however, the one thing I'm not completely sure how to do is if they want to have a custom domain (which I assume most customers would). Based on my experience with services such as Spotify and Tictail, to do this I am going to have to get them to change their nameservers to my nameservers. After that, I'm not completely sure how it will function and how to set it up. All of the files for the sites are going to be pretty much the exact same so I don't need much to change there.
So basically my main question is, how would I develop it to automatically host certain content when someone sets their nameservers as my nameservers? I would like it to be completely automatic if possible, but I don't mind if there is a little manual input.
I'm super sorry if the question isn't worded properly or if it's confusing as I've never developed something like this. A simple point in the right direction would be much appreciated as I'm not too sure where to start with this.
Thanks
It depends on the server technology you use to provide such user related nameservers. If I understand you properly, you are looking to get something like:
# Your service runs here:
http://yourdomain.com
# For the user account (user specific application)
http://{unique_username}.yourdomain.com/
# Then you would have (for N users)
http://username0.yourdomain.com/
http://username1.yourdomain.com/
...
http://usernameN.yourdomain.com/
The way you have to avoid dns hijacking is to actually specify the nameserver in the server host configuration. There are many servers around which provide virtual host configurations to allow many different domain names in the same ip address.
As an example, in nginx this can be done using virtual hosts. In your case you would need to programmatically create them. In order to do so, a file must be added to the folder /etc/nginx/sites-available. This could be a file called /etc/nginx/sites-available/username0 with this content:
server {
    listen 80;
    server_name username0.yourdomain.com;
    root /path/to/app/;
    ...
}
So for your solution, you would create a file per customer user. In order to activate a newly created virtualhost (server block), link it in the folder with path /etc/nginx/sites-enabled:
ln -s /etc/nginx/sites-available/username1 /etc/nginx/sites-enabled/username1
sudo service nginx reload
Read more about dns hijacking here and have a look at virtual host implementations, like the nginx server blocks shown above, or the apache virtual hosts.
Good luck!
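The answer above has you generating a server block from a name the customer typed in, which means untrusted input lands inside a config file that nginx reloads. The script below is an added example (not code from the answer): it validates the customer's domain as a hostname before rendering the block, writes and links the file the way the answer's ln -s step does, and adds a catch-all default server so a Host header nobody registered gets no page instead of the first customer's site. Paths, the yourdomain.com suffix and the function names are assumptions.

```python
"""Render one nginx server block per customer from a validated hostname.
Added example, not code from the answer above. The customer's domain ends up
inside a config file nginx reloads, so it is checked as a hostname first;
a catch-all default server refuses any Host no customer has registered.
Paths, the yourdomain.com suffix and the helper names are assumptions.
"""
import re
from pathlib import Path

# RFC 1123 label: alphanumerics and hyphens, no leading/trailing hyphen, up to 63 chars.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"(?:{_LABEL}\.)+{_LABEL}")
SITES_AVAILABLE = Path("/etc/nginx/sites-available")  # assumed Debian-style layout
SITES_ENABLED = Path("/etc/nginx/sites-enabled")

def validate_hostname(host: str) -> str:
    """Normalise and validate a customer-supplied domain; raise on anything else."""
    host = host.strip().lower().rstrip(".")
    if len(host) > 253 or not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"not a valid hostname: {host!r}")
    return host

def server_block(username: str, custom_domain: str, app_root: str) -> str:
    """Config text for one customer: their subdomain plus their own domain."""
    if not re.fullmatch(r"[a-z0-9][a-z0-9_-]{0,31}", username):
        raise ValueError(f"bad username: {username!r}")
    host = validate_hostname(custom_domain)
    return (
        "server {\n"
        "    listen 80;\n"
        f"    server_name {username}.yourdomain.com {host} www.{host};\n"
        f"    root {app_root};\n"
        "}\n"
    )

# Without this, nginx serves the first block to any unmatched Host header.
DEFAULT_BLOCK = "server {\n    listen 80 default_server;\n    server_name _;\n    return 444;\n}\n"

def install(username: str, custom_domain: str, app_root: str,
            available: Path = SITES_AVAILABLE, enabled: Path = SITES_ENABLED) -> Path:
    """Write the block and enable it; then run `nginx -t` and reload, as in the answer."""
    conf = available / username
    conf.write_text(server_block(username, custom_domain, app_root))
    link = enabled / username
    if not link.exists():
        link.symlink_to(conf)   # the ln -s step from the answer
    return link

if __name__ == "__main__":
    print(server_block("username0", "shop.example.com", "/path/to/app/"), DEFAULT_BLOCK)
```

Put DEFAULT_BLOCK in its own enabled file once; customers' domains only take effect after they change their nameservers (or an A record) to point at you.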

maximising static IPs in google-compute-hosted microservices

My first time I have asked a question on here.
I have an expanding set of services hosted on google compute platform.
The initial round was set up in a very stressed situation, and I am now refactoring.
I currently have 3 (EDIT: no, that's 4) microservice VM hosts, which will all be HTTPS soon (and so need their own IP). In addition a list of test boxes, as we are developing bits. Test boxes do not need https.
question 1) Does anyone have a workaround to get multiple static IPs per host? This is why I have large numbers of hosts.
question 2) How can I have more than a /29 of static IPs (eg 8 or more). This is corporate work, we will pay for services.
question 3) According to google api, I may deallocate static IPs. I cannot find an implementation for this. Do you know of one? As I have built systems like this in the past; I know there is no technical reason why there should not be an API for this.
Bonus Q, Question 4) Is there a mechanism to serialise a saved harddisk out of google cloud? This would make my CEO happy.
An ideal response is a relevant "Fine Manual" to read.
I work on GMT time. All linux hosts, probably not relevant. Although a developer, I can admin most things Linux.
UPDATE: if you delete an IP via gcloud compute addresses delete $name --region europe-west1 but don't delete the IF inside the box, this makes it not static. Which is the objective of Q3.
You can find the answers to your question below:
It's not directly possible to assign multiple IPs to an instance. One workaround to achieve this is to create multiple forwarding rules pointing to the same target pool with that instance.
It's currently not possible to reserve the whole block of IP addresses, as the addresses are randomly assigned to the instances from the pool of IPs available.
If you have reserved static IPs in your project, you can release that IP from one instance and assign it to another.
There is no direct way to do that; however, one workaround I can think of is to use the dd tool to clone your disk as .raw and save that to cloud storage. This clone can be used to create other disks outside your project.
I hope that helps.

2 NICs - selected traffic

I recently purchased another NIC for my computer so I could separate LAN-traffic from internet-traffic.
Long story short: How do I set it up to selectively use a certain NIC?
I'm using Windows 7 64bit, but am also interested in finding it out for Linux.
So far I found something concerning regedit with RandomAdapter = 1.
However that doesn't seem to be working as Skype is confused which card to use and general traffic still goes through the same NIC.
I also use a Switch behind my PC and between my router, but I am willing to invest in a... I forgot the 4-letter-combination capable switch that lets me utilize that function.
Could you please share your wisdom with me?
Any help is appreciated!
edit 01: Accepted solution by Amit:
So do I have to delete ALL routes and then make 2 new ones, one for each NIC ?
route -f
route ADD 192.168.X.IP1 MASK 255.255.255.0 192.168.X.X METRIC 10
route ADD 192.168.X.IP2 MASK 255.255.255.0 192.168.X.X METRIC 10
Is this correct?
For windows, this can be set up with the command line utility "route".
Open a command prompt, type route /? and go from there...
Many applications allow you to bind to a specific IP address, see the settings pages.

Public Wildcard Domain Name To Resolve To 127.0.0.1 [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 5 years ago.
Is anyone aware of a public wildcard domain name that resolves to IP address 127.0.0.1? For example, if I wanted to test a URL locally such as mywebsite.localhost.com or example.localhost.com but I don't have control of DNS settings (hosts file or whatever), then I would use this public DNS to resolve to 127.0.0.1. It needs to be wildcarded so that no matter what comes before localhost.com it still resolves to 127.0.0.1.
*.vcap.me
VMWare maintains this for their open cloud platform.
37Signals created a complete domain for mapping to any IP you want, http://xip.io. So for localhost you can use project.127.0.0.1.xip.io
I've had to start using this for some proxy tools, as they were choking on requests that didn't resolve to an IP using an external DNS call.
smackaho.st
42foo.com
I've just found a great solution: lvh.me
you can try it:
http://lvh.me
http://sub.lvh.me
We've got a domain you can actually remember for this.
*.lacolhost.com
We'll maintain it for as long as we're able.
Developing with subdomains just got a lot easier: *.lacolhost.com
http://localhost.tv does the trick :-)
I bought it since none of the existing 85 localhost domains were pointing at localhost...
Note: This domain has now lapsed so won't work as described below.
It looks like *.127-0-0-1.org.uk will do what you need.
http://www.ecclestoad.co.uk/2006/08/dns-entry-pointing-to-localhost
Examples:
http://www.127-0-0-1.org.uk/
http://test1.127-0-0-1.org.uk/
http://127-0-0-1.org.uk/
http://foo.bar.127-0-0-1.org.uk/
http://*.localtest.me seems to work, except readme.localtest.me.
If nothing else, you could just register a domain for yourself and set it up so that's how it behaves.
You can go to http://afraid.org and register one. You can get free domains (well, subdomains, but you have complete control over A and NS and such records) and point one at 127.0.0.1. They support wildcards.
Feel free to use *.localhst.co.uk (note missing second 'o'). I'll keep it alive as long as I am, and the internet is still a thing. Handy for people who want to test with two levels of TLD.
If you are using Windows DNS, you can create a new zone, then use DnsCmd to add A records for # and *.
dnscmd /RecordAdd local * 3600 A 127.0.0.1
dnscmd /RecordAdd local # 3600 A 127.0.0.1
Why not use the literal IP address in the URL?
http://127.0.0.1/ (old IPv4)
http://[::1]/ (new IPv6)
This domain resolves to 127.0.0.1:
www.mouse-potato.com
somesite.com is the first one I knew about; however, I found a whole bunch here:
http://www.websiteoutlook.com/www.somesite.com
Check the 20 other sites point to 127.0.0.1. I have no idea how long these sites will stay pointing to 127.0.0.1.
I have set up my own that you can use:
home.pdobson.com resolves to 127.0.0.1
Your hosts file in C:\WINDOWS\system32\drivers\etc ought to be able to do this, just add one single line like this:
127.0.0.1 www.mydomain.com
Additionally, use a server like apache or a program with it like wamp, and just go to http://localhost