NetTalk Central

Author Topic: Multiple Servers on One Computer - Port Resolution via DNS  (Read 3595 times)

Rob Mikkelsen

Multiple Servers on One Computer - Port Resolution via DNS
« on: March 19, 2009, 12:17:56 PM »
I keep wading deeper and deeper into the water.  Now I am appointing myself as network administrator! <g>

I have decided to set up my own DNS server for my traffic count sites (160 of them) within the faa.gov firewall so all the sites can be referred to by name and I have some control over DNS changes.

My DNS server is countops.faa.gov, and each site is identified by the site ID (i.e., Atlanta Tower is atl.countops.faa.gov).  Got that.  However, the DNS host <A> record does not allow you to specify a port address along with the IP address.  Therefore, I assumed that it was handled via the hosts file on the host computer, but I am unable to enter a port number there.

If I have multiple sites running on one computer using unique port addressing, how do I retrieve the port number and direct the url to the appropriate copy of NetTalk without destroying the URL which will be used for SSL certificate purposes? 

With the DNS front-end, I would really like to avoid having to specify a port number and just let it assign the port automatically.

Thanks!

Rob

Rob Mikkelsen

Re: Multiple Servers on One Computer - Port Resolution via DNS
« Reply #1 on: March 19, 2009, 01:37:58 PM »
I think I found the answer to my own question in Benjamin Krajmalnik's article on ClarionMag.  While virtual servers work for nonencrypted data, there is no way to resolve SSL connections.  I imagine my next move would be to direct all URLs on a particular server to one NetTalk app, resolve the destination from the host URL, then redirect to the appropriate port which would then become visible in the URL.

Would the addition of the port number in the URL break a wildcard SSL certificate?

Rob

Bruce

Re: Multiple Servers on One Computer - Port Resolution via DNS
« Reply #2 on: March 19, 2009, 10:43:09 PM »
Hi Rob,

DNS doesn't do ports - just IP addresses.

The problem with SSL remains that you need the certificate to figure out the host - and you need the host to figure out the certificate.

Except maybe in the case of a wildcard certificate where all the sites are on the same domain.

But aren't you running the program on lots of different servers? So they're all on the same port number no? So why the need to "Set" the port number? I'm a little confused...

Cheers
Bruce

Rob Mikkelsen

Re: Multiple Servers on One Computer - Port Resolution via DNS
« Reply #3 on: March 20, 2009, 10:01:42 AM »
Bruce,

In some cases we are running one app on different servers.  Those are not the problem; however, we have four boxes with eight apps running on each, and one box with 22 apps running on it. At end state, we will have three or four servers running about 30 copies of my software on each, in addition to the 65 standalone servers.  I have thought about using one copy of NetTalk to deliver content from all 30 apps, but it will require a considerable rewrite and, since we are busy installing, it may be a while before I can get to it.

The wildcard certificate is the best way to handle this, and using the Comodo wildcard it will only cost about $850/year to license the certificate for all the computers and systems.  I have not priced this with Verisign yet, but I imagine that it is considerably more.  I sure hope the FAA does not have an exclusive agreement with them.

Of course, the wildcard certificates require the domain name to be consistent.  To that end, I have created a NS zone to manage and keep the URLs consistent.  UPDATE:  I was just advised that my request for a zone was disapproved for security reasons; therefore, I have just requested 111 names in the same domain with another 50 or so to come in the future.  That request was approved - go figure!

The wildcard should be good for decrypting the SSL for all the instances of NetTalk on the server.  I have established separate names for each of the sites on the server and directed them to the same IP address. I plan to run a NTWS on the default port, determine the intended destination from the original URL, append the port number and redirect the request to the appropriate server.

What variable (if any) contains the original URL?  What show stoppers am I missing here?

Rob

Bruce

Re: Multiple Servers on One Computer - Port Resolution via DNS
« Reply #4 on: March 22, 2009, 10:04:28 PM »
Hi Rob,

I think we need to do some testing with the wildcard certificate and the new NetTalk 5 "host" app. If that works, then that'll definitely be your best option going forward. I'll try and do that today or tomorrow.

cheers
Bruce


Rob Mikkelsen

Re: Multiple Servers on One Computer - Port Resolution via DNS
« Reply #5 on: March 24, 2009, 07:34:59 PM »
Bruce,

I look forward to the results.  If this works correctly, NT5 could simplify my entire operation!

In the interim, I have created a program that reads the URL, appends the port number and redirects it using the java window.location function on load.  It is pretty quick and seems to be bulletproof.

Right now, if you specify the port of another site (for example, gpt.countops.faa.gov:5728), it may send you to Baton Rouge's web server on the same computer if the port is not correct.  To fix this, I will look at the URL when the page is first loaded and if the site is requesting Gulfport and not Boise, I need to strip the port number out, then redirect it to the "web director" site to send it to the right place.

I am sure that NT5 will do all that automagically!

Rob

Alberto

Re: Multiple Servers on One Computer - Port Resolution via DNS
« Reply #6 on: March 25, 2009, 02:03:17 AM »
Rob,
Could you please share the code? If possible, with a simple example?
I'm interested.
Thanks
Alberto
-----------
Regards
Alberto

Rob Mikkelsen

Re: Multiple Servers on One Computer - Port Resolution via DNS
« Reply #7 on: March 25, 2009, 08:24:18 PM »
Alberto,  I would be glad to.

As you will be able to tell by looking at the code it is really pretty straightforward.  This server (webdirect) monitors port 80 and waits for an incoming request.  It then looks at the requested URL for the site requested, looks it up in the database, attaches the appropriate port to the requested URL, then redirects to the modified URL via a Javascript function.  It also places a link on the page in case the user's web browser does not support Javascript.

I have attached the WebDirect.App which is used to monitor the port, as well as the editing app and dictionary.  I have taken the liberty of <gasp!> writing a few notes in the code.

So, if you have a site called info.alberto.com and also a site called stuff.alberto.com you can run both servers on the same computer and this program would redirect to the appropriate port for each.  As always, there are probably more elegant solutions than this since I have only hammers in my tool box, but it seems to work rather well.

Cheers!

Rob

[attachment deleted by admin]
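
The redirect step described in the post above, together with the per-instance wrong-port check from Reply #5, as an added example that is not part of the original post or the deleted WebDirect attachment. It goes one step beyond the thread by validating the Host header and the path, so the director only ever redirects to hosts in its own table. The function names, hostnames and port numbers are assumptions made up for the example.

```javascript
// Constructed sample table: hostname -> port of the server instance on this machine.
// Hostnames and port numbers are made up for the example.
const SITE_PORTS = new Map([
  ["info.example.test", 8081],
  ["stuff.example.test", 8082],
]);

// Accept only "name" or "name:port" from the Host header; anything else is rejected.
function parseHostHeader(header) {
  const m = /^([a-z0-9](?:[a-z0-9.-]*[a-z0-9])?)(?::(\d{1,5}))?$/i.exec(String(header || "").trim());
  if (!m) return null;
  return { host: m[1].toLowerCase(), port: m[2] ? Number(m[2]) : null };
}

// Keep only a local path: no "//host", no backslashes, no control characters (CR/LF).
function safePath(path) {
  const ok = typeof path === "string" && path.startsWith("/") &&
    !path.startsWith("//") && !/[\\\x00-\x1f\x7f]/.test(path);
  return ok ? path : "/";
}

// Director on the default port: look the host up and build the Location value.
// The host in the result is only used after it matched a table key.
function directorRedirect(hostHeader, path, scheme = "http") {
  const parsed = parseHostHeader(hostHeader);
  if (!parsed) return { status: 400 };
  const port = SITE_PORTS.get(parsed.host);
  if (port === undefined) return { status: 404 }; // unknown site: no redirect at all
  return { status: 302, location: `${scheme}://${parsed.host}:${port}${safePath(path)}` };
}

// Per-instance check: if the request names a site that does not live on this
// port, strip the port and send the client back to the director.
function instanceCheck(hostHeader, listeningPort, path, scheme = "http") {
  const parsed = parseHostHeader(hostHeader);
  if (!parsed || !SITE_PORTS.has(parsed.host)) return { status: 400 };
  if (SITE_PORTS.get(parsed.host) === listeningPort) return { status: 200 };
  return { status: 302, location: `${scheme}://${parsed.host}${safePath(path)}` };
}
```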

Alberto

Re: Multiple Servers on One Computer - Port Resolution via DNS
« Reply #8 on: March 26, 2009, 12:17:08 AM »
Rob, thanks a lot!!!
Alberto
-----------
Regards
Alberto