Multi-Site Host and Subdomains

[PaulMacFarlane]

I'm experimenting with a Multi-site host and it's working fine.

app1.myhost.com -> app1.dll
app2.myhost.com -> app2.dll

So, now I want to tweak it a bit....

I want to have the host header say:

Bob.app1.myhost.com and have that host processed by app1.dll

Q1:
I suspect I can use some trickery in the host.exe, correct? where?
I've tried to change the dll registered with a host header of ".app1.myhost.com" or "*.app1.myhost.com" and neither works, so I'm probably going to have to change it in code.....

Q2:
With this experimenting I've come to realize the default website (when it can't find a host header) is the admin site......  not good....
Is there a way to create a unique URL for the admin site?
Is there a way to create a default site DLL ?

Thanks,
Paul

[PaulMacFarlane]

With further experimentation I added my full hosts:

Bob.app1.myhost.com
and
Joe.app1.myhost.com

and I had them reference the SAME DLL......

It works and doesn't seem to change memory use much.  Is this a bad solution?
If I have 100 host entries all referencing the same DLL?

[kevin plummer]

Hi Paul,

just curious why you would use this approach.

I have a few multi tenanted sites but they all log into the same url.

Cheers,

Kevin

[Bruce]

Hi Paul,

>> and I had them reference the SAME DLL......
>> It works and doesn't seem to change memory use much.  Is this a bad solution?
>> If I have 100 host entries all referencing the same DLL?

I think it's fine. I've done a few apps where I've loaded the same DLL multiple times - although not 100 <g>...

>> With this experimenting I've come to realize the default website (when it can't find a host header) is the admin site......  not good....

why not good?

>> Is there a way to create a unique URL for the admin site?
>> Is there a way to create a default sit

Note at the moment (but the app is just an app, so I'm sure it's possible - if you do make that change and want to submit it I'd be happy to fold that into the shipping app.)

cheers
Bruce

[PaulMacFarlane]

just curious why you would use this approach.
I have a few multi tenanted sites but they all log into the same url.

I'm using the URL to determine the database to use.  That way 2 different businesses can have the same login ID "Bob" but be totally separate.

This method also allows easier transition from desktop to web - take their desktop data and plunk it in a folder on the web....

[PaulMacFarlane]

I think it's fine. I've done a few apps where I've loaded the same DLL multiple times - although not 100 <g>...

Hopefully it'll be 100...g  I may use this method as a stop-gap....

Is there a way to catch the host header just before passing it to the DLLs?  Basically in HOST.exe I'd want to trim off the leading segment of the host header to determine the DLL but pass the complete host header to the DLL.
In the DLL I could then determine what I need from the hos header.

This works fine in a standalone server.  Using Host to call it is the issue....

>> With this experimenting I've come to realize the default website (when it can't find a host header) is the admin site......  not good....

why not good?

Because its tempting to hackers.....  just showing its there....

>> Is there a way to create a unique URL for the admin site?
>> Is there a way to create a default sit

Note at the moment (but the app is just an app, so I'm sure it's possible - if you do make that change and want to submit it I'd be happy to fold that into the shipping app.)

Okay.  What I'd want is the default site to be informational and instructional on how to sign up, etc...

[Bruce]

>> Is there a way to catch the host header just before passing it to the DLLs?

look in the host app, in the webServer procedure, in the StartNewthread method.
you'll see this line;

    ThisWebServer._SitesQueue.HostName = lower(self._GetHeaderField ('host:', p_RequestData.DataString, 1, p_RequestData.DataStringLen, 1, 1))

It then goes on to do a lookup on the ThisWebServer._SitesQueue.

So I guess the place to inject your code is immediately after the line above.

If you do tweak this code feel free to submit it back to me - ideally you want something that won't be overwritten with the next multi-host update.

>> Because its tempting to hackers.....  just showing its there....

This doesn't make sense to me. Because
1)
a) you need to be able to access the host. Which means either using the IP address of the server directly, or adding an entry to the DNS table for your domain.
b) If you add an entry to the DNS table for your domain then you are advertising "that it's there".
c) which means that if you add an entry in the host to match all the entries in the DNS table then you've covered the bases.

Now it's possible I'll add a default site anyway (because it's possible to create DNS entries which point at other people's IP addresses) but frankly this makes no difference to a hacker or not. The fact that it exists is obvious to anyone who looks for it...

2) You should never be relying on "obscurity" as a defense mechanism. Yes, there are some advantages to being "different" (you don't get hit by the well known common flaws in say Apache or IIS that's out of date) but we don't want to base security on that. It's a nice bonus, but given that a hacker can almost certainly find your site it's nothing more than a polite knee-high picket fence at the edge of your garden.

Incidentally, what the server does when the host is not in the queue is completely up to you. In the same place as earlier you'll see what happens if the entry is not found in the ThisWebServer._SitesQueue.
By default it goes to the "start page" of the first entry in the queue (which is the host.)

The host is a web server (just like any other) so the first page is specified in the WebServer procedure - and is set to 'loginforn'.
But of course you can direct it to absolutely any page you like, and any page you create. So maybe I should revise my answer from earlier;

>> Is there a way to create a default [page]

yes. Set the default page in the WebServer, Default Page setting.


Cheers
Bruce

[PaulMacFarlane]

Bruce,

There's a difference between obscurity and serving up your control panel by default....g
Not trying to obscure things.  Just didn't think the default-default page should be the admin control panel.....

The difference between accessing "mysite.com" or "acp.mysite.com" or "mysite.com/acp/"

Right now if the host header doesn't match to goes to the control panel....
Typing "sadjhsdlkjhsfjhsljfhjf.mysite.com" gets the control panel.....

I can't make entries for everything someone MIGHT type....

I'd like to be able to choose one of the hosted sites (DLLs) as the default - not just a page in the host webserver....

I guess I could create a default page that forwards to one of the site DLLs..... but doesn't that require sending a redirect to the browser? and it possible for the user to get a warning...

[Bruce]

>> I guess I could create a default page that forwards to one of the site DLLs.....

yes.

>> but doesn't that require sending a redirect to the browser?

yes.

>> and it possible for the user to get a warning...

No, the warnings you "see" are actually the redirection pages.

From a security point of view my point is that there is zero difference, so this is a usability issue, not a security one.

cheers
Bruce