wildcard subdomain routing #206

Open
P1n3appl3 opened this issue Oct 27, 2024 · 2 comments

@P1n3appl3

I use rpxy to route certain subdomains to specific apps/pages, but I'd like a catch-all route for *.my-domain.tld as a fallback so that I can either redirect those back to the main domain or serve them a specific not found page.

Today I just get a 503 Service Unavailable for any subdomain that's not explicitly registered, and I don't see anything in the code that looks like it'd support wildcards. This even happens when I specify a default_app, both for HTTP and HTTPS. The README seems to indicate that the latter isn't possible:

> For HTTPS requests, it will be rejected since the secure connection cannot be established for the unknown server name.

... but I don't understand why ^ is the case when I have a tls cert with a wildcard subdomain. Is there something else that'd prevent that from working?

@junkurihara
Owner

junkurihara commented Oct 28, 2024

Hi,

Well, in my understanding, you consider a setup like the following:

  • a certificate for wildcard domain (*.example.com) is used
  • sub.example.com is registered to rpxy
  • default_app is configured for sub.example.com.

Then, you mean that requests for https://other.example.com should be routed to app of sub.example.com. If this is correct, yes, as long as rpxy serves only one apex domain, the policy looks fine!

However, the problem to implement such a catch all domain would be complicated, considering multiple wildcard domain certificates.

Consider the case where another wildcard domain certificate for *.sample.com and some subdomains for sample.com are registered, in addition to *.example.com. Then, how should the routing policy be configured? In such a case, default_app should be set for each apex domain, and it would make the configuration complicated. (Technically possible, but not sure how it should be set in the configuration file)

> For HTTPS requests, it will be rejected since the secure connection cannot be established for the unknown server name.

This policy is from the security concern. I just wanted to prevent unintended access with wrong server names in TLS ClientHello.

@xkr47
Contributor

xkr47 commented Oct 28, 2024

Hmm, would it then be possible / make sense to declare a separate app with server_name = '*.example.com'? Then one could explicitly configure which certificate to use in this case. I guess it would work for plaintext connections as well.
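
The matching that explicit `server_name = '*.example.com'` apps would imply, sketched as an added example that is not rpxy's code and not from any participant in this thread: exact names win, each wildcard entry covers one extra label under its own parent domain, and every other name is still rejected. `Router`, `resolve`, `sample_router` and the app names are hypothetical.

```rust
use std::collections::HashMap;

/// Hypothetical routing table: exact names plus one wildcard app per parent domain.
pub struct Router {
    exact: HashMap<String, String>,    // "sub.example.com" -> app name
    wildcard: HashMap<String, String>, // "example.com" (from "*.example.com") -> app name
}

impl Router {
    pub fn new(entries: &[(&str, &str)]) -> Self {
        let (mut exact, mut wildcard) = (HashMap::new(), HashMap::new());
        for (server_name, app) in entries {
            let name = server_name.to_ascii_lowercase();
            if let Some(parent) = name.strip_prefix("*.") {
                wildcard.insert(parent.to_string(), app.to_string());
            } else {
                exact.insert(name.clone(), app.to_string());
            }
        }
        Router { exact, wildcard }
    }

    /// Resolve a TLS SNI or Host value to an app name.
    /// None means "unknown server name": the caller rejects the connection.
    pub fn resolve(&self, server_name: &str) -> Option<&str> {
        let name = server_name.trim_end_matches('.').to_ascii_lowercase();
        if let Some(app) = self.exact.get(&name) {
            return Some(app.as_str()); // explicitly registered name wins
        }
        // A wildcard covers exactly one left-most label, as certificate wildcards do.
        let (label, parent) = name.split_once('.')?;
        if label.is_empty() || label.contains('*') {
            return None;
        }
        self.wildcard.get(parent).map(|app| app.as_str())
    }
}

/// Constructed sample table with two wildcard domains, as in the discussion above.
pub fn sample_router() -> Router {
    Router::new(&[
        ("sub.example.com", "app-sub"),
        ("*.example.com", "fallback-example"),
        ("*.sample.com", "fallback-sample"),
    ])
}
```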
