Fwd: Canonical name versus www names in Opensim (Ferd Frederix)

Fwd: Canonical name versus www names in Opensim (Ferd Frederix)

Fred Beckhusen

How does one solve the problem of Opensim answering to only one toplevel
domain? Opensim supports only one Public DNS name, yet a server can be
both TLD.com and a www.TLD.com. Or more.

For example, my problem seems to be that my system responds to both
www.Outworldz.com:9000 and Outworldz.com:9000.   There are two A records
at Dyn DNS, both pointing to the same server.    In the web site, the
web server can be told to redirect traffic to Outworldz.com with a 301
to www.Outworldz.com. But this is not possible with Opensim.

So what happens in Opensim on one of them is a failure to verify.

06:14:46 - [GATEKEEPER SERVICE]: Verifying http://outworldz.com:9000
against http://www.outworldz.com:9000
06:14:46 - [GATEKEEPER SERVICE]: Unable to verify identity of agent XX
YY. Refusing service.

I see no possible fix, except to drop the www name, which breaks all
landmarks, as people seem to want to not type the www in.

Another problem appears to be that anyone who types in
Outworldz.com:9000 pollutes the hyperlink cache on the remote system,
and they will get a failure to identify as the compare is a simple
string compare.   This link gets stuck in the remote site, and anyone
trying to get to my site will fail or get two map entries, until someone
manually clears the remote end with an unlink-region.

If I change Opensim.ini Public name to use just Outworldz.com:9000, then
the www users will get the failure to identify.  So there is a catch-22.
If I switch to the non-www, then anyone with an old hyperlink will
pollute the cache, again.

There seems to be DNS  way to forward, and there is no way to do so at
the service I use, Dyn DNS, though some vendors seem to be able to use
proprietary code to do it.

  I seem to need an alternate, fallback entry in Opensim.ini that would
also be checked to verify identity. That would solve the "failed to
verify" problem for grids that can answer to either name.

And I don't really want to re-compile it and remove the check. But that
is looking like the only solution.

So is this a Catch-22, or did I just screw it up and now need to compile
away some security?

Ferd Frederix aka Fred Beckhusen
www.Outworldz.com or Outworldz.com, choose just one :-(

_______________________________________________
Opensim-dev mailing list
[hidden email]
http://opensimulator.org/cgi-bin/mailman/listinfo/opensim-dev

Re: Canonical name versus www names in Opensim (Ferd Frederix)

Haravikk

> On 24 Jul 2017, at 17:08, Fred Beckhusen <[hidden email]> wrote:
>
> How does one solve the problem of Opensim answering to only one toplevel domain? Opensim supports only one Public DNS name, yet a server can be both TLD.com and a www.TLD.com. Or more.
>
> For example, my problem seems to be that my system responds to both
> www.Outworldz.com:9000 and Outworldz.com:9000.   There are two A records
> at Dyn DNS, both pointing to the same server.    In the web site, the
> web server can be told to redirect traffic to Outworldz.com with a 301
> to www.Outworldz.com. But this is not possible with Opensim.
>
> So what happens in Opensim on one of them is a failure to verify.
>
> 06:14:46 - [GATEKEEPER SERVICE]: Verifying http://outworldz.com:9000
> against http://www.outworldz.com:9000
> 06:14:46 - [GATEKEEPER SERVICE]: Unable to verify identity of agent XX
> YY. Refusing service.
>
> I see no possible fix, except to drop the www name, which breaks all
> landmarks, as people seem to want to not type the www in.
>
> Another problem appears to be that anyone who types in
> Outworldz.com:9000 pollutes the hyperlink cache on the remote system,
> and they will get a failure to identify as the compare is a simple
> string compare.   This link gets stuck in the remote site, and anyone
> trying to get to my site will fail or get two map entries, until someone
> manually clears the remote end with an unlink-region.
>
> If I change Opensim.ini Public name to use just Outworldz.com:9000, then
> the www users will get the failure to identify.  So there is a catch-22.
> If I switch to the non-www, then anyone with an old hyperlink will
> pollute the cache, again.
>
> There seems to be DNS  way to forward, and there is no way to do so at
> the service I use, Dyn DNS, though some vendors seem to be able to use
> proprietary code to do it.
>
> I seem to need an alternate, fallback entry in Opensim.ini that would
> also be checked to verify identity. That would solve the "failed to
> verify" problem for grids that can answer to either name.
>
> And I don't really want to re-compile it and remove the check. But that
> is looking like the only solution.
>
> So is this a Catch-22, or did I just screw it up and now need to compile
> away some security?
>
> Ferd Frederix aka Fred Beckhusen
> www.Outworldz.com or Outworldz.com, choose just one :-(

If you want a quick fix, you could try setting up a reverse proxy such as CloudFlare; they're not too hard to set up, as you basically just have to change the name servers for your domain, at which point the reverse proxy takes over management of all DNS records. CloudFlare is the only one I'm familiar with, but it allows for a bunch of useful features, including the removal (or addition) of www. on requests before they touch your server, plus it can save bandwidth for any site(s) you're hosting on the same domain by caching images etc. for you.

Multiple virtual host names do seem like something OpenSim could support, but a reverse proxy should let you solve the problem in the meantime.

Re: Canonical name versus www names in Opensim (Ferd Frederix)

Mike Lorrey
From the point of view of a user, I can say that the domains and URIs for hypergridding are badly broken and need some fixing up (granted, Kitely's own quirks do contribute to this). There really should be a standard created that any hypergridded grid should adhere to. It seems like hypergridding for a user changes in reliability from day to day and grid to grid. Just last night, I found it impossible to find Encore Escape grid on the map, but my partner, standing right next to me in the same region, had no trouble finding it and going there, and was able to tp me there. Having a standard for this does touch on commerce, so if you have some good proposals to fix this and have a standard, please let me know and we can bring it up at an IMA Commerce Working Group meeting (which of course all interested devs are invited and welcome to attend).

On Mon, Jul 24, 2017 at 1:05 PM, Haravikk <[hidden email]> wrote:

> On 24 Jul 2017, at 17:08, Fred Beckhusen <[hidden email]> wrote:
>
> How does one solve the problem of Opensim answering to only one toplevel domain? Opensim supports only one Public DNS name, yet a server can be both TLD.com and a www.TLD.com. Or more.
>
> For example, my problem seems to be that my system responds to both
> www.Outworldz.com:9000 and Outworldz.com:9000.   There are two A records
> at Dyn DNS, both pointing to the same server.    In the web site, the
> web server can be told to redirect traffic to Outworldz.com with a 301
> to www.Outworldz.com. But this is not possible with Opensim.
>
> So what happens in Opensim on one of them is a failure to verify.
>
> 06:14:46 - [GATEKEEPER SERVICE]: Verifying http://outworldz.com:9000
> against http://www.outworldz.com:9000
> 06:14:46 - [GATEKEEPER SERVICE]: Unable to verify identity of agent XX
> YY. Refusing service.
>
> I see no possible fix, except to drop the www name, which breaks all
> landmarks, as people seem to want to not type the www in.
>
> Another problem appears to be that anyone who types in
> Outworldz.com:9000 pollutes the hyperlink cache on the remote system,
> and they will get a failure to identify as the compare is a simple
> string compare.   This link gets stuck in the remote site, and anyone
> trying to get to my site will fail or get two map entries, until someone
> manually clears the remote end with an unlink-region.
>
> If I change Opensim.ini Public name to use just Outworldz.com:9000, then
> the www users will get the failure to identify.  So there is a catch-22.
> If I switch to the non-www, then anyone with an old hyperlink will
> pollute the cache, again.
>
> There seems to be DNS  way to forward, and there is no way to do so at
> the service I use, Dyn DNS, though some vendors seem to be able to use
> proprietary code to do it.
>
> I seem to need an alternate, fallback entry in Opensim.ini that would
> also be checked to verify identity. That would solve the "failed to
> verify" problem for grids that can answer to either name.
>
> And I don't really want to re-compile it and remove the check. But that
> is looking like the only solution.
>
> So is this a Catch-22, or did I just screw it up and now need to compile
> away some security?
>
> Ferd Frederix aka Fred Beckhusen
> www.Outworldz.com or Outworldz.com, choose just one :-(

If you want a quick fix, you could try setting up a reverse proxy such as CloudFlare; they're not too hard to set up, as you basically just have to change the name servers for your domain, at which point the reverse proxy takes over management of all DNS records. CloudFlare is the only one I'm familiar with, but it allows for a bunch of useful features, including the removal (or addition) of www. on requests before they touch your server, plus it can save bandwidth for any site(s) you're hosting on the same domain by caching images etc. for you.

Multiple virtual host names do seem like something OpenSim could support, but a reverse proxy should let you solve the problem in the meantime.



--
Mike Lorrey
CEO Galactic Systems, Inc
VP Stokens Venture Capital
International Spaceflight Museum
Skype: michael.lorrey
LinkedIn: https://www.linkedin.com/in/mikelorrey


Re: Fwd: Canonical name versus www names in Opensim (Ferd Frederix)

Ai Austin-2
In reply to this post by Fred Beckhusen
At 17:51 24/07/2017, Fred Beckhusen <[hidden email]> wrote:

>How does one solve the problem of Opensim answering to only one toplevel
>domain? Opensim supports only one Public DNS name, yet a server can be
>both TLD.com and a www.TLD.com. Or more.
>
>For example, my problem seems to be that my system responds to both
>www.Outworldz.com:9000 and Outworldz.com:9000.   There are two A records
>at Dyn DNS, both pointing to the same server.    In the web site, the
>web server can be told to redirect traffic to Outworldz.com with a 301
>to www.Outworldz.com. But this is not possible with Opensim.
>
>So what happens in Opensim on one of them is a failure to verify.
>
>06:14:46 - [GATEKEEPER SERVICE]: Verifying http://outworldz.com:9000
>against http://www.outworldz.com:9000
>06:14:46 - [GATEKEEPER SERVICE]: Unable to verify identity of agent XX
>YY. Refusing service.


Would it be useful to at least try the www. and non www. variants
when the one given fails, before giving up?

I assume trailing "/" is already stripped off before the string
comparison?  If not, that's definitely needed.

And it seems that a HG lookup that subsequently fails to complete the
teleport is still cached... that was the issue I had in testing with
Fred in the last few days.  I had to do a 'show hyperlinks' and
'unlink-region <region-domain:port/>' to allow subsequent teleports
to work.  This means it's only open to someone with a region server
and console access. A normal user could not have fixed this. If
possible that failed teleport should lead to the cache entry not
being made... or deleted from the cache if it was already in place?







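Added example, not part of any message in this thread and not OpenSim code: one way the "alternate, fallback entry" idea could work without removing the identity check. Each gatekeeper URI is normalized (case, trailing "/", default port) and compared against an explicit allow-list of names the operator declares. The function names and the `ALIASES` list are hypothetical; no such Opensim.ini setting is described on this page, and the sample URIs are constructed.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def canonical(uri):
    """Reduce a gatekeeper URI to (scheme, host, port); ValueError if it is not a bare origin."""
    parts = urlsplit(uri.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("not an http(s) URI: %r" % uri)
    # Userinfo, a path other than "/", a query or a fragment do not belong in a grid address.
    if (parts.username or parts.password or parts.query or parts.fragment
            or parts.path not in ("", "/")):
        raise ValueError("unexpected URI components: %r" % uri)
    host = parts.hostname.rstrip(".")   # urlsplit already lower-cases the host
    port = parts.port                   # raises ValueError on a non-numeric port
    return scheme, host, DEFAULT_PORTS[scheme] if port is None else port

def build_allowlist(public_uri, aliases=()):
    """Canonical forms of the public name plus every alias the operator lists explicitly."""
    return {canonical(u) for u in (public_uri, *aliases)}

def verify(claimed_uri, allowed):
    """True only if the claimed URI normalizes to one of the declared names."""
    try:
        return canonical(claimed_uri) in allowed
    except ValueError:
        return False

def string_compare(claimed_uri, public_uri):
    """The exact-match behaviour described in the thread, for comparison."""
    return claimed_uri == public_uri

# Constructed configuration: one public name and one declared alias (hypothetical setting).
PUBLIC = "http://www.outworldz.com:9000"
ALIASES = ["http://outworldz.com:9000"]
ALLOWED = build_allowlist(PUBLIC, ALIASES)

if __name__ == "__main__":
    for uri in ("http://outworldz.com:9000", "http://WWW.Outworldz.com:9000/",
                "http://www.outworldz.com.example:9000", "http://outworldz.com:9001"):
        print(uri, "string:", string_compare(uri, PUBLIC), "allow-list:", verify(uri, ALLOWED))
```

Listing aliases explicitly keeps the check strict: a name that merely contains or resembles the public host does not pass, which a blanket "strip www." rule or a prefix match would not guarantee.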

Re: Fwd: Canonical name versus www names in Opensim (Ferd Frederix)

Blake
Ferd, do you have the option of creating a URL Redirect record?

In my domains I can create a URL Redirect record that would solve your problem I do believe.

Blake

On Mon, Jul 24, 2017 at 3:44 PM, Ai Austin <[hidden email]> wrote:
At 17:51 24/07/2017, Fred Beckhusen <[hidden email]> wrote:
How does one solve the problem of Opensim answering to only one toplevel
domain? Opensim supports only one Public DNS name, yet a server can be
both TLD.com and a www.TLD.com. Or more.

For example, my problem seems to be that my system responds to both
www.Outworldz.com:9000 and Outworldz.com:9000.   There are two A records
at Dyn DNS, both pointing to the same server.    In the web site, the
web server can be told to redirect traffic to Outworldz.com with a 301
to www.Outworldz.com. But this is not possible with Opensim.

So what happens in Opensim on one of them is a failure to verify.

06:14:46 - [GATEKEEPER SERVICE]: Verifying http://outworldz.com:9000
against http://www.outworldz.com:9000
06:14:46 - [GATEKEEPER SERVICE]: Unable to verify identity of agent XX
YY. Refusing service.


Would it be useful to at least try the www. and non www. variants when the one given fails, before giving up?

I assume trailing "/" is already stripped off before the string comparison?  If not, that's definitely needed.

And it seems that a HG lookup that subsequently fails to complete the teleport is still cached... that was the issue I had in testing with Fred in the last few days.  I had to do a 'show hyperlinks' and 'unlink-region <region-domain:port/>' to allow subsequent teleports to work.  This means it's only open to someone with a region server and console access. A normal user could not have fixed this. If possible that failed teleport should lead to the cache entry not being made... or deleted from the cache if it was already in place?







