[Opensim-dev] Canonical name versus www names in Opensim (Ferd Frederix)
Haravikk
opensim at haravikk.me
Mon Jul 24 17:05:34 UTC 2017
> On 24 Jul 2017, at 17:08, Fred Beckhusen <fred at mitsi.com> wrote:
>
> How does one solve the problem of Opensim answering to only one top-level domain? Opensim supports only one Public DNS name, yet a server can be both TLD.com and a www.TLD.com. Or more.
>
> For example, my problem seems to be that my system responds to both
> www.Outworldz.com:9000 and Outworldz.com:9000. There are two A records
> at Dyn DNS, both pointing to the same server. In the web site, the
> web server can be told to redirect traffic to Outworldz.com with a 301
> to www.Outworldz.com. But this is not possible with Opensim.
>
> So what happens in Opensim on one of them is a failure to verify.
>
> 06:14:46 - [GATEKEEPER SERVICE]: Verifying http://outworldz.com:9000
> against http://www.outworldz.com:9000
> 06:14:46 - [GATEKEEPER SERVICE]: Unable to verify identity of agent XX
> YY. Refusing service.
>
> I see no possible fix, except to drop the www name, which breaks all
> landmarks, as people seem to want to not type the www in.
>
> Another problem appears to be that anyone who types in
> Outworldz.com:9000 pollutes the hyperlink cache on the remote system,
> and they will get a failure to identify as the compare is a simple
> string compare. This link gets stuck in the remote site, and anyone
> trying to get to my site will fail or get two map entries, until someone
> manually clears the remote end with an unlink-region.
>
> If I change Opensim.ini Public name to use just Outworldz.com:9000, then
> the www users will get the failure to identify. So there is a catch-22.
> If I switch to the non-www, then anyone with an old hyperlink will
> pollute the cache, again.
>
> There seems to be a DNS way to forward, and there is no way to do so at
> the service I use, Dyn DNS, though some vendors seem to be able to use
> proprietary code to do it.
>
> I seem to need an alternate, fallback entry in Opensim.ini that would
> also be checked to verify identity. That would solve the "failed to
> verify" problem for grids that can answer to either name.
>
> And I don't really want to re-compile it and remove the check. But that
> is looking like the only solution.
>
> So is this a Catch-22, or did I just screw it up and now need to compile
> away some security?
>
> Ferd Frederix aka Fred Beckhusen
> www.Outworldz.com or Outworldz.com, choose just one :-(

If you want a quick-fix, you could try setting up a reverse proxy such as CloudFlare; they're not too hard to set up as you basically just have to change the name servers for your domain, at which point the reverse proxy takes over management of all DNS records. CloudFlare is the only one I'm familiar with, but it allows for a bunch of useful features, including the removal (or addition) of www. on requests before they touch your server, plus it can save bandwidth for any site(s) you're hosting on the same domain by caching images etc. for you.

Multiple virtual host-names does seem like something OpenSim could support, but a reverse proxy should let you solve the problem in the meantime.
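
An added illustration, not part of either message and not OpenSim code: the "fallback entry" idea from the quoted post, sketched as an identity check that accepts an operator-configured allowlist of names and always hands back the single canonical URL, so a remote cache stores one entry. The class name `GatekeeperIdentity` and the alias list are hypothetical; the two URLs are the ones in the quoted log.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def normalize(url):
    """Return (scheme, host, port) with case, trailing dot and default port folded."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an http(s) URL: {url!r}")
    if parts.username or parts.password:
        # "http://good.example:9000@other.example" must not pass as good.example
        raise ValueError("userinfo not allowed in a gatekeeper URL")
    host = parts.hostname.rstrip(".")  # .hostname is already lower-cased
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return scheme, host, port  # the path is deliberately ignored

class GatekeeperIdentity:
    """Hypothetical check: exact match against an explicit allowlist only.

    Aliases come from operator configuration, never from DNS lookups or
    from whatever name the caller happened to use.
    """
    def __init__(self, canonical_url, aliases=()):
        self.canonical = normalize(canonical_url)
        self.accepted = {self.canonical} | {normalize(a) for a in aliases}

    def verify(self, claimed_url):
        """Return the canonical URL if claimed_url names this gatekeeper, else None."""
        try:
            claimed = normalize(claimed_url)
        except ValueError:
            return None
        if claimed not in self.accepted:
            return None
        scheme, host, port = self.canonical
        return f"{scheme}://{host}:{port}"

if __name__ == "__main__":
    # Constructed inputs based on the two names in the quoted log lines.
    gk = GatekeeperIdentity("http://www.outworldz.com:9000",
                            aliases=["http://outworldz.com:9000"])
    for url in ("http://outworldz.com:9000",
                "http://WWW.Outworldz.com:9000/",
                "http://www.outworldz.com.evil.example:9000"):
        print(url, "->", gk.verify(url))
```

Because the comparison stays an exact match on normalized values, a look-alike name or a different port is still refused; only the names the operator listed are treated as the same grid.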