Posted to dev@trafficcontrol.apache.org by "Zhilin Huang (zhilhuan)" <zh...@cisco.com> on 2017/08/25 07:12:33 UTC

Is multiple subdomains fully supported?

Hi folks,

Multiple subdomains (HOST_REGEXP) do not appear to work in the TC version we are using. However, after checking the code in the latest master branch, I doubt whether this is fully supported:

1. Based on the code, Traffic Router may not fully support HOST_REGEXP with “set_number” not equal to 0. The cr-config generated will only include the first HOST_REGEXP in the “domains” field for each delivery service. So the auto-zones will not be generated for the other HOST_REGEXP entries.

2. For an HTTPS delivery service, the SSL certificate will only be generated for the first HOST_REGEXP.

Are any of you using multiple HOST_REGEXP entries in your delivery services? Please correct me if my understanding is wrong.

If we want to fully support multiple subdomains (HOST_REGEXP), should we do the following:

For item 1) above, expand all HOST_REGEXP entries and add them to the “domains” field for each delivery service in “cr-config”. Is there any special reason to only include the first one?

For item 2) above, add SANs to the SSL certificate for all HOST_REGEXP entries other than the first one (set_number == 0)?


Thanks,
Zhilin



Re: Is multiple subdomains fully supported?

Posted by "Zhilin Huang (zhilhuan)" <zh...@cisco.com>.
Hey Dave,

Thanks a lot for your clarification!

And FYI, a GitHub issue has been created: https://github.com/apache/incubator-trafficcontrol/issues/1123

Thanks,
Zhilin





Re: Is multiple subdomains fully supported?

Posted by Dave Neuman <ne...@apache.org>.
No problem.

```1) HOST_REGEXP 1 will be: “.*\.foo.bar.com”?  Or explicitly “movie.foo.bar.com”?```
It will need to explicitly be an FQDN of a CNAME, so `movie.foo.bar.com`


```2) I think currently the certificate generated by Traffic Ops not
supported SAN. Does this mean we need to generate the SSL certificate from
another place, and paste it to Traffic Ops only?```

Yeah, if you want to create it with a SAN you will need to do it manually.
You can do it using the OpenSSL command.

Can you open a ticket to update the docs for HOST_REGEXP and also to add
SAN support to Traffic Ops?  I think that's something that we need to
support.


Thanks,
Dave
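
Added example, not part of the message above or of the Traffic Control project: one way to do the manual OpenSSL step, building a key, a CSR and a lab-only self-signed certificate whose SAN list covers both the CDN-side name and the external CNAME, then checking hostname coverage. The wildcard `*.movies.example.com` and the function names are assumptions for illustration; `movies.foo.bar.com` is the CNAME from the thread.

```shell
#!/usr/bin/env bash
# Constructed example: certificate with SANs for a delivery service that is
# also reached through a CNAME on a domain the CDN is not authoritative for.
# Hostnames and function names are illustrative assumptions.
set -e

# make_san_cert OUTDIR CN [EXTRA_SAN...]
# Writes req.cnf, ds.key, ds.csr (to send to a CA) and ds.crt (self-signed,
# for lab checks only) into OUTDIR. CN is repeated as the first SAN entry,
# because hostname verification uses the SAN list when one is present.
make_san_cert() {
    outdir=$1; cn=$2; shift 2
    cfg="$outdir/req.cnf"
    {
        printf '[req]\nprompt = no\ndistinguished_name = dn\n'
        printf 'req_extensions = san\nx509_extensions = san\n'
        printf '[dn]\nCN = %s\n' "$cn"
        printf '[san]\nsubjectAltName = @names\n[names]\n'
        i=1
        for name in "$cn" "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$name"
            i=$((i + 1))
        done
    } > "$cfg"
    # New key plus a CSR that carries the SAN extension request.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$cfg" \
        -keyout "$outdir/ds.key" -out "$outdir/ds.csr" 2>/dev/null
    # Self-signed certificate from the same key, with the same SAN list.
    openssl req -x509 -new -key "$outdir/ds.key" -sha256 -days 30 \
        -config "$cfg" -out "$outdir/ds.crt" 2>/dev/null
}

# cert_covers CERT HOSTNAME -> exit 0 if the certificate is valid for HOSTNAME
cert_covers() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>&1 |
        grep -q 'does match certificate'
}

# csr_has_san CSR HOSTNAME -> exit 0 if the CSR requests HOSTNAME as a DNS SAN
csr_has_san() {
    openssl req -in "$1" -noout -text | grep -Fq "DNS:$2"
}

# Compare a certificate for the CDN-side name only with one that also lists
# the external CNAME, using the two names a client could put in its request.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/before" "$tmp/after"
    make_san_cert "$tmp/before" '*.movies.example.com'
    make_san_cert "$tmp/after" '*.movies.example.com' 'movies.foo.bar.com'
    for dir in before after; do
        for host in tr.movies.example.com movies.foo.bar.com; do
            if cert_covers "$tmp/$dir/ds.crt" "$host"; then
                result=ok
            else
                result=MISMATCH
            fi
            printf '%-6s %-24s %s\n' "$dir" "$host" "$result"
        done
    done
    rm -rf "$tmp"
}

demo
```

For production, `ds.csr` goes to the issuing CA and the resulting certificate and `ds.key` are what get pasted into Traffic Ops, as discussed in the thread.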


Re: Is multiple subdomains fully supported?

Posted by "Zhilin Huang (zhilhuan)" <zh...@cisco.com>.
Hey Dave,

Yes, it is much clearer for me now. Thank you very much for the clarification!

BTW, based on your example, how could we do the configuration?

1) HOST_REGEXP 1 will be: “.*\.foo.bar.com”?  Or explicitly “movie.foo.bar.com”?

2) I think the certificate currently generated by Traffic Ops does not support SAN. Does this mean we need to generate the SSL certificate from another place, and paste it to Traffic Ops only?

It would be very helpful if we could reword the documentation for HOST_REGEXP > 1. How could we open a ticket? Create a GitHub issue?

Thanks,
Zhilin



On 8/31/17, 10:37 PM, "Dave Neuman" <ne...@apache.org> wrote:

    Hey Zhilin,
    
    The HOST_REGEXP > 0 is not used the same as HOST_REGEXP = 0.  I understand
    this is confusing, but it is what it is.  We should probably get a ticket
    in to change the behavior or wording so that it is less confusing.
    The HOST_REGEXP > 0 is meant to be a CNAME.  So, if you have a CDN with the
    domain name `example.com` and a HOST_REGEXP 0 of `.*\.movies\.*` you could
    have a HOST_REGEXP 1 of `movies.foo.bar.com` which will be a CNAME to
    `movies.example.com`.  This will need to be configured in a different DNS
    server (the one for `bar.com`) and will also need to be a SAN in the DS
    certificate.  Then when the client looks up `different.domain.com` they
    will be pointed at `tr.movies.example.com` and TR will do the right thing.
    
    I hope that helps?  If not, let me know.
    
    
    Thanks,
    Dave
    
    
    
    On Tue, Aug 29, 2017 at 10:52 PM, Zhilin Huang (zhilhuan) <
    zhilhuan@cisco.com> wrote:
    
    > BTW, would you mind giving an example of how you are using
    > HOST_REGEXP > 0 in production?
    >
    > We thought HOST_REGEXP > 0 should be very similar to HOST_REGEXP = 0, but
    > it sounds like that is not the case.
    >
    > Thanks,
    > Zhilin
    >
    >
    > On 8/30/17, 12:46 PM, "Zhilin Huang (zhilhuan)" <zh...@cisco.com>
    > wrote:
    >
    >     Hi Dave,
    >
    >     Thanks a lot for your response!
    >
    >     Sorry, I am not quite following you. I am still confused about how
    >     HOST_REGEXP will work in production and may need more clarification:
    >
    >     1)  “To support CNAMES from domains outside of the Traffic Control top
    >     level DNS domain, enter multiple HOST_REGEXP lines”:
    >
    >     What does “outside of the Traffic Control top level DNS domain” mean?
    >     Will the CNAME still be answered by Traffic Router?
    >
    >     If yes, then it looks like it could only work to replace the “tr” or
    >     “edge” field. For example, for a CDN with domain name “example.com” and
    >     a DS with HOST_REGEXP 0 “.*\.movie\..*” and HOST_REGEXP 1 “.*\.aliens\.*”,
    >     a zone file “movie.example.com.” will be created. So Traffic Router could
    >     only serve DNS requests for “*.movie.example.com”. Does this mean
    >     “aliens.movie.example.com” will be a CNAME for “tr.movie.example.com”? I
    >     think a domain name like “tr.aliens.example.com” could not be resolved by
    >     Traffic Router, correct?
    >
    >     2) “we use HOST_REGEXP > 0 as CNAMES which would be domains we are not
    >     authoritative for and we don't control.”:
    >     Does this mean the CNAMES are not managed by Traffic Router and need to
    >     be configured in other DNS servers? If yes, how could that work for HTTPS?
    >     Taking the above example, if a DNS query for “tr.aliens.example.com” would
    >     be answered as a CNAME of “tr.movie.example.com” by an outside DNS server,
    >     then Traffic Router will respond to further DNS queries for
    >     “tr.movie.example.com”. The client will still use “tr.aliens.example.com”
    >     in the HTTPS request, therefore the SSL certificate will still not work
    >     since no SSL SAN is configured.
    >
    >     Thanks,
    >     Zhilin
    >
    >
    >
    >     On 8/29/17, 11:32 PM, "Dave Neuman" <ne...@apache.org> wrote:
    >
    >         This doc states “To support CNAMES from domains outside of the Traffic
    >         Control top level DNS domain, enter multiple HOST_REGEXP lines”, which
    >         shows that we intended HOST_REGEXP > 0 to be for CNAMES.
    >
    >         http://trafficcontrol.apache.org/docs/latest/admin/traffic_ops/using.html?highlight=host_regexp#delivery-service-regexp
    >
    >         On Tue, Aug 29, 2017 at 9:29 AM, Dave Neuman <ne...@apache.org> wrote:
    >
    >         > Hi Zhilin,
    >         > Sorry for not responding sooner.
    >         >
    >         > I answered your questions inline below.  Let me know what other
    >         > questions you have.
    >         >
    >         > Thanks,
    >         > Dave
    >         >
    >         > On Mon, Aug 28, 2017 at 8:32 PM, Zhilin Huang (zhilhuan) <
    >         > zhilhuan@cisco.com> wrote:
    >         >
    >         >> Hmm, no response…
    >         >>
    >         >> I think I should suppose no one is using multiple subdomains in
    >         >> production. Please respond if I am wrong.
    >         >>
    >         >> Thanks,
    >         >> Zhilin
    >         >>
    >         >>
    >         >> On 8/25/17, 3:12 PM, "Zhilin Huang (zhilhuan)" <zhilhuan@cisco.com>
    >         >> wrote:
    >         >>
    >         >>     Hi folks,
    >         >>
    >         >>     Multiple subdomains (HOST_REGEXP) do not appear to work in the TC
    >         >>     version we are using. However, after checking the code in the latest
    >         >>     master branch, I doubt whether this is fully supported:
    >         >>
    >         >>     1. Based on the code, Traffic Router may not fully support
    >         >>     HOST_REGEXP with “set_number” not equal to 0. The cr-config
    >         >>     generated will only include the first HOST_REGEXP in the “domains”
    >         >>     field for each delivery service. So the auto-zones will not be
    >         >>     generated for the other HOST_REGEXP entries.
    >         >>
    >         >
    >         > Correct, the regex is in the CrConfig but not in the domains section.
    >         > The HOST_REGEXP > 0 is intended (at least the way we use it) for CNAMEs
    >         > on other domains.  Since the CNAMEs are not on the domain the TR is
    >         > authoritative for, the TR cannot manage zones for them.
    >         >
    >         >
    >         >>
    >         >>     2. For an HTTPS delivery service, the SSL certificate will only be
    >         >>     generated for the first HOST_REGEXP.
    >         >>
    >         >
    >         > Correct, again we use HOST_REGEXP > 0 as CNAMES which would be domains
    >         > we are not authoritative for and we don't control.
    >         >
    >         >
    >         >>     Are any of you using multiple HOST_REGEXP entries in your delivery
    >         >>     services? Please correct me if my understanding is wrong.
    >         >>
    >         >>     If we want to fully support multiple subdomains (HOST_REGEXP),
    >         >>     should we do the following:
    >         >>
    >         >>     For item 1) above, expand all HOST_REGEXP entries and add them to the
    >         >>     “domains” field for each delivery service in “cr-config”. Is there
    >         >>     any special reason to only include the first one?
    >         >>
    >         >
    >         > Yes, we put CNAMEs in this field so TR could not be authoritative for
    >         > those zones.  You would need to do some check to make sure that TR can
    >         > actually manage the zone before including it in the domains section.
    >         >
    >         >
    >         >>
    >         >>     For item 2) above, add SANs to the SSL certificate for all
    >         >>     HOST_REGEXP entries other than the first one (set_number == 0)?
    >         >>
    >         >
    >         > See above.
    >         >
    >         >
    >         >>     Thanks,
    >         >>     Zhilin
    >         >>
    >         >>
    >         >>
    >         >>
    >         >>
    >         >
    >
    >
    >
    >
    >
    


Re: Is multiple subdomains fully supported?

Posted by Dave Neuman <ne...@apache.org>.
Hey Zhilin,

The HOST_REGEXP > 0 is not used the same as HOST_REGEXP = 0.  I understand
this is confusing, but it is what it is.  We should probably get a ticket
in to change the behavior or wording so that it is less confusing.
The HOST_REGEXP > 0 is meant to be a CNAME.  So, if you have a CDN with the
domain name `example.com` and a HOST_REGEXP 0 of `.*\.movies\.*` you could
have a HOST_REGEXP 1 of `movies.foo.bar.com` which will be a CNAME to
`movies.example.com`.  This will need to be configured in a different DNS
server (the one for `bar.com`) and will also need to be a SAN in the DS
certificate.  Then when the client looks up `different.domain.com` they
will be pointed at `tr.movies.example.com` and TR will do the right thing.

I hope that helps?  If not, let me know.


Thanks,
Dave



On Tue, Aug 29, 2017 at 10:52 PM, Zhilin Huang (zhilhuan) <
zhilhuan@cisco.com> wrote:

> BTW, would you mind giving an example of how you are using
> HOST_REGEXP > 0 in production?
>
> We thought HOST_REGEXP > 0 should be very similar to HOST_REGEXP = 0, but
> it sounds like that is not the case.
>
> Thanks,
> Zhilin
>
>
> On 8/30/17, 12:46 PM, "Zhilin Huang (zhilhuan)" <zh...@cisco.com>
> wrote:
>
>     Hi Dave,
>
>     Thanks a lot for your response!
>
>     Sorry, I am not quite following you. I am still confused about how
>     HOST_REGEXP will work in production and may need more clarification:
>
>     1)  “To support CNAMES from domains outside of the Traffic Control top
>     level DNS domain, enter multiple HOST_REGEXP lines”:
>
>     What does “outside of the Traffic Control top level DNS domain” mean?
>     Will the CNAME still be answered by Traffic Router?
>
>     If yes, then it looks like it could only work to replace the “tr” or
>     “edge” field. For example, for a CDN with domain name “example.com” and
>     a DS with HOST_REGEXP 0 “.*\.movie\..*” and HOST_REGEXP 1 “.*\.aliens\.*”,
>     a zone file “movie.example.com.” will be created. So Traffic Router could
>     only serve DNS requests for “*.movie.example.com”. Does this mean
>     “aliens.movie.example.com” will be a CNAME for “tr.movie.example.com”? I
>     think a domain name like “tr.aliens.example.com” could not be resolved by
>     Traffic Router, correct?
>
>     2) “we use HOST_REGEXP > 0 as CNAMES which would be domains we are not
>     authoritative for and we don't control.”:
>     Does this mean the CNAMES are not managed by Traffic Router and need to
>     be configured in other DNS servers? If yes, how could that work for HTTPS?
>     Taking the above example, if a DNS query for “tr.aliens.example.com” would
>     be answered as a CNAME of “tr.movie.example.com” by an outside DNS server,
>     then Traffic Router will respond to further DNS queries for
>     “tr.movie.example.com”. The client will still use “tr.aliens.example.com”
>     in the HTTPS request, therefore the SSL certificate will still not work
>     since no SSL SAN is configured.
>
>     Thanks,
>     Zhilin
>
>
>
>     On 8/29/17, 11:32 PM, "Dave Neuman" <ne...@apache.org> wrote:
>
>         This doc states To support CNAMES from domains outside of the
> Traffic
>         Control top level DNS domain, enter multiple HOST_REGEXP lines,
> which shows
>         that we intended HOST_REGEXP > 0 to be for CNAMES.
>
>         http://trafficcontrol.apache.org/docs/latest/admin/traffic_
> ops/using.html?highlight=host_regexp#delivery-service-regexp
>         ​
>
>         On Tue, Aug 29, 2017 at 9:29 AM, Dave Neuman <ne...@apache.org>
> wrote:
>
>         > Hi Zhilin,
>         > Sorry for not responding sooner.
>         >
>         > I answered your questions inline below.  Let me know what other
> questions
>         > you have.
>         >
>         > Thanks,
>         > Dave
>         >
>         > On Mon, Aug 28, 2017 at 8:32 PM, Zhilin Huang (zhilhuan) <
>         > zhilhuan@cisco.com> wrote:
>         >
>         >> Hmm, no response…
>         >>
>         >> I think I should suppose no one is using multiple subdomains in
>         >> production. Please response if I am wrong.
>         >>
>         >> Thanks,
>         >> Zhilin
>         >>
>         >>
>         >> On 8/25/17, 3:12 PM, "Zhilin Huang (zhilhuan)" <
> zhilhuan@cisco.com>
>         >> wrote:
>         >>
>         >>     Hi folks,
>         >>
>         >>     The multiple subdomain (HOST_REGEXP) looks not working in
> TC version
>         >> we are using. However, after checking the code in latest master
> branch, I
>         >> would suspect if this is fully supported:
>         >>
>         >>     1. Based on the code, Traffic Router may not fully support
>         >> HOST_REGEXP with “set_number” not equal 0. The cr-config
> generated will
>         >> only include the first HOST_REGEXP into the “domains” field for
> each
>         >> delivery service. So the auto-zones will not be generated for
> other
>         >> HOST_REGEXP.
>         >>
>         >
>         > Correct, the regex is in the CrConfig but not in the domains
> section.  The
>         > HOST_REGEXP > 0 is intended (at least the way we use it) for
> CNAMEs on
>         > other domains.  Since the CNAMEs are not on the domain the TR is
>         > authoritative for, the TR cannot manage zones for them.
>         >
>         >
>         >>
>         >>     2. For HTTPS delivery service, the SSL certificate will
> only be
>         >> generated for the first HOST_REGEXP.
>         >>
>         >
>         > Correct, again we use HOST_REGEXP > 0 as CNAMES which would be
> domains we
>         > are not authoritative for and we don't control.
>         >
>         >
>         >>     Have anyone of you are using multiple HOST_REGEXP in your
> delivery
>         >> services? Please correct me if my understanding is wrong.
>         >>
>         >>     If we want to fully support multiple subdomain
> (HOST_REGEXP), should
>         >> we do:
>         >>
>         >>     For item 1) above, expand all HOST_REGEXP and add into
> “domains”
>         >> field for each delivery service in “cr-config”. Is there any
> special reason
>         >> to only include the first one?
>         >>
>         >
>         > Yes, we put CNAMEs in this field so TR could not be
> authoritative for
>         > those zones.  You would need to do some check to make sure that
> TR can
>         > actually manage the zone before adding including it in the
> domains section.
>         >
>         >
>         >>
>         >>     For item 2) above, add SAN in SSL certificate for all
> HOST_REGEXP
>         >> other than the first one (set_number == 0)?
>         >>
>         >
>         > See above.
>         >
>         >
>         >>     Thanks,
>         >>     Zhilin
>         >>
>         >>
>         >>
>         >>
>         >>
>         >
>
>
>
>
>

Re: Is multiple subdomains fully supported?

Posted by "Zhilin Huang (zhilhuan)" <zh...@cisco.com>.
BTW, would you mind giving an example of how you are using HOST_REGEXP > 0 in your production?

We thought HOST_REGEXP > 0 should be very similar to HOST_REGEXP = 0, but it sounds like that is not the case.

Thanks,
Zhilin



Re: Is multiple subdomains fully supported?

Posted by "Zhilin Huang (zhilhuan)" <zh...@cisco.com>.
Hi Dave,

Thanks a lot for your response!

Sorry, I am not quite following you. I am still confused about how HOST_REGEXP will work in production and may need more clarification:

1) “To support CNAMES from domains outside of the Traffic Control top level DNS domain, enter multiple HOST_REGEXP lines”:

What does “outside of the Traffic Control top level DNS domain” mean? Will the CNAME still be answered by Traffic Router?

If yes, then it looks like it could only work to replace the “tr” or “edge” field. For example, for a CDN with domain name “example.com” and a DS with HOST_REGEXP 0 “.*\.movie\..*” and HOST_REGEXP 1 “.*\.aliens\.*”, a zone file “movie.example.com.” will be created. So Traffic Router could only serve DNS requests for “*.movie.example.com”. Does this mean “aliens.movie.example.com” will be a CNAME for “tr.movie.example.com”? I think a domain name like “tr.aliens.example.com” could not be resolved by Traffic Router, correct?

2) “we use HOST_REGEXP > 0 as CNAMES which would be domains we are not authoritative for and we don't control.”:
Does this mean the CNAMES are not managed by Traffic Router and need to be configured in other DNS servers? If yes, how could that work for HTTPS? Taking the above example, if a DNS query for “tr.aliens.example.com” is answered with a CNAME to “tr.movie.example.com” by an outside DNS server, then Traffic Router will respond to the further DNS query for “tr.movie.example.com”. The client will still use “tr.aliens.example.com” in the HTTPS request, so the SSL certificate will still not work since no SSL SAN is configured.

Thanks,
Zhilin





Re: Is multiple subdomains fully supported?

Posted by Dave Neuman <ne...@apache.org>.
This doc states "To support CNAMES from domains outside of the Traffic
Control top level DNS domain, enter multiple HOST_REGEXP lines", which shows
that we intended HOST_REGEXP > 0 to be for CNAMES.

http://trafficcontrol.apache.org/docs/latest/admin/traffic_ops/using.html?highlight=host_regexp#delivery-service-regexp


Re: Is multiple subdomains fully supported?

Posted by Dave Neuman <ne...@apache.org>.
Hi Zhilin,
Sorry for not responding sooner.

I answered your questions inline below.  Let me know what other questions
you have.

Thanks,
Dave

On Mon, Aug 28, 2017 at 8:32 PM, Zhilin Huang (zhilhuan) <zhilhuan@cisco.com> wrote:

> Hmm, no response…
>
> I think I should suppose no one is using multiple subdomains in
> production. Please response if I am wrong.
>
> Thanks,
> Zhilin
>
>
> On 8/25/17, 3:12 PM, "Zhilin Huang (zhilhuan)" <zh...@cisco.com> wrote:
>
>     Hi folks,
>
>     The multiple subdomain (HOST_REGEXP) looks not working in TC version
> we are using. However, after checking the code in latest master branch, I
> would suspect if this is fully supported:
>
>     1. Based on the code, Traffic Router may not fully support HOST_REGEXP
> with “set_number” not equal 0. The cr-config generated will only include
> the first HOST_REGEXP into the “domains” field for each delivery service.
> So the auto-zones will not be generated for other HOST_REGEXP.
>

Correct, the regex is in the CrConfig but not in the domains section.  The
HOST_REGEXP > 0 is intended (at least the way we use it) for CNAMEs on
other domains.  Since the CNAMEs are not on the domain the TR is
authoritative for, the TR cannot manage zones for them.


>
>     2. For HTTPS delivery service, the SSL certificate will only be
> generated for the first HOST_REGEXP.
>

Correct, again we use HOST_REGEXP > 0 as CNAMES which would be domains we
are not authoritative for and we don't control.


>     Have anyone of you are using multiple HOST_REGEXP in your delivery
> services? Please correct me if my understanding is wrong.
>
>     If we want to fully support multiple subdomain (HOST_REGEXP), should
> we do:
>
>     For item 1) above, expand all HOST_REGEXP and add into “domains” field
> for each delivery service in “cr-config”. Is there any special reason to
> only include the first one?
>

Yes, we put CNAMEs in this field so TR could not be authoritative for those
zones.  You would need to do some check to make sure that TR can actually
manage the zone before including it in the domains section.


>
>     For item 2) above, add SAN in SSL certificate for all HOST_REGEXP
> other than the first one (set_number == 0)?
>

See above.


>     Thanks,
>     Zhilin
>
>
>
>
>

Re: Is multiple subdomains fully supported?

Posted by "Zhilin Huang (zhilhuan)" <zh...@cisco.com>.
Hmm, no response…

I think I should suppose no one is using multiple subdomains in production. Please respond if I am wrong.

Thanks,
Zhilin

