[Feature Request] Automate custom domain VHOST support in CSC Cloud #87

Open
opened 2022-12-07 12:35:35 -05:00 by n4chung · 5 comments
Owner

Currently, creating vhosts with custom domains requires manual verification on an individual basis as it's not currently possible to verify a particular user's ownership of a domain name.

A few ideas for domain verification:

  • Verify using CNAME/TXT DNS record
  • File upload/host a file at the desired domain/subdomain.

For verifying ownership of an entire domain, it should be sufficient to prove verification for the root of the domain. Verification through CNAME/TXT is probably the best.

For verifying a subdomain (where the user doesn't own the entire domain, eg. third level domains), file upload is likely the only option.

Other Considerations

  • How long should verification last? Should it be checked periodically? Every 3 months?? And every time a verification is requested (through Pyceo)?

  • If multiple users use subdomains from the same domain, how would verification work? If they verify subdomains, there shouldn't be a problem. But if one verifies the entire domain, should that user be the only person able to control vhosts from that domain?

  • Pyceo is currently stateless...

Reference: https://docs.cloud.csclub.uwaterloo.ca/vhosts/

n4chung changed title from Automate custom domain VHOST support in CSC Cloud to [Feature Request] Automate custom domain VHOST support in CSC Cloud 2022-12-07 17:54:23 -05:00
Author
Owner

To automatically verify vhosts for custom domain names, we need to automatically verify a user's ownership of a domain/subdomain name. If ownership could be proven, then a VHOST record should be created for the user.

Verification Methods:

METHOD #​1 (DNS TXT verification):

  1. `ceo cloud vhosts code`: A unique checksum (SHA256 perhaps?) is generated for a particular user who wishes to prove their ownership of a domain.
  2. A `TXT` needs to be created at the ROOT of a domain name based on the unique checksum (eg. `csc-verification`).
  3. `ceo cloud vhosts add <custom domain/subdomain> <forwarded ip>`: Whenever a vhost is created (that requires verification), CEO would query the TXT record before creating the TXT record.

METHOD #​2 (File based verification):
tbd...

Author
Owner

Checks need to be added here: https://git.csclub.uwaterloo.ca/public/pyceo/src/commit/779e35a08e0d724ffacb7864e0cb490464bc892e/ceod/model/VHostManager.py#L93
Member

You could use a long enough uuid when wanting a random string.

For file-based verification, user can upload a file containing a random string, then the ceo can download the file and verify.

Author
Owner

Tests need to be added here: https://git.csclub.uwaterloo.ca/public/pyceo/src/commit/779e35a08e0d724ffacb7864e0cb490464bc892e/tests/ceod/api/test_cloud.py#L90
Author
Owner

@y3285wan Yup. For the UUID, it needs to be associated with a particular user. Perhaps it could be generated from the CSC username.

For file-based verification, the same UUID (unique to the user) could be used as well.

merenber added the priority: low label 2023-10-14 22:18:52 -04:00
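
A sketch of the DNS TXT flow from METHOD #1, added here as an example and not taken from pyceo: the code is an HMAC-SHA256 over username and domain keyed with a server-side secret, so it is tied to one user yet needs no stored state. The function names, the `csc-verification=<code>` record format, the secret and the in-memory resolver are assumptions.

```python
import hashlib
import hmac

TXT_PREFIX = "csc-verification="  # label from the thread; key=value form is assumed
SECRET = b"constructed-demo-secret"  # placeholder; a real secret lives only on the server


def normalize(domain: str) -> str:
    return domain.strip().rstrip(".").lower()


def verification_code(secret: bytes, username: str, domain: str) -> str:
    # Keyed with a server-side secret: a bare SHA256 of the username could be
    # computed by anyone who knows that username. Deriving the code on demand
    # instead of storing it keeps the daemon stateless. The NUL separator
    # prevents ("ab", "c.com") and ("a", "bc.com") from colliding.
    msg = username.encode() + b"\x00" + normalize(domain).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def owns_domain(secret, username, domain, resolve_txt) -> bool:
    # resolve_txt(name) -> list of TXT strings; injected so this runs offline.
    expected = (TXT_PREFIX + verification_code(secret, username, domain)).encode()
    ok = False
    for value in resolve_txt(normalize(domain)):
        candidate = value.strip().strip('"').encode()
        ok |= hmac.compare_digest(candidate, expected)  # constant-time compare
    return ok


# Constructed zone data: alice has published her code at the root of example.com.
ZONE = {
    "example.com": ["v=spf1 -all",
                    TXT_PREFIX + verification_code(SECRET, "alice", "example.com")],
    "example.org": [],
}


def fake_resolver(name):
    return ZONE.get(name, [])


if __name__ == "__main__":
    print(owns_domain(SECRET, "alice", "Example.COM.", fake_resolver))
    print(owns_domain(SECRET, "bob", "example.com", fake_resolver))
    print(owns_domain(SECRET, "alice", "example.org", fake_resolver))
```

Because the code depends on the server secret, rotating that secret invalidates every published record and forces re-verification.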
Reference: public/pyceo#87