Securing WP logins for multiple blogs/domains on one Linode

After setting up a self-signed SSL cert and trying to get it to work for several domains on my Linode last night I wonder if I'm either doing something wrong or thinking about the problem the wrong way.

My intent was to secure the actual login to WP, either via the web admin page or my blog editor, MarsEdit. Setting up an SSL cert seemed to be the right way to go for that, but if I'm reading the Linode Library guide correctly, and especially after trying to configure two different virtual hosts in Apache to the same cert, I think I either need to pay for an additional IP address for each domain/WP instance I want to secure, or find a different way to solve this problem.

So I started trying to set up an SSH tunnel - thinking I could point either my browser or Marsedit to localhost:8081 to point to domain1.com, localhost:8082 to point to domain2.com, etc.

But that doesn't seem to work either, obviously, as each of those domains resolves to the same IP address, and even though Apache redirects http requests to domain1.com to /srv/www/domain1.com/publichtml/ and domain2.com to /srv/www/domain2.com/publichtml/ on the server - when I'm tunneling through to port 22, that redirection doesn't take place.

Do I just need to pony up for multiple IP addresses whether I try to do SSL or an SSH tunnel? I wouldn't mind spending the extra money, but I'd rather not burn yet another IPv4 address (2 extra today, more in the future) if I don't have to.

Thanks for any suggestions!

5 Replies

@mikestanley:

> So I started trying to set up an SSH tunnel - thinking I could point either my browser or Marsedit to localhost:8081 to point to domain1.com, localhost:8082 to point to domain2.com, etc.
>
> But that doesn't seem to work either, obviously, as each of those domains resolves to the same IP address, and even though Apache redirects http requests to domain1.com to /srv/www/domain1.com/publichtml/ and domain2.com to /srv/www/domain2.com/publichtml/ on the server - when I'm tunneling through to port 22, that redirection doesn't take place.

Not sure what you mean by this, but you shouldn't have to bind one local port to each of your websites. The virtual host is determined by the "Host:" header of your HTTP request, not the IP address or port of the server. Unless you set up old-fashioned IP-based virtual hosting, you should be able to point everything at localhost:8080 (forwarded to remote localhost:80).

But what is more likely is that WordPress is doing stupid things, as usual. Last time I checked, WordPress remembered the exact hostname where it was first installed. If you tried to access the same blog using any other hostname, WordPress would automatically redirect you to the hostname it remembered. In addition, all the navigation links are absolute. Somebody in the WordPress team probably thought that this was good for SEO or something. This stupid "feature" was a royal pain in the ass whenever migrating WordPress blogs from one host to another. It's also the reason WordPress doesn't play nicely with SSL. I haven't checked whether WordPress 3.x does this too, but I wouldn't be surprised if the same feature is messing up your fragile redirection scheme.

If you're the only person who needs to log into these blogs securely, the easiest way to do it is to use an SSH tunnel as a SOCKS proxy. No need to bind individual ports to individual sites, no need to change anything on the server side. Just set up dynamic port forwarding (the "-D" switch in the command line, or select "Dynamic" in Putty), and configure your web browser to use the forwarded local port as a SOCKS proxy. Browse the web as usual, and everything (except some Flash content) goes through the tunnel.

Thanks for the reply, and I'll definitely try the SOCKS proxy thing. Right now I am the only person who needs to access the sites securely. That may change in the future, but for now, a solution that works for me only would be just fine.

I'm admittedly out of my element here, so I'm probably doing a bad job of describing what I'm trying, and how it is failing.

Here's the command line for the tunnels I'm making:

ssh -N -p 22 -c 3des user@MyLinodeIP -L 8081/www.domain1.com/80

ssh -N -p 22 -c 3des user@MyLinodeIP -L 8082/www.domain2.com/80

I don't think WordPress is even entering the picture because both of those tunnels direct me to the same website - the default Apache page. Just to make sure I wasn't ending up in the appropriate virtual host document paths (where WordPress is installed) I created a file test123.php at the default Apache document root and I can hit that page by going to both localhost:8081 and localhost:8082.

Configuring the SSH tunnel to be a SOCKS proxy works great! Thanks for your help!

Also, you can run multiple HTTPS sites on the same host:port much of the time, depending on which HTTPS clients you need to support. Or use IPv6.

(I am officially at the "SNI, IPv6, or GTFO" point as far as HTTPS goes. I should start an online campaign.)

@mikestanley:

> ssh -N -p 22 -c 3des user@MyLinodeIP -L 8081/www.domain1.com/80
>
> ssh -N -p 22 -c 3des user@MyLinodeIP -L 8082/www.domain2.com/80

The reason this doesn't work is because Apache will never know the hostnames that you specified there. Those hostnames are only used by SSH to decide which IP and port to forward your requests to. As far as Apache is concerned, you're trying to access localhost. (Remember, domain names only exist for human convenience. Machines will convert them to IP addresses as soon as they get the opportunity.) The SOCKS proxy bypasses all of these issues.

Also, you don't need to specify the 3des cipher, because it's the default anyway. If you want to use a really really strong cipher, use blowfish instead.

As @hoopycat said, SNI is also an option if it's just you who needs secure access. Everything except IE 6-8 (on WinXP) supports SNI nowadays. But whether WordPress will cooperate is anybody's guess.
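The Host-header point made in the first reply, and the explanation above of why the posted `-L` forwards always land on the default Apache page, as an added example that is not part of this thread: a tiny Python stand-in for name-based virtual hosting. A request arriving over a forwarded local port carries `Host: 127.0.0.1:<port>`, so the default site answers; the same connection with the right Host header reaches the right blog, which is what a browser going through the SOCKS proxy sends on its own. The domain names and page bodies are constructed.

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from http.client import HTTPConnection

# Constructed stand-ins for the two name-based virtual hosts (hypothetical names).
VHOSTS = {
    "www.domain1.com": "blog one",
    "www.domain2.com": "blog two",
}
DEFAULT_SITE = "default apache page"  # what the default document root serves

class NameBasedVHostHandler(BaseHTTPRequestHandler):
    """Choose the site from the Host header, as Apache name-based vhosts do."""
    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0].lower()
        body = VHOSTS.get(host, DEFAULT_SITE).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):  # keep the demo quiet
        pass

def start_server():
    srv = HTTPServer(("127.0.0.1", 0), NameBasedVHostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def fetch(port, host_header=None):
    """GET /wp-login.php over a connection to 127.0.0.1:port, which is how a
    request looks after an 'ssh -L' forward.  Without host_header the client
    sends 'Host: 127.0.0.1:port', which matches no vhost."""
    conn = HTTPConnection("127.0.0.1", port, timeout=5)
    headers = {"Host": host_header} if host_header else {}
    conn.request("GET", "/wp-login.php", headers=headers)
    body = conn.getresponse().read().decode()
    conn.close()
    return body

def demo():
    srv = start_server()
    port = srv.server_address[1]
    try:
        return {"tunnel_as_posted": fetch(port),
                "with_host_header": fetch(port, "www.domain1.com"),
                "other_blog": fetch(port, "www.domain2.com")}
    finally:
        srv.shutdown()
        srv.server_close()
```

Call `demo()` to see all three results; the first entry is the "default Apache page" behaviour reported above, the other two show the vhost selection working once the hostname reaches the server.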
