Question about VIP SSL


johnP

Jul 5, 2012, 3:33:59 PM
to google-a...@googlegroups.com
VIP SSL for custom domains, as I understand, means Virtual IP. I had a domain foo.com and recently activated VIP SSL for the domain.

Question:  

a.  Am I correct in understanding that httpS://foo.com will always resolve to one IP Address?
b.  Does that mean that http://foo.com  will also resolve to that same IP Address?
c.  Is it possible that customers may have  IP_orig DNS cached, and the cache has not updated recently (due to power outages on the East Coast, for example), so httpS is trying to resolve to the old IP and failing?


Barry Hunter

Jul 5, 2012, 5:53:23 PM
to google-a...@googlegroups.com
On Thu, Jul 5, 2012 at 8:33 PM, johnP <jo...@thinkwave.com> wrote:
> VIP SSL for custom domains, as I understand, means Virtual IP. I had a
> domain foo.com and recently activated VIP SSL for the domain.
>
> Question:
>
> a. Am I correct in understanding that httpS://foo.com will always resolve
> to one IP Address?
> b. Does that mean that http://foo.com will also resolve to that same IP
> Address?

DNS is not protocol specific. So foo.com will resolve the same.

On a 'naked domain' like that, CNAMEs don't work (well), so you must be
using an actual IP address (i.e. an A record) - so it resolves to what you
set in your DNS settings.

Because of that, not sure how good an idea it is to use App Engine with
a naked domain. Google Apps does, however, allow you to set up
redirection on the naked domain.


Google will almost certainly be running a standard HTTP (port 80)
proxy on your VIP as well as a HTTPS (port 443) proxy.

Or if Google are managing your DNS for you, they could be managing the
A record for the domain, so it's the same as the CNAME. (I don't know if
Google offer this)



> c. Is it possible that customers may have IP_orig DNS cached, and the
> cache has not updated recently (due to power outages on the East Coast, for
> example), so httpS is trying to resolve to the old IP and failing?

Well, this is where using the CNAME would be good, the final IP should
have a short TTL, so won't be cached for long. But if Google need to
perform an emergency migration of your IP address, clients should
pick up the new IP relatively quickly.

Or they might be able to move your IP itself - at routing level,
to an unaffected location.

But really use a CNAME, and let Google worry about migrations.


Cayden Meyer

Jul 5, 2012, 7:58:42 PM
to google-a...@googlegroups.com
Hi John,


On 6 July 2012 05:33, johnP <jo...@thinkwave.com> wrote:
> Question:
>
> a. Am I correct in understanding that httpS://foo.com will always resolve to one IP Address?

When you have a VIP it will often resolve to the one IP Address; however, at this point we do not guarantee the IP address will remain unchanged. As such we strongly recommend using the CNAME we provide.

I would recommend using the naked domain redirection provided by Google Apps if you wish to use naked domains.

> b. Does that mean that http://foo.com will also resolve to that same IP Address?

Both HTTPS and HTTP will resolve to the same DNS record, in short yes.

> c. Is it possible that customers may have IP_orig DNS cached, and the cache has not updated recently (due to power outages on the East Coast, for example), so httpS is trying to resolve to the old IP and failing?

Our infrastructure is designed so that traffic will be routed through the nearest possible data center to where your application is serving. Your application will fail over to a different data center if there are any issues with the data center you are currently serving out of. What this means is that the situation you are talking about should not happen if you are using the CNAME we provide, nor should a power outage in one of our data centers cause your application to be unreachable.

If you use an A record instead and the IP changes for some reason then this would be an issue; this is why we strongly recommend you do not use an A record.

Cheers,

Cayden Meyer
Product Manager, Google App Engine

johnP

Jul 5, 2012, 8:05:53 PM
to google-a...@googlegroups.com
Thanks for the response.  We were trying to figure out why one user can access http://www.foo.com but cannot access https://www.foo.com (all other users seem to have no problem).  We recently activated SSL for custom domains.  This user is in a location severely affected by the blackouts.  So I was working through a theory that the user's DNS might be stuck from our pre-ssl days. Maybe their computer clock has been reset.  Dunno :)


johnP

Jul 5, 2012, 8:14:31 PM
to google-a...@googlegroups.com
We are using a CName aliased to  ghs.google.com

The expiration time on the record is 15 minutes.

The naked-domain was an error introduced in my wording of the question.  The user (from two locations, from school and from home, in West Virginia) is properly using the www subdomain in the request. In any case, we forward the naked domains at a DNS level.

We initiated SSL on Monday night/Tuesday morning.  There was a flurry of users from that same area in West Virginia having this issue.  We have no reports of other users having the issue.  So I was thinking there might be an ISP that has not refreshed the DNS cache.

johnP

Iain Wade

Jul 5, 2012, 10:58:03 PM
to google-a...@googlegroups.com
On Fri, Jul 6, 2012 at 10:14 AM, johnP <jo...@thinkwave.com> wrote:
> We are using a CName aliased to ghs.google.com

just to be clear, ghs.google.com is not the VIP CNAME - it is the
shared CNAME which only supports SNI.

VIP CNAMEs are of the form: ghs-svc-https-cXXXX.ghs-ssl.googlehosted.com.

the two services have different network architectures.

> The expiration time on the record is 15 minutes.
>
> The naked-domain was an error introduced in my wording of the question. The
> user (from two locations, from school and from home, in West Virginia) is
> properly using the www subdomain in the request. In any case, we forward the
> naked domains at a DNS level.
>
> We initiated SSL on Monday night/Tuesday morning. There was a flurry of
> users from that same area in West Virginia having this issue. We have no
> reports of other users having the issue. So I was thinking there might be
> an ISP that has not refreshed the DNS cache.

Is it possible that your users are using web browsers which do not
support SNI? (for example MSIE on Windows XP).

If you're paying for a VIP, you will have better compatibility if you
use your personal ghs-svc-https-cXXXX.ghs-ssl.googlehosted.com CNAME
shown in the CPanel.

--Iain

johnP

Jul 6, 2012, 1:13:41 AM
to google-a...@googlegroups.com
Iain -

Thank you - your answer resolved my issue.  

johnP

拼客爱

Jul 6, 2012, 4:22:19 AM
to google-a...@googlegroups.com

Account Administrator Invitation
 
Invalid Entry
Account owners cannot be assigned as an Account Administrator. Please create a new account and try accepting your invite using your new account.



What does this mean? Why can't I create a new account with administrator for here?


Domain Name Platform Status Account Admin Disk Size Bandwidth
Linux Pending Setup
No
10,000 MB Unlimited





 



--
Technology builds the future, marketing opens up the world!