Hey Dave,

Yes, it is much clearer for me now. Thank you very much for the clarification!

BTW, based on your example, how could we do the configuration?

1) HOST_REGEXP 1 will be: “.*\.foo.bar.com”? Or explicitly “movie.foo.bar.com”?
2) I think currently the certificate generated by Traffic Ops does not support SAN. Does this mean we need to generate the SSL certificate from another place, and paste it to Traffic Ops only?

It would be very helpful if we could reword the document for HOST_REGEXP > 1. How could we open a ticket? Create a github issue?

Thanks,
Zhilin

On 8/31/17, 10:37 PM, "Dave Neuman" <[email protected]> wrote:

    Hey Zhilin,

    The HOST_REGEXP > 0 is not used the same as HOST_REGEXP = 0. I understand this is confusing, but it is what it is. We should probably get a ticket in to change the behavior or wording so that it is less confusing.

    The HOST_REGEXP > 0 is meant to be a CNAME. So, if you have a CDN with the domain name `example.com` and a HOST_REGEXP 0 of `.*\.movies\.*` you could have a HOST_REGEXP 1 of `movies.foo.bar.com` which will be a CNAME to `movies.example.com`. This will need to be configured in a different DNS server (the one for `bar.com`) and will also need to be a SAN in the DS certificate. Then when the client looks up `different.domain.com` they will be pointed at `tr.movies.example.com` and TR will do the right thing.

    I hope that helps? If not, let me know.

    Thanks,
    Dave

    On Tue, Aug 29, 2017 at 10:52 PM, Zhilin Huang (zhilhuan) <[email protected]> wrote:

> BTW, would you mind giving an example of how you are using HOST_REGEXP > 0 in your production?
>
> We thought HOST_REGEXP > 0 should be very similar to HOST_REGEXP = 0, but it sounds like that is not the case.
>
> Thanks,
> Zhilin
>
>
> On 8/30/17, 12:46 PM, "Zhilin Huang (zhilhuan)" <[email protected]> wrote:
>
>     Hi Dave,
>
>     Thanks a lot for your response!
>
>     Sorry, I have not quite caught up with you. I am still confused about how HOST_REGEXP will work in production, and may need more clarification:
>
>     1) “To support CNAMES from domains outside of the Traffic Control top level DNS domain, enter multiple HOST_REGEXP lines”:
>
>     What does “outside of the Traffic Control top level DNS domain” mean? Will the CNAME still be responded to by Traffic Router?
>
>     If yes, then it looks like it could only work to replace the “tr” or “edge” field. For example, a CDN with domain name “example.com”, and DS with HOST_REGEXP 0 “.*\.movie\..*” and HOST_REGEXP 1 “.*\.aliens\.*”, a zone file “movie.example.com.” will be created. So Traffic Router could only serve DNS requests for “*.movie.example.com”. Does this mean “aliens.movie.example.com” will be a CNAME for “tr.movie.example.com”? I think a domain name like “tr.aliens.example.com” could not be resolved by Traffic Router, correct?
>
>     2) “we use HOST_REGEXP > 0 as CNAMES which would be domains we are not authoritative for and we don't control.”:
>
>     Does this mean the CNAMES are not managed by Traffic Router, and need to be configured in other DNS servers? If yes, how could that work for HTTPS? Take the above example: if the DNS query for “tr.aliens.example.com” would be answered as a CNAME of “tr.movie.example.com” by an outside DNS server, then Traffic Router will respond to the further DNS query for “tr.movie.example.com”. The client will still use “tr.aliens.example.com” in the HTTPS request, therefore the SSL certificate will still not work since no SSL SAN is configured.
>
>     Thanks,
>     Zhilin
>
>
>     On 8/29/17, 11:32 PM, "Dave Neuman" <[email protected]> wrote:
>
>         This doc states To support CNAMES from domains outside of the Traffic Control top level DNS domain, enter multiple HOST_REGEXP lines, which shows that we intended HOST_REGEXP > 0 to be for CNAMES.
>
>         http://trafficcontrol.apache.org/docs/latest/admin/traffic_ops/using.html?highlight=host_regexp#delivery-service-regexp
>
>
>         On Tue, Aug 29, 2017 at 9:29 AM, Dave Neuman <[email protected]> wrote:
>
> > Hi Zhilin,
> > Sorry for not responding sooner.
> >
> > I answered your questions inline below. Let me know what other questions you have.
> >
> > Thanks,
> > Dave
> >
> > On Mon, Aug 28, 2017 at 8:32 PM, Zhilin Huang (zhilhuan) <[email protected]> wrote:
> >
> >> Hmm, no response…
> >>
> >> I think I should suppose no one is using multiple subdomains in production. Please respond if I am wrong.
> >>
> >> Thanks,
> >> Zhilin
> >>
> >>
> >> On 8/25/17, 3:12 PM, "Zhilin Huang (zhilhuan)" <[email protected]> wrote:
> >>
> >>     Hi folks,
> >>
> >>     The multiple subdomain (HOST_REGEXP) feature does not seem to be working in the TC version we are using. However, after checking the code in the latest master branch, I suspect that this is not fully supported:
> >>
> >>     1. Based on the code, Traffic Router may not fully support HOST_REGEXP with “set_number” not equal to 0. The cr-config generated will only include the first HOST_REGEXP in the “domains” field for each delivery service. So the auto-zones will not be generated for other HOST_REGEXP.
> >>
> >
> > Correct, the regex is in the CrConfig but not in the domains section. The HOST_REGEXP > 0 is intended (at least the way we use it) for CNAMEs on other domains. Since the CNAMEs are not on the domain the TR is authoritative for, the TR cannot manage zones for them.
> >
> >
> >>
> >>     2. For HTTPS delivery service, the SSL certificate will only be generated for the first HOST_REGEXP.
> >>
> >
> > Correct, again we use HOST_REGEXP > 0 as CNAMES which would be domains we are not authoritative for and we don't control.
> >
> >
> >>     Is any of you using multiple HOST_REGEXP in your delivery services? Please correct me if my understanding is wrong.
> >>
> >>     If we want to fully support multiple subdomains (HOST_REGEXP), should we do:
> >>
> >>     For item 1) above, expand all HOST_REGEXP and add them into the “domains” field for each delivery service in “cr-config”. Is there any special reason to only include the first one?
> >>
> >
> > Yes, we put CNAMEs in this field so TR could not be authoritative for those zones. You would need to do some check to make sure that TR can actually manage the zone before including it in the domains section.
> >
> >
> >>
> >>     For item 2) above, add SAN in SSL certificate for all HOST_REGEXP other than the first one (set_number == 0)?
> >>
> >
> > See above.
> >
> >
> >>     Thanks,
> >>     Zhilin
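
The HTTPS point raised in the thread (the client keeps using the CNAME hostname in its request, so the delivery service certificate must carry that name as a SAN) can be checked before a CNAME goes live. The following is an added example, not part of the original messages and not Traffic Control code; the hostnames are the ones used in the thread, and the SAN lists, including the wildcard entry, are assumptions constructed for illustration.

```python
# Added example (not Traffic Control code). Hostnames come from the thread;
# the SAN lists are constructed for illustration.

def _labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def san_matches(pattern, hostname):
    """RFC 6125-style check: '*' is honoured only as the entire left-most
    label and stands for exactly one label."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse overly broad wildcards such as '*.com'.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def uncovered(client_hostnames, cert_sans):
    """Hostnames that no SAN entry covers; TLS name validation fails for these."""
    return [h for h in client_hostnames
            if not any(san_matches(s, h) for s in cert_sans)]

# Names a client may put in the HTTPS request (SNI / Host header).
CLIENT_NAMES = ["tr.movies.example.com",   # name under the CDN domain
                "movies.foo.bar.com"]      # HOST_REGEXP 1 CNAME from the thread

# Assumption: a certificate issued only for the HOST_REGEXP 0 domain.
CERT_WITHOUT_CNAME = ["*.movies.example.com"]
# Same certificate with the CNAME added as a SAN, as the thread requires.
CERT_WITH_CNAME = ["*.movies.example.com", "movies.foo.bar.com"]

if __name__ == "__main__":
    print("missing:", uncovered(CLIENT_NAMES, CERT_WITHOUT_CNAME))
    print("missing:", uncovered(CLIENT_NAMES, CERT_WITH_CNAME))
```

Running the same check against the SAN list of the certificate actually pasted into Traffic Ops shows which HOST_REGEXP > 0 names would fail name validation in a client.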
