I built a LAMP web application that lets users create their own profile page where they can upload their resume and portfolio. The URL for a person's profile will be something like

http://jobbank.com/user/johndoe

John Doe registers the domain name http://johndoefreelancer.com and he wants it to point to http://jobbank.com/user/johndoe. Anyone who visits johndoefreelancer.com should not be aware that it's driven by http://jobbank.com/user/johndoe. This means that the browser url should persistently show addresses such as:

http://johndoefreelancer.com/aboutme (really points to jobbank.com/user/johndoe/aboutme)

http://johndoefreelancer.com/portfolio (really points to jobbank.com/user/johndoe/portfolio)

Additionally, clicking on any links [a href=""] should keep you at johndoefreelancer.com instead of sending you to jobbank.com.

My question is, what is the best way to achieve this?

I'm considering:

1) Give instructions to users on how to domain forward with masking

2) Instruct users to fill out the field $homeUrl in their User Profile information, which is saved to the database

3) In my PHP code, if $homeUrl exists, replace all [a href="$_SERVER['HTTP_HOST']"] with [a href="$homeUrl"]

Is this the right approach? Is there a better way?

+1  A: 

An alternative approach would be to tell your users to point their domains to your IP and set them up as name-based virtual hosts. The benefits are:

  1. It's much easier for the user to set up than forwarding with masking (the latter may not even be possible depending on registrar)
  2. You don't have to deal with URL rewriting in your PHP code.

This would be easier to set up if you did not have to use the /user/johndoe prefix for your URLs (which you don't really need to because you can do a domain lookup in your code to determine user id), but is possible with the prefix as well - it's just that mod_rewrite setup would have to be more involved in that case (you'll need to do it per domain).

ChssPly76
RE: #1 - what's wrong with CNAME dns records for this purpose? Name based virtual hosts are messy to maintain with the kind of usage he's looking for, not to mention security would be a nightmare. From what I understand, he's looking for an automated way to achieve the above (without him having to approve each and every one of these).
Lior Cohen
RE: /user/johndoe, I agree. There's no point in doing these regardless of how the domains are set up. +1 here, -1 above = 0.
Lior Cohen
My understanding is that OP's users are buying their domains elsewhere. How is CNAME going to help? Name-based virtual host setup is easily automated in DNS; I'm not sure what you mean by "security nightmare" - it's not like OP's users are going to be involved in any way. The only somewhat messy thing here is mod_rewrite setup (IF he goes with /user/johndoe scheme).
ChssPly76
As the owners of the domain they have bought, they have the ability to set up CNAME records that point from their domain to another domain. E.g. sub.mydomain.com -> jobbank.com. Having a large amount of vhosts that are created in an automated fashion = possible performance penalty. Such a performance penalty could potentially be used for attacks. vhosts are simply not meant to be used that way. A more scalable approach would be using mod rewrite, minus the /user/johndoe scheme, to redirect these requests to a single, controlled entry point (php script, in this case).
Lior Cohen
Re: CNAME - fair enough, though I honestly don't see much difference between that and using A to point to an IP. I'm not so sure about "vhost performance penalty", though - where would that be incurred? In BIND? In Apache? Can you provide a link that would back that up? Same with "potentially be used for attacks" - if someone's going to instigate DOS attack, vhosts or no vhosts are unlikely to be a deciding factor.
ChssPly76
The only plus point of a CNAME would be to let it point to e.g. www.domainname.tld. Which is a good thing: if domainname.tld has to change its IP, no customer has to change his DNS setting.
Rufinus
In Apache. The amount of RAM used by Apache grows with the amount of vhosts, unless wildcards or SQL based vhosts are used (google around for these). Without using the options above, restarting Apache would be required to activate the newly added vhosts. Security != wildcards in general. I suppose you are right about vhosts not being a parameter when DOS attacks are always available, a good point there. See the next comment.
Lior Cohen
Another consideration is that using vhosts, an additional "headache" is added in the form of having to handle dynamic creation. A much cleaner approach would be handling all of this using a simple .htaccess file with mod_rewrite and a PHP script as entry point. No need to handle apache, vhosts, wildcards and other vegetables. More predictable = more secure, scalable and easier to implement.
Lior Cohen
@Rufinus - you're right. Just to clarify the whole "vhost" issue - I didn't mean creating individual `<VirtualHost>` entry for every domain name. I meant using `NameVirtualHost *:80` directive and adding a `ServerAlias` / rewrite rules for each domain.
ChssPly76
@Lior - I type way too slow :-( I've clarified my point re: vhosts above. You're right with regards to .htaccess - it's definitely better as there's no need to restart Apache.
ChssPly76
@Rufinus: +1 for CNAME remark above.
Lior Cohen
Thanks everyone, I've never worked with vhost before, so I'll see if my 3rd party webhosting (it's on a shared server) will allow it.
John
+1  A: 

Hi,

The only practical way I could think of at the moment is:

  1. Add a field in the user's profile for a domain name.

  2. Tell the users to point the DNS host entry to your IP (or your main domain name).

  3. Create a virtual host which is the FIRST of all vhosts you might have. (*)

  4. In this virtual host create an index.php script which looks up the requested domain name in the user profile and displays the page.

You might need to implement a switch for the URLs you print on the page, e.g. if you came over the special index page use / as "base href", in all other cases /user/username is "base href".

*) If Apache gets a request for a name it doesn't know (because it's not a ServerName|Alias of a vhost), it uses the first vhost as fallback.

Rufinus
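
An added example (not code from the answer above or from the asker's application) of the lookup in step 4, as it could sit in the fallback vhost's index.php: the Host header is client-supplied, so it is normalized and validated before a parameterized lookup, and links use a relative base instead of echoing the header. The `users` table, its `username` and `custom_domain` columns, and all function names are assumptions.

```php
<?php
// Added example. Schema and function names are hypothetical.

/** Normalize a raw Host header; null if it is not a plausible DNS hostname. */
function normalize_host(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    $host = strtolower(trim($raw));
    $host = preg_replace('/:\d{1,5}\z/', '', $host);  // drop an optional port
    $host = rtrim((string) $host, '.');                // drop the trailing root dot
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    if (strlen($host) > 253 || !preg_match("/\\A(?:$label\\.)+[a-z]{2,63}\\z/", $host)) {
        return null;                                   // quotes, slashes, spaces etc. end here
    }
    return $host;
}

/** Username that registered this domain, or null when no profile claims it. */
function find_profile(PDO $db, string $host): ?string
{
    $stmt = $db->prepare('SELECT username FROM users WHERE custom_domain = ?');
    $stmt->execute([$host]);
    $name = $stmt->fetchColumn();
    return $name === false ? null : (string) $name;
}

/** "base href" switch: "/" on a custom domain, "/user/<name>/" on the main site. */
function base_href(string $host, string $username, string $mainHost): string
{
    return $host !== $mainHost ? '/' : '/user/' . rawurlencode($username) . '/';
}

// Constructed sample data so the block runs offline (requires pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT, custom_domain TEXT UNIQUE)');
$db->exec("INSERT INTO users VALUES ('johndoe', 'johndoefreelancer.com')");

// Constructed Host header values; in the vhost this would be $_SERVER['HTTP_HOST'] ?? null.
foreach (['JohnDoeFreelancer.com:80', 'unknown.example', 'x.example"><script>', null] as $raw) {
    $host = normalize_host($raw);
    $user = $host === null ? null : find_profile($db, $host);
    if ($user === null) {
        echo var_export($raw, true), " => 404\n";      // web app: http_response_code(404)
        continue;
    }
    echo var_export($raw, true), " => $user, base href ", base_href($host, $user, 'jobbank.com'), "\n";
}
```

The validation pattern accepts ASCII hostnames only; punycode top-level domains would need a wider final label.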