[FX.php List] [OFF] FMS13 & SSL?

Dale Bengston dale.bengston at gmail.com
Thu Jul 17 07:22:03 MDT 2014


Kevin has described my scenario almost to the letter.

Dale

On Jul 16, 2014, at 10:51 PM, Kevin Futter <KFutter at sbc.vic.edu.au> wrote:

> Non-FM web server set ups all the way here. We publish a wide variety of
> information across many sites using multiple web servers, to both internal
> and external clients - *some* of which is drawn from FileMaker. Having the
> ability for any authorised site or server to connect to FileMaker and
> effectively use it as a web service has great utility for us. So our web
> servers talk to WPE on the FileMaker server. If there's a performance hit,
> the flexibility more than makes up for it. For information that is
> designed from the outset to be published on the web, we use MySQL anyway.
> 
> Kev
> 
> On 17/07/2014 1:30 pm, "Joel Shapiro" <mail at jsfmp.com> wrote:
> 
>> Thanks Chris
>> 
>> I wonder how many CWP solutions out in the world use 2- or 3-machine
>> configs vs 1-machine.  I know of a number of people that had set up
>> 2-machine when the API (& FMI guidelines) first came out but then changed
>> to 1-machine a year or two later to "simplify" things.  And I wonder how
>> many of the multi-machine configs are set up as per FMI and how many use
>> these non-FM web servers.  And I wonder what kind of noticeable
>> performance difference there is between the various setups, especially on
>> sites without a lot of data &/or traffic.
>> 
>> (Anybody here up for a poll?)
>> 
>> Anyway, I wonder.
>> 
>> Best,
>> -Joel
>> 
>> 
>> On Jul 16, 2014, at 7:34 AM, Chris Hansen <chris at iViking.org> wrote:
>> 
>>> Hey Joel,
>>> 
>>> There might be a performance loss since the data being transferred
>>> would be XML (verbose).  Of course, as I don't know what the format of the
>>> data is that FileMaker would be passing in the other scenario, it's hard
>>> to surmise exactly what the performance difference would be.  Also, the
>>> various parts of FileMaker server might be designed to take advantage of
>>> living on a single machine (just a guess).  Finally, in my experience,
>>> the bigger data gets, the more likely it is to live on its own,
>>> optimized machine, as searching lots of data non-optimally will be much
>>> slower than transferring a bit of data over the network.
>>> 
>>> At any rate, there are a variety of reasons to use your own web server
>>> rather than FileMaker's, e.g. wider choice of server options (nginx,
>>> linux web servers, apache on windows, etc.), the availability of server
>>> or php modules not available with FileMaker's server version, and so on.
>>> 
>>> Thanks for the update on the SSL process.  My guess is that others may
>>> well run into the problem down-the-line.
>>> 
>>> Best,
>>> 
>>> --Chris
>>> 
>>> On Jul 15, 2014, at 9:22 PM, Joel Shapiro <mail at jsfmp.com> wrote:
>>> 
>>>> Hi Chris
>>>> 
>>>> Thanks for the reply.
>>>> 
>>>> My understanding is that the changes that came w/ FMS13 made it
>>>> hard/impossible to host different domains on one server, so setting up
>>>> FMS as a one-machine config and then using a separate non-FM web
>>>> server, pointing to the FMS server, was a way to get around that --
>>>> just like hosting a CWP site on a godaddy server and pointing to some
>>>> FMS elsewhere.  But I'd imagine there must be some performance loss by
>>>> not having the WPE on the second server -- as in a "real" two-machine
>>>> config -- so if you've got the two machines and don't need to host
>>>> multiple sites, it seems you wouldn't want to use that setup.  Or don't
>>>> I understand correctly?
>>>> 
>>>> FWIW: The tech dept in my situation just had to edit the website
>>>> binding and the originally installed SSL cert is working again.  (I'm
>>>> going to try to get more details from them)
>>>> 
>>>> Best,
>>>> -Joel
>>>> 
>>>> 
>>>> On Jul 15, 2014, at 5:04 PM, Chris Hansen <chris at iViking.org> wrote:
>>>> 
>>>>> Also, keep in mind the "non-traditional" 2-machine install that Bob
>>>>> Patin (correct me if I'm wrong, Bob) has been using. Namely, a
>>>>> dedicated web server machine, and an "all FileMaker stuff" machine.
>>>>> Used that way, you could use whatever cert you want on the web server.
>>>>> You can set up the cURL used by FX.php to ignore the cert warnings
>>>>> (if it doesn't already), and no worries about a user seeing one, as
>>>>> they'd only be connecting via the cert on the web server.
>>>>> 
>>>>> Just a thought...  Hopefully it's at least somewhat useful to someone
>>>>> =)
>>>>> 
>>>>> Best,
>>>>> 
>>>>> --Chris
>>>>> 
>>>>> On Jul 15, 2014, at 3:57 PM, Joel Shapiro <mail at jsfmp.com> wrote:
>>>>> 
>>>>>> Darn that Go!
>>>>>> 
>>>>>> Thanks for the extra info.  Interesting thought about the 2-machine
>>>>>> config.  Seems some have had problems using the command-line
>>>>>> installation on 2-machine configs:
>>>>>> http://fmforums.com/forum/topic/90722-ssl-certificate-installation/
>>>>>> 
>>>>>> And FWIW here's the doc w/ SSL install instructions (Appendix D):
>>>>>> 
>>>>>> http://www.filemaker.com/nl/support/docs/downloads/security_guide_13_en.pdf
>>>>>> 
>>>>>> Best,
>>>>>> -Joel
>>>>>> 
>>>>>> 
>>>>>> On Jul 15, 2014, at 2:42 PM, Steve Winter
>>>>>> <steve at bluecrocodile.co.nz> wrote:
>>>>>> 
>>>>>>> Also worth mentioning is that the small list of SSL providers and
>>>>>>> types is because the same cert is used for connections between FMS
>>>>>>> and the web and FMS and FMP/FMGo and it's because of the root certs
>>>>>>> in Go that you can only use those providers...
>>>>>>> 
>>>>>>> However if as in your case you have a two machine install then it
>>>>>>> may be possible that you could install a non-approved provider cert
>>>>>>> in the web machine (i.e. a cheaper one) and then have your web
>>>>>>> connections secured with a 'real' certificate, leaving the FMI
>>>>>>> self-signed one in place on the primary server for Pro/Go
>>>>>>> connections.
>>>>>>> 
>>>>>>> YMMV
>>>>>>> Steve
>>>>>>> 
>>>>>>> Sent from the iPhone of Steve Winter
>>>>>>> Matatiro Solutions
>>>>>>> steve at matatirosolutions.co.uk
>>>>>>> +44 777 852 4776
>>>>>>> 
>>>>>>>> On 15 Jul 2014, at 22:33, Steve Winter <steve at bluecrocodile.co.nz>
>>>>>>>> wrote:
>>>>>>>> 
>>>>>>>> Howdy
>>>>>>>> 
>>>>>>>> Yes it can, and yes it does, because the FMS install establishes
>>>>>>>> its own instance of the httpd service (which IIS also uses),
>>>>>>>> installs its own SSL cert into that, and takes over the task of
>>>>>>>> serving data through port 443 on that machine.
>>>>>>>> 
>>>>>>>> You can install your own certificate so long as it's issued by one
>>>>>>>> of a small set of SSL certificate providers, using the fmsadmin
>>>>>>>> command line tool. On a train at the mo, so can't find references,
>>>>>>>> but google and/or the FMS docs can provide details.
>>>>>>>> 
>>>>>>>> Cheers
>>>>>>>> Steve
>>>>>>>> 
>>>>>>>> Sent from the iPhone of Steve Winter
>>>>>>>> Matatiro Solutions
>>>>>>>> steve at matatirosolutions.co.uk
>>>>>>>> +44 777 852 4776
>>>>>>>> 
>>>>>>>>> On 15 Jul 2014, at 21:58, Joel Shapiro <mail at jsfmp.com> wrote:
>>>>>>>>> 
>>>>>>>>> Hi all
>>>>>>>>> 
>>>>>>>>> It seems FMS13 comes w/ a default SSL certificate, such that
>>>>>>>>> hitting an FMS13 site on https can bring up an "untrusted
>>>>>>>>> connection/invalid certificate" warning.  ("The certificate is
>>>>>>>>> only valid for FMI Certificate Authority...")  I've seen this on
>>>>>>>>> two different servers now -- both Windows.
>>>>>>>>> 
>>>>>>>>> My question:
>>>>>>>>> Is it possible that this FMI cert could override an existing
>>>>>>>>> cert?  I've got a client who's setting up FMS13 now (2-machine).
>>>>>>>>> Their tech dept said they'd installed an SSL cert on the web
>>>>>>>>> server but we didn't test it before installing FMS.  Now when we
>>>>>>>>> go to https we get the FMI "invalid certificate" warning.  The
>>>>>>>>> tech dept isn't the friendliest, so we're trying to check if the
>>>>>>>>> FMS install could have overwritten the existing cert -- or if this
>>>>>>>>> means that there was never one before FMS.
>>>>>>>>> 
>>>>>>>>> Does anybody know?
>>>>>>>>> 
>>>>>>>>> TIA,
>>>>>>>>> -Joel
>>>>>>>>> 
>>>>>>>>> _______________________________________________
>>>>>>>>> FX.php_List mailing list
>>>>>>>>> FX.php_List at mail.iviking.org
>>>>>>>>> http://www.iviking.org/mailman/listinfo/fx.php_list
> 
> St Bernard's College
> Achieving Excellence By Learning And Doing
> Kevin Futter
> Webmaster
> Ph: +61392891007 | Mobile:
> Email: KFutter at sbc.vic.edu.au<mailto:KFutter at sbc.vic.edu.au>
> 41 Rosehill Road, Essendon, Victoria, 3040 | Ph: 03 9289 1000 | F: 9337 1741 | www.sbc.vic.edu.au<http://www.sbc.vic.edu.au/>



More information about the FX.php_List mailing list
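
Added example, not from any poster in this thread and not part of FX.php: for the web-server-to-FileMaker hop discussed above, a PHP cURL wrapper that trusts one specific backend certificate (by CA file, or by public-key pin when the certificate's name cannot match the host) and fails closed otherwise. The function names and the idea of passing a CA file path or pin value are assumptions made for illustration.

```php
<?php
// Added example. Function names are hypothetical; callers supply their own
// URL, CA file path and pin value (none of these come from the thread).

/**
 * cURL handle for the web server -> FileMaker Server hop.
 * Give a CA file to get normal chain and host-name checks against that file
 * only, or an SPKI pin (base64 SHA-256 of the server's public key) when the
 * certificate's name cannot match the host. At least one is required.
 */
function backend_handle(string $url, ?string $caFile, ?string $spkiPin)
{
    if ($caFile === null && $spkiPin === null) {
        throw new InvalidArgumentException('need a CA file or a public-key pin');
    }
    if ($caFile !== null && !is_readable($caFile)) {
        throw new RuntimeException("CA file not readable: $caFile");
    }
    $opts = [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,  // do not follow redirects to another host
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 30,
        CURLOPT_SSL_VERIFYPEER => $caFile !== null,         // chain check
        CURLOPT_SSL_VERIFYHOST => $caFile !== null ? 2 : 0, // name check
    ];
    if ($caFile !== null) {
        $opts[CURLOPT_CAINFO] = $caFile;  // trust this file, not the system store
    }
    if ($spkiPin !== null) {
        // The pin is compared against the key the server presents,
        // whether or not the chain and name checks are enabled.
        $opts[CURLOPT_PINNEDPUBLICKEY] = 'sha256//' . $spkiPin;
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, $opts);
    return $ch;
}

function backend_get(string $url, ?string $caFile, ?string $spkiPin): string
{
    $ch = backend_handle($url, $caFile, $spkiPin);
    $body = curl_exec($ch);
    if ($body === false) {
        // Fail closed: report the error, never retry with checks turned off.
        throw new RuntimeException(
            sprintf('backend request failed (%d): %s', curl_errno($ch), curl_error($ch))
        );
    }
    return $body;
}
```

A pin mismatch or an untrusted chain surfaces as an exception carrying cURL's own error number, which makes a swapped backend certificate visible in the web server's logs.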