[FX.php List] [OFF] FMS13 & SSL?

Tim 'Webko' Booth tim.webko at gmail.com
Wed Jul 16 21:51:32 MDT 2014


I'll put mine in...

At Niche, we never used a 1 machine. And very rarely a two machine FM type
system...

Nearly all (90%+) were a random web server pointed at a single FM Server
with WPE

Cheers

Webko


On 17 July 2014 13:30, Joel Shapiro <mail at jsfmp.com> wrote:

> Thanks Chris
>
> I wonder how many CWP solutions out in the world use 2- or 3-machine
> configs vs 1-machine.  I know of a number of people that had set up
> 2-machine when the API (& FMI guidelines) first came out but then changed
> to 1-machine a year or two later to "simplify" things.  And I wonder how
> many of the multi-machine configs are set up as per FMI and how many use
> these non-FM web servers.  And I wonder what kind of noticeable performance
> difference there is between the various setups, especially on sites without
> a lot of data &/or traffic.
>
> (Anybody here up for a poll?)
>
> Anyway, I wonder.
>
> Best,
> -Joel
>
>
> On Jul 16, 2014, at 7:34 AM, Chris Hansen <chris at iViking.org> wrote:
>
> > Hey Joel,
> >
> > There might be a performance loss since the data being transferred would
> be XML (verbose).  Of course, as I don't know the format of the data is
> that FileMaker would be passing in the other scenario, it's hard to surmise
> exactly what the performance difference would be.  Also, the various parts
> of FileMaker server might be designed to take advantage of living on a
> single machine (just a guess).  Finally, in my experience, the bigger data
> gets, the more likely it is to live on its own, optimized machine, as
> searching lots of data non-optimally will be much slower than transferring
> a bit of data over the network.
> >
> > At any rate, there are a variety of reasons to use your own web server
> rather than FileMaker's, e.g. wider choice of server options (nginx, linux
> web servers, apache on windows, etc.), the availability of server or php
> modules not available with FileMaker's server version, and so on.
> >
> > Thanks for the update on the SSL process.  My guess is that others may
> well run into the problem down-the-line.
> >
> > Best,
> >
> > --Chris
> >
> > On Jul 15, 2014, at 9:22 PM, Joel Shapiro <mail at jsfmp.com> wrote:
> >
> >> Hi Chris
> >>
> >> Thanks for the reply.
> >>
> >> My understanding is that the changes that came w/ FMS13 made it
> hard/impossible to host different domains on one server, so setting up FMS
> as a one-machine config and then using a separate non-FM web server,
> pointing to the FMS server, was a way to get around that -- just like
> hosting a CWP site on a godaddy server and pointing to some FMS elsewhere.
>  But I'd imagine there must be some performance loss by not having the WPE
> on the second server -- as in a "real" two-machine config -- so if you've
> got the two machines and don't need to host multiple sites, it seems you
> wouldn't want to use that setup.  Or don't I understand correctly?
> >>
> >> FWIW: The tech dept in my situation just had to edit the website
> binding and the originally installed SSL cert is working again.  (I'm going
> to try to get more details from them)
> >>
> >> Best,
> >> -Joel
> >>
> >>
> >> On Jul 15, 2014, at 5:04 PM, Chris Hansen <chris at iViking.org> wrote:
> >>
> >>> Also, keep in mind the "non-traditional" 2-machine install that Bob
> Patin (correct me if I'm wrong, Bob) has been using. Namely, a dedicated
> web server machine, and an "all FileMaker stuff" machine.  Used that way,
> you could use whatever cert you want on the web server.  You can set up the
> cURL used by FX.php to ignore the cert warnings (if it doesn't already),
> and no worries about a user seeing one, as they'd only be connecting via
> the cert on the web server.
> >>>
> >>> Just a thought...  Hopefully it's at least somewhat useful to someone
> =)
> >>>
> >>> Best,
> >>>
> >>> --Chris
> >>>
> >>> On Jul 15, 2014, at 3:57 PM, Joel Shapiro <mail at jsfmp.com> wrote:
> >>>
> >>>> Darn that Go!
> >>>>
> >>>> Thanks for the extra info.  Interesting thought about the 2-machine
> config.  Seems some have had problems using the command-line installation
> on 2-machine configs:
> >>>> http://fmforums.com/forum/topic/90722-ssl-certificate-installation/
> >>>>
> >>>> And FWIW here's the doc w/ SSL install instructions (Appendix D):
> >>>>
> http://www.filemaker.com/nl/support/docs/downloads/security_guide_13_en.pdf
> >>>>
> >>>> Best,
> >>>> -Joel
> >>>>
> >>>>
> >>>> On Jul 15, 2014, at 2:42 PM, Steve Winter <steve at bluecrocodile.co.nz>
> wrote:
> >>>>
> >>>>> Also worth mentioning is that the small list of SSL providers and
> types is because the same cert is used for connections between FMS and the
> web and FMS and FMP/FMGo and it's because of the route certs in Go that you
> can only use those providers...
> >>>>>
> >>>>> However if as in your case you have a two machine install then it
> may be possible that you could install a non-approved provider cert in the
> web machine (i.e a cheaper one) and then have your web connections secured
> with a 'real' certificate, leaving the FMI self-signed one in place on the
> primary server for Pro/Go connections.
> >>>>>
> >>>>> YMMV
> >>>>> Steve
> >>>>>
> >>>>> Sent from the iPhone of Steve Winter
> >>>>> Matatiro Solutions
> >>>>> steve at matatirosolutions.co.uk
> >>>>> +44 777 852 4776
> >>>>>
> >>>>>> On 15 Jul 2014, at 22:33, Steve Winter <steve at bluecrocodile.co.nz>
> wrote:
> >>>>>>
> >>>>>> Howdy
> >>>>>>
> >>>>>> Yes it can, and yes it does, because the FMS install establishes
> its own instance of the httpd service (which IIS also uses) installs its
> own SSL cert into that, and takes over the task of serving data through
> port 443 on that machine.
> >>>>>>
> >>>>>> You can install your own certificate so long as it's issued by one
> of a small set of SSL certificate providers, using the fmsadmin command
> line tool. On a train at the mo, so can't find references, but google
> and/or the FMS docs can provide details.
> >>>>>>
> >>>>>> Cheers
> >>>>>> Steve
> >>>>>>
> >>>>>> Sent from the iPhone of Steve Winter
> >>>>>> Matatiro Solutions
> >>>>>> steve at matatirosolutions.co.uk
> >>>>>> +44 777 852 4776
> >>>>>>
> >>>>>>> On 15 Jul 2014, at 21:58, Joel Shapiro <mail at jsfmp.com> wrote:
> >>>>>>>
> >>>>>>> Hi all
> >>>>>>>
> >>>>>>> It seems FMS13 comes w/ a default SSL certificate, such that
> hitting an FMS13 site on https can bring up an "untrusted
> connection/invalid certificate" warning.  ("The certificate is only valid
> for FMI Certificate Authority...")  I've seen this on two different servers
> now -- both Windows.
> >>>>>>>
> >>>>>>> My question:
> >>>>>>> Is it possible that this FMI cert could override an existing cert?
>  I've got a client who's setting up FMS13 now (2-machine).  Their tech dept
> said they'd installed an SSL cert on the web server but we didn't test it
> before installing FMS.  Now when we go to https we get the FMI "invalid
> certificate" warning.  The tech dept isn't the friendliest, so we're trying
> to check if the FMS install could have overwritten the existing cert -- or
> if this means that there was never one before FMS.
> >>>>>>>
> >>>>>>> Does anybody know?
> >>>>>>>
> >>>>>>> TIA,
> >>>>>>> -Joel
> >>>>>>>
> >>>>>>> _______________________________________________
> >>>>>>> FX.php_List mailing list
> >>>>>>> FX.php_List at mail.iviking.org
> >>>>>>> http://www.iviking.org/mailman/listinfo/fx.php_list
> >>>>>>
> >>>>>> _______________________________________________
> >>>>>> FX.php_List mailing list
> >>>>>> FX.php_List at mail.iviking.org
> >>>>>> http://www.iviking.org/mailman/listinfo/fx.php_list
> >>>>>
> >>>>> _______________________________________________
> >>>>> FX.php_List mailing list
> >>>>> FX.php_List at mail.iviking.org
> >>>>> http://www.iviking.org/mailman/listinfo/fx.php_list
> >>>>
> >>>> _______________________________________________
> >>>> FX.php_List mailing list
> >>>> FX.php_List at mail.iviking.org
> >>>> http://www.iviking.org/mailman/listinfo/fx.php_list
> >>>>
> >>>
> >>> _______________________________________________
> >>> FX.php_List mailing list
> >>> FX.php_List at mail.iviking.org
> >>> http://www.iviking.org/mailman/listinfo/fx.php_list
> >>
> >> _______________________________________________
> >> FX.php_List mailing list
> >> FX.php_List at mail.iviking.org
> >> http://www.iviking.org/mailman/listinfo/fx.php_list
> >>
> >
> > _______________________________________________
> > FX.php_List mailing list
> > FX.php_List at mail.iviking.org
> > http://www.iviking.org/mailman/listinfo/fx.php_list
>
> _______________________________________________
> FX.php_List mailing list
> FX.php_List at mail.iviking.org
> http://www.iviking.org/mailman/listinfo/fx.php_list
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.iviking.org/pipermail/fx.php_list/attachments/20140717/8992d8d0/attachment.html


More information about the FX.php_List mailing list