jonasbardino
commented
5 months ago Thanks for the suggestion - the use cases you mention seem quite reasonable especially in a future fully distributed container setup.
I think this would mainly have to be implemented as a generateconf option in the core migrid codebase, and I can see at least one immediate issue with using it on existing sites where the webdavs service happens to run on the same host/vm as apache. In that situation apache will hijack port 443 on all IPs including the IO host, which is normally used for webdavs, even if only firewall forwarded to an actual high port where the non-privileged mig user can listen. The openid service also preferably should be exposed on port 443 for firewall-friendliness, but I think that part is already solved with the transparent apache proxy to the high port.
A similar solution could perhaps be developed for webdavs, and in that case would probably gain performance from moving the whole TLS-handling into apache and only proxy internally to the raw openid service.
benibr
To make the whole setup ready for deployment on multiple hosts, I guess it's a good idea to remove the Apache
Listenson the different domains and let them listen on0.0.0.0&::/0per default and only selecting vhosts by hostname. That way container could be started easily on any host enabling the option for having multiple IPs per Domain in DNS, using a Loadbalancer which forwards traffic to application servers running Migrid or even using Anycast Routing. Also this would make the Apache config way simple :-)