- 12 May 2023
Domains
- Updated on 12 May 2023
Domains allows you to configure additional domains (Virtual Hosts) to be accepted by a single Zone. This allows custom branding of the portal based on the domain that is used to connect to the zone. It is also useful when a company name changes, because the zone can accept both the new and the old domain during a migration period.
The default domain is always present and cannot be removed. The virtual host of the default domain can only be changed with system permissions. The license becomes invalid after the default domain is changed, which causes downtime until the license has been updated with the new domain.
Details
Name | Description |
---|---|
Name | Friendly name of the domain |
Default | When checked, this is the default domain of the Zone. |
Enabled | Whether or not the domain is enabled and usable. |
Virtual host | Virtual host of the domain. |
Description | Detailed description of the domain |
Certificate
TLS secures the connection between the user and the workspace. If a default certificate for the webserver is required, configure it through the Windows Certificate Store; for more information, refer to the corresponding documentation: HTTPS (Webserver certificates). You can have trouble reaching a zone if the zone certificate expires while HSTS is enabled; refer to your browser documentation for how to remove the HSTS state in the browser for the zone domain.
You can only select a certificate that includes a private key. While not strictly required, it is best practice to only use certificates that have the full certificate chain imported. By default, HTTP.sys (part of the Windows OS) allows the use of insecure or obsolete protocols, ciphers, key exchange algorithms and hashes for maximum compatibility. While this allows a wide range of browsers to interact with the webserver, it also opens potential opportunities for TLS attacks. To harden TLS security, see: TLS Hardening.
Name | Description |
---|---|
Certificate | Select the certificate to secure the webserver. If the certificate is not present in the list, you can add it by following the steps here. |
ACME
With the ACME client you can automatically request and maintain certificates. At this moment, only “Let’s Encrypt” is supported. After enabling the ACME client, you can request a certificate. By default, the system scheduled task “Check ACME certificates” checks every day whether ACME certificates need to be renewed.
Provider | Details |
---|---|
Let’s Encrypt | Requested certificates are valid for 90 days. After 60 days, a new certificate will be requested. |
The ACME client itself uses a certificate to authenticate against a provider. This certificate can be found under Management / Certificates after the first certificate has been requested. The requested certificates, including the chain, are stored in the same place.
Requirements for ACME usage
The provider will check if the zone name belongs to the requester. For this check to be successfully completed, the following must be in order:
- The DNS name of the domain must be resolvable on the internet to the Liquit environment
- The Liquit environment must be accessible over port 80 from the internet
Redirects from HTTP port 80 to HTTPS port 443 are allowed when the redirects include the original request path. For example: http://workspace.liquit.com/.well-known/acme-challenge/[token] redirects to https://workspace.liquit.com/.well-known/acme-challenge/[token]. HTTPS port 443 is not required to have a valid SSL certificate, because the ACME challenge mechanism will not validate any certificate.
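The two requirements and the redirect rule above can be checked before a certificate is requested. The following Python sketch is an added example, not Liquit code: `check_redirect` and `probe` are hypothetical helper names, the token is a constructed placeholder, and the restriction of redirect targets to ports 80 and 443 reflects what Let’s Encrypt follows during HTTP-01 validation.

```python
import http.client
from urllib.parse import urljoin, urlsplit

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
DEFAULT_PORTS = {"http": 80, "https": 443}


def check_redirect(request_url, location):
    """Judge one redirect hop of a challenge request; returns (ok, reason)."""
    src = urlsplit(request_url)
    dst = urlsplit(urljoin(request_url, location))  # Location may be relative
    if not src.path.startswith(CHALLENGE_PREFIX):
        return False, "request is not an ACME challenge URL"
    if dst.scheme not in DEFAULT_PORTS:
        return False, "redirect leaves http/https"
    try:
        port = dst.port or DEFAULT_PORTS[dst.scheme]
    except ValueError:
        return False, "redirect target has an invalid port"
    if port != DEFAULT_PORTS[dst.scheme]:
        return False, "redirect target uses a non-default port"
    if dst.path != src.path:
        return False, "redirect does not keep the original request path"
    return True, "ok"


def probe(host, token="preflight-token"):
    """Live check, run from the internet side: one GET to port 80, redirects not followed."""
    path = CHALLENGE_PREFIX + token  # constructed token; a 404 still proves reachability
    conn = http.client.HTTPConnection(host, 80, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        location = resp.getheader("Location")
    except OSError as exc:  # DNS failure, refused connection, timeout
        return False, f"port 80 not reachable: {exc}"
    finally:
        conn.close()
    if 300 <= resp.status < 400 and location:
        return check_redirect(f"http://{host}{path}", location)
    return True, f"answered on port 80 with HTTP {resp.status}"


if __name__ == "__main__":
    # Offline demonstration with constructed Location values; host taken from the example above.
    url = "http://workspace.liquit.com" + CHALLENGE_PREFIX + "tok"
    for loc in ("https://workspace.liquit.com" + CHALLENGE_PREFIX + "tok",
                "https://workspace.liquit.com/", "/login"):
        print(loc, "->", check_redirect(url, loc))
```

Run `probe` from a machine outside the network so that DNS resolution and the port 80 firewall rule are tested the way the provider sees them.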
Settings
Name | Description | Required |
---|---|---|
Use ACME | Whether ACME is used. | |
Provider | The provider that will be contacted. | Yes |
Contact email addresses | The email addresses for the ACME account. ACME errors will be mailed to these email addresses as well. | Yes |