
Show HN: One hostname to rule them all - mrkurt
https://onehostname.com/
======
megous
All data, including user passwords, and all their content going through a
third party. All exchanged for some dubious SEO benefits. What can go wrong?

~~~
junke
At the risk of stating the obvious, the One Ring is cursed.

~~~
zxcmx
Oh hey, and all your js is now on one origin so if you have an xss in your
third-party blog software, you now have xss in your app!

Also, good luck writing a sane content-security-policy if you do this.

------
Prefinem
If you want to do this yourself, caddy http server [0] works really well and
is incredibly easy to use / setup. They even have an example on their home
page that shows this for /api and /blog

[0] [https://caddyserver.com/](https://caddyserver.com/)

~~~
mrkurt
It works pretty well with nginx too: [https://fly.io/articles/delivering-
multiple-applications-on-...](https://fly.io/articles/delivering-multiple-
applications-on-one-hostname/)

It's trickier than it seems, though, because you need to get the right
combination of Host/X-Forwarded-Host right for a given hosting service. And
you frequently need to rewrite HTML to fix links. Not rocket surgery, but
usually I'd rather put my hours into dev and not tweaking a proxy.

~~~
tokenizerrr
Which is why people just use subdomains. Far less hassle, works fine.

------
jakobdabo
What about the protections from XSS which Content Security Policies[0] can
provide? It would be unfortunate when a bug in your blog engine can cause a
hack of your store.

[0] [https://developer.mozilla.org/en-
US/docs/Web/HTTP/CSP](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)

~~~
mrkurt
CSP still applies, you can apply restrictions by path and hostname. Or am I
missing your meaning?

~~~
jakobdabo
For some reason I believed that CSP rules can be hostnames but not paths. At
least in Mozialla's documentation above there is not a single example of a
rule with a full path. I can't check it by myself right now to find out the
truth as I'm far away from my development PC.

~~~
lvh
According to the CSP2 spec, the value of a -src directive contains three
parts:

    
    
        - protocol/scheme (optional)
        - hostname (mandatory)
        - path (optional)
    

Notably, there is no query portion or fragment portion; browsers are expected
to ignore those. Path matching works like a prefix if it ends in a slash. If
it doesn't, only exactly that path matches.

In CSP3, the secure protocol/scheme (https, wss) always matches, even if you
explicitly specify [http://](http://). In CSP2, the implicit scheme matches
either; an explicit scheme only matches that scheme. This is typically not
useful behavior because you probably have HSTS anyway, so people just use
hostnames and only rarely specify the protocol. Most values in practice seem
to just be hostnames in general; paths too are rare.

~~~
jakobdabo
Thank you, that was insightful.

------
yberreby
The accompanying blog post[1] might have been a better fit for submission, as
it has actual content:

[1]: [https://fly.io/articles/one-hostname-to-rule-them-
all/](https://fly.io/articles/one-hostname-to-rule-them-all/)

~~~
falsedan
I still don't know what this is for, all the fluff (inserted to keep the
reader's attention when explaining stuff that might be boring) gets in the
way.

~~~
theoctopus
It's a service that transforms subdomains to paths.

E.g.:

blog.example.com -> example.com/blog

api.example.com -> example.com/api

docs.example.com -> example.com/docs

... and so on. Supposedly for SEO benefit, but there's the obvious security
risk of running all traffic through a third-party.

~~~
quickthrower2
A bit like CloudFlare?

~~~
theoctopus
They seem to work in similar ways, but Cloudflare focuses on speed and
security, this just seems to focus on SEO. The security risk is in theory the
same, but I'd argue that the risk from Cloudflare is lower as they're a well
established service used by major companies.

------
CharlesW
Okay, so the claim is subdomains = bad, subfolders = good.

Is that true? I'm seeing vague claims ("Subdomains accumulate positive signals
differently than root domains") without anything of substance to back up their
veracity or relevance.

~~~
hayksaakian
Many people have tested this and written about their results:

[https://moz.com/blog/subdomains-vs-subfolders-rel-
canonical-...](https://moz.com/blog/subdomains-vs-subfolders-rel-canonical-
vs-301-how-to-structure-links-optimally-for-seo-whiteboard-friday)

[http://www.bloggingflail.com/subdomains-vs-subdirectories-
se...](http://www.bloggingflail.com/subdomains-vs-subdirectories-seo/)

[https://medium.com/mention/how-we-increased-search-
traffic-3...](https://medium.com/mention/how-we-increased-search-
traffic-373-in-6-weeks-2cb342bd73ec)

~~~
jamestomasino
Even these articles will mention that the benefits to SEO are secondary to
good, relevant content that is well structured and semantic. There are
downsides as well. Your ability to run paid search is limited by your domain.
You can't bid for multiple positions on the same keyword with a single
property. In practice, our businesses have had a much better return from the
SEM benefits than the minor SEO boost.

~~~
mrkurt
Specialized landing pages are one of the few time it makes sense to have
separate hostnames. Which is why we put this on onehostname.com.

~~~
CharlesW
> _Specialized landing pages are one of the few time it makes sense to have
> separate hostnames._

Why, what is the theory?

Do you have any concern that the "help folder-ize subdomains" business may go
away with a Google algorithm update?

~~~
mrkurt
These stylized landing pages benefit from branding, and usually aren't a
tremendous amount of searchable content (I doubt anyone will ever find
onehostname.com with a search engine).

I'm not too worried about Google's algorithm changes. SEO is one "free"
benefit of putting everything on a single hostname, but there are lots of
reasons it's desirable. You get better speed (especially with tls and http2),
more control, even vanity. What we're really helping people do is manage their
stuff that's scattered across 15 different services and make sure they're all
delivered to end users well.

------
firloop
Ironically hosted on a different hostname than their main site.

~~~
mrkurt
Fixed! Good thing our site's setup through fly.io!

[https://fly.io/onehostname/](https://fly.io/onehostname/)

------
mdekkers
I spent 30 seconds looking at this, and have no idea what they are selling.
The first "usable" content was something about taking down blue towers. If you
have to sell me on the basis of a stretched LOTR reference, I am going to
assume your actual value proposition doesn´t really hold its´own.

~~~
stephenr
It's a paths to subdomains reverse proxy service.

Or, an opportunity to completely fuck yourself when someone breaches them and
starts logging all your customer login requests

------
mzzter
I love the landing page story. I also strive for single hostnames, but
preferably out of one's own server through a proxy in front instead of
folders. Relative URLs in subfolders just don't seem to work well on dynamic
websites.

One problem I haven't figured out with this app-level routing, though, is how
to have a reliable status endpoint. The distance the pinging server needs from
the app's running process is at odds with this routing strategy.

------
nailer
The solution, after reading three pages of this site describing the problem
very slowly, is a guide to using folders with nginx or haproxy?

HN didn't know this already?

~~~
stephenr
It's <basic _nix tool> as a service.

I'm honestly not going to be surprised when "println as a service" appears AND
people _use it_

------
thomcrowe
LOVE the artwork here! Great story guys.

------
spookyuser
I don't really have anything to add beside that the fly.io website is
beautiful.

------
showerst
I wish there was a way to just tell search engines whether your content should
be treated as part of the parent subdomain or not for SEO purposes.

That way you'd keep the XSS protections of CSP, while still not breaking
things like github pages or a zillion other subdomain hosted services.

~~~
dgoldstein0
sounds like you want [https://w3c.github.io/webappsec-
suborigins/](https://w3c.github.io/webappsec-suborigins/)

~~~
stephenr
I think that's the opposite: telling browsers to treat some paths as different
origin

------
eadz
You can do this with AWS cloudfront

------
jjuhl
Badly veiled advertisement.

~~~
tptacek
It's not veiled at all.

~~~
falsedan
That's the bad part.

------
BugsJustFindMe
This could be an object lesson in how not to build a landing page. What is
this? What is it for? I see a cartoon...but what the hell does any of it mean?
Why am I signing up? What am I signing up for?

> _Want all your applications on One Hostname?_

Uh...no? Should I? I have no idea!

Oh look. Tiny, low contrast text at the very bottom of the page linking to an
article that loses my interest before it gets to the point.

This could have been 24 point bold arial black on white: "We made a service
called Fly to help you convert subdomains into load-balanced subdirectories to
strengthen your brand and improve[0] your SEO. yada yada yada..."

[0] - citation needed, lol

~~~
fiatjaf
Totally disagree. The landing page is nice, is pretty, it invites you to read
and has two very useful links.

If it was a black on white page I would have read it, acknowledge it and
close, perhaps add it to Pinboard for later use and never look at it again.
The way it is now I've clicked the links and read the whole article, almost.

~~~
BugsJustFindMe
It's very pretty, and it tells you absolutely nothing.

Sorry. Correction. It tells you that you can sign up for...something.

