Hacker News new | past | comments | ask | show | jobs | submit login
Show HN: One hostname to rule them all (onehostname.com)
111 points by mrkurt on Aug 15, 2017 | hide | past | favorite | 76 comments



All data, including user passwords, and all their content going through a third party. All exchanged for some dubious SEO benefits. What can go wrong?


At the risk of stating the obvious, the One Ring is cursed.


Oh hey, and all your js is now on one origin so if you have an xss in your third-party blog software, you now have xss in your app!

Also, good luck writing a sane content-security-policy if you do this.


Yeah, but its maker is his master so... :).


We have an article about how to do it yourself with nginx, if you feel like setting up a bunch of servers in different places: https://fly.io/articles/delivering-multiple-applications-on-...


If you want to do this yourself, caddy http server [0] works really well and is incredibly easy to use / setup. They even have an example on their home page that shows this for /api and /blog

[0] https://caddyserver.com/


It works pretty well with nginx too: https://fly.io/articles/delivering-multiple-applications-on-...

It's trickier than it seems, though, because you need to get the right combination of Host/X-Forwarded-Host right for a given hosting service. And you frequently need to rewrite HTML to fix links. Not rocket surgery, but usually I'd rather put my hours into dev and not tweaking a proxy.


Which is why people just use subdomains. Far less hassle, works fine.


Alternatively: https://traefik.io/


This is exactly what I use to run a bunch of different personal services in subfolders on the same hostname. Sadly, though some things don't support running in subfolders.


Use nginx to lie to them so they think they're running at the server root?


Pretty specific use-case, but if you use Rancher for Docker orchestration, the built-in load-balancer service that you can deploy makes this pretty easy.


Everything is easy if you're hosting all your stuff in the same machine. It gets complicated if you're using third party services, PaaS etc.


A single load balance server is hard?

You don't have to host all your stuff on one server at all.


Ok, I misunderstood everything. You are very right.


What about the protections from XSS which Content Security Policies[0] can provide? It would be unfortunate when a bug in your blog engine can cause a hack of your store.

[0] https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP


CSP still applies, you can apply restrictions by path and hostname. Or am I missing your meaning?


For some reason I believed that CSP rules can be hostnames but not paths. At least in Mozialla's documentation above there is not a single example of a rule with a full path. I can't check it by myself right now to find out the truth as I'm far away from my development PC.


According to the CSP2 spec, the value of a -src directive contains three parts:

    - protocol/scheme (optional)
    - hostname (mandatory)
    - path (optional)
Notably, there is no query portion or fragment portion; browsers are expected to ignore those. Path matching works like a prefix if it ends in a slash. If it doesn't, only exactly that path matches.

In CSP3, the secure protocol/scheme (https, wss) always matches, even if you explicitly specify http://. In CSP2, the implicit scheme matches either; an explicit scheme only matches that scheme. This is typically not useful behavior because you probably have HSTS anyway, so people just use hostnames and only rarely specify the protocol. Most values in practice seem to just be hostnames in general; paths too are rare.


Thank you, that was insightful.


Ah, Mozilla's docs are not great. The spec allows a URI, and there is guidance on how to interpret paths: https://www.w3.org/TR/CSP2/#source-list-path-patching


CSP doesn't help unless you can apply a strict policy to every page of your site. If a single page has an XSS, that gives js execution to the attacking code, which can then steal cookies, forge requests, exfiltrate localstorage, etc.

With multiple domains, you at least can limit the blast radius of an XSS; on the same domain, most protections can be circumvented. E.g. there's no cors protection, so if different apps use different implementations of csrf, just fetch a the other app's page over XHR and parse out it's csrf token; it's probably their or in a cookie which you should be able to read.


Cookies aren't restricted to paths as well.


No, cookies can be restricted to paths, it's just less commonly utilized.

https://developer.mozilla.org/en-US/docs/Web/API/Document/co...


They can be, but the restriction isn't useful, because the Javascript same-origin policy doesn't reliably defend the boundary.


exactly. It still boggles my mind that browsers don't send up the path and domain of a cookie when sending the name & value with a request.

for anyone interested in the topic, https://www.usenix.org/system/files/conference/usenixsecurit... is a must read


The accompanying blog post[1] might have been a better fit for submission, as it has actual content:

[1]: https://fly.io/articles/one-hostname-to-rule-them-all/


I still don't know what this is for, all the fluff (inserted to keep the reader's attention when explaining stuff that might be boring) gets in the way.


It's a service that transforms subdomains to paths.

E.g.:

blog.example.com -> example.com/blog

api.example.com -> example.com/api

docs.example.com -> example.com/docs

... and so on. Supposedly for SEO benefit, but there's the obvious security risk of running all traffic through a third-party.


A bit like CloudFlare?


They seem to work in similar ways, but Cloudflare focuses on speed and security, this just seems to focus on SEO. The security risk is in theory the same, but I'd argue that the risk from Cloudflare is lower as they're a well established service used by major companies.


Okay, so the claim is subdomains = bad, subfolders = good.

Is that true? I'm seeing vague claims ("Subdomains accumulate positive signals differently than root domains") without anything of substance to back up their veracity or relevance.



> Many people have tested this and written about their results:

But I can also find articles saying that subdomains are good for SEO, and Google itself says that subdomains are treated the same as subdirectories.[1]

I'm hoping for more than anecdata.

[1] https://www.youtube.com/watch?v=fKQULFm2BQA&feature=youtu.be...


Even these articles will mention that the benefits to SEO are secondary to good, relevant content that is well structured and semantic. There are downsides as well. Your ability to run paid search is limited by your domain. You can't bid for multiple positions on the same keyword with a single property. In practice, our businesses have had a much better return from the SEM benefits than the minor SEO boost.


Specialized landing pages are one of the few time it makes sense to have separate hostnames. Which is why we put this on onehostname.com.


> Specialized landing pages are one of the few time it makes sense to have separate hostnames.

Why, what is the theory?

Do you have any concern that the "help folder-ize subdomains" business may go away with a Google algorithm update?


These stylized landing pages benefit from branding, and usually aren't a tremendous amount of searchable content (I doubt anyone will ever find onehostname.com with a search engine).

I'm not too worried about Google's algorithm changes. SEO is one "free" benefit of putting everything on a single hostname, but there are lots of reasons it's desirable. You get better speed (especially with tls and http2), more control, even vanity. What we're really helping people do is manage their stuff that's scattered across 15 different services and make sure they're all delivered to end users well.


Ironically hosted on a different hostname than their main site.


Fixed! Good thing our site's setup through fly.io!

https://fly.io/onehostname/


I spent 30 seconds looking at this, and have no idea what they are selling. The first "usable" content was something about taking down blue towers. If you have to sell me on the basis of a stretched LOTR reference, I am going to assume your actual value proposition doesn´t really hold its´own.


It's a paths to subdomains reverse proxy service.

Or, an opportunity to completely fuck yourself when someone breaches them and starts logging all your customer login requests


I love the landing page story. I also strive for single hostnames, but preferably out of one's own server through a proxy in front instead of folders. Relative URLs in subfolders just don't seem to work well on dynamic websites.

One problem I haven't figured out with this app-level routing, though, is how to have a reliable status endpoint. The distance the pinging server needs from the app's running process is at odds with this routing strategy.


The solution, after reading three pages of this site describing the problem very slowly, is a guide to using folders with nginx or haproxy?

HN didn't know this already?


It's <basic _nix tool> as a service.

I'm honestly not going to be surprised when "println as a service" appears AND people use it


LOVE the artwork here! Great story guys.


I don't really have anything to add beside that the fly.io website is beautiful.


I wish there was a way to just tell search engines whether your content should be treated as part of the parent subdomain or not for SEO purposes.

That way you'd keep the XSS protections of CSP, while still not breaking things like github pages or a zillion other subdomain hosted services.



I think that's the opposite: telling browsers to treat some paths as different origin


You can do this with AWS cloudfront


Badly veiled advertisement.


It's not veiled at all.


That's the bad part.


This could be an object lesson in how not to build a landing page. What is this? What is it for? I see a cartoon...but what the hell does any of it mean? Why am I signing up? What am I signing up for?

> Want all your applications on One Hostname?

Uh...no? Should I? I have no idea!

Oh look. Tiny, low contrast text at the very bottom of the page linking to an article that loses my interest before it gets to the point.

This could have been 24 point bold arial black on white: "We made a service called Fly to help you convert subdomains into load-balanced subdirectories to strengthen your brand and improve[0] your SEO. yada yada yada..."

[0] - citation needed, lol


Aw, come on. Not everything posted to Hacker News needs to explain itself in a commonplace way. There's a place for the playfully obscure too. Reacting with rage seems like a parody of the angry spoilsport.

In the spectrum of HN consciousness there's a large chunk of rule-bound literalism. Part of the work of this community is for that to breathe a little and not need to impose itself everywhere. Then everything works better and life becomes more sparkly.


I found the page interesting and pretty, but had absolutely no clue what service it was offering. It's not so much that it needs to explain itself in a commonplace way, as ... explain itself at all!


It's fine to leave some things as an exercise to the reader. We readers can use the exercise.


Totally agree


> There's an honored place for the playfully obscure too.

I get enough of this from work, thanks. There's a fine line between decoding twee whimsy and billable hours that most of these submissions stomp past obliviously.

The first rule of writing is: respect your reader's time (or else they won't read you). I'm all for not taking things to seriously, but if I have to spend 5 minutes to work out if this is an entertaining flight of fancy that I might just learn something from, or an untargeted waste of marketing budget, then I'm going to Have Opinions that I want to Share Online.


The underlying expectation here seems to be that HN readers shouldn't have to work a little. But HN thrives when readers do occasionally have to work a little. So we welcome that. Sorry!


> The underlying expectation here seems to be that HN readers shouldn't have to work a little

That's not my point at all: I work in software, so I love to stare at some cryptic message and mutter and make notes. But when I uncover the answer is "Be sure to drink your Ovaltine", then I'll feel ripped off.

I keep seeing product announcements using this technique of dressing it up in twisty little language, as if they're afraid that what they're saying isn't interesting enough to stand on its own. They slap on the appearance of entertainment, without considering how well it fits with their message (prioritising form over function).

why's (poignant) Guide to Ruby is a fantastic example of how to do it right: the whimsy doesn't detract from the message, but helps frame it and gives the right context for the reader to build the mental model of programming that _why intended to convey.


Ok, I get your point now. But did I miss it or did you really not say this earlier?

We probably assigned this post to different buckets but I agree with you that both buckets exist.


I said:

> if I have to spend 5 minutes to work out if this is […] an untargeted waste of marketing budget, then I'm going to [write a comment about how I wish people would stop doing it]*

I'll try being clear next time.


Also, fuck poetry.


no


HI there! Duly noted! Annie here (I drew the comic). This is a little "gift" that people will come across when they start their journey toward using onehostname. Sorry for the confusion since it's out of context. And your feedback is really helpful!

I hope you enjoy the comic gift!


It's really great work. Are you attached to Fly.io or do you do work for other people?


I would suggest a 'skip the comic and go to the article' link at the top of the page (in the middle), not everyone is a visual learner.


I think you're probably not in the target audience for a comic like this. It's meant to be light and fun, and appeals to people who already want to put all their stuff on one hostname. All the normal "what do you do? why? how?" questions don't really apply here, that's more what our homepage is for.


Got the same first impression. How can a link like this get to the first page of HN?

Without any useful information without having to look on another page, wouldn't it just go into unnoticed?


It's zany! It's fun! It's not one of the two possible websites https://twitter.com/jongold/status/694591217523363840


Totally disagree. The landing page is nice, is pretty, it invites you to read and has two very useful links.

If it was a black on white page I would have read it, acknowledge it and close, perhaps add it to Pinboard for later use and never look at it again. The way it is now I've clicked the links and read the whole article, almost.


It's very pretty, and it tells you absolutely nothing.

Sorry. Correction. It tells you that you can sign up for...something.


I, and I suppose a lot of people, give between 3-5 seconds to tell me what it does. If I am not able to find a reference to anything within this time - I will close the tab. I have scrolled whole website looking for one headline or enlarged text with one sentence explanation of what this is.

Once I failed I turned in to HN comments.

UX on this website is awful, but it has a possibility to be an amazing one. Just a few small changes and people will link to this page as an example of UI. But for now is pretty bad.


Hehehe. This was a bit mean, but there's truth. I've adjusted the page based on the feedback here. Now it's "here's the article for more information" instead of "sign up for this mystery box". :)




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: