Packetizer

Hosted WebFinger Service

Some domain owners outsource some or all of their services to different service providers. Many domain owners know how to put up a simple web site, but lack the capability, or do not want the responsibility, to set up and manage mail services, instant messaging services, etc. Likewise, some domain owners would like to be able to utilize WebFinger, but do not want to operate the service themselves.

To enable a third party to provide WebFinger service on behalf of your domain, you need to redirect requests arriving at your host to that service provider. With Apache, one merely needs to insert a statement like the following into a .htaccess file or a <VirtualHost> section. Let's assume your domain is called "foo.com" and your service provider told you to direct requests to https://webfinger.example.com/foo/webfinger. The redirection statement for the foo.com domain would be:

Redirect permanent /.well-known/webfinger https://webfinger.example.com/foo/webfinger

It is important that the redirection statement is triggered from foo.com, not www.foo.com. (Of course, www.foo.com could also have its WebFinger service hosted.)

Note that we're using a permanent redirection above. This can be useful because clients might cache the fact that the redirection is in place, which prevents more frequent queries to your server. The negative aspect, though, is that if you switch service providers, it might take some time for the cached information to clear. Therefore, you might prefer something like this:

Redirect /.well-known/webfinger https://webfinger.example.com/foo/webfinger

If the word "permanent" is missing, then the default value is "temp". At present, Apache treats "temp" as a 302 redirection response. Another value that is perhaps most correct given the current HTTP standard is 307. Thus, the following is recommended for temporary redirection:

Redirect 307 /.well-known/webfinger https://webfinger.example.com/foo/webfinger

Do not forget that, for better security, your domain should return these redirections in response to HTTPS queries. HTTP (no TLS) may be used if your domain does not provide TLS support, but note that this means your WebFinger responses will be less secure.
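
One way to check that the redirection behaves as described above, as an added example that is not Packetizer's code: the function takes the URL you queried and the response head your server returned (captured, for instance, with curl -i) and lists what is wrong with it. The sample queries and responses are constructed, and check_redirect and the constant names are chosen for this example.

```python
from urllib.parse import urlsplit, parse_qs

# Names from the page's example; your provider supplies the real target URL.
DOMAIN = "foo.com"
TARGET = "https://webfinger.example.com/foo/webfinger"
REDIRECT_CODES = {301, 302, 307}  # permanent, Apache's "temp", and 307

def check_redirect(query_url, raw_response):
    """Return the problems found in one captured redirect; [] means it is fine."""
    problems = []
    query = urlsplit(query_url)
    if query.scheme != "https":
        problems.append("query was not sent over HTTPS")
    if query.hostname != DOMAIN:
        problems.append(f"query went to {query.hostname}, not {DOMAIN}")
    # Split the response head into the status line and a header dictionary.
    head = raw_response.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(head[0].split()[1])
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if status not in REDIRECT_CODES:
        return problems + [f"status {status} is not a redirect"]
    location, want = urlsplit(headers.get("location", "")), urlsplit(TARGET)
    if location.scheme != "https":
        problems.append("Location is not an https URL")
    if (location.hostname, location.path) != (want.hostname, want.path):
        problems.append("Location is not the provider's endpoint")
    # WebFinger (RFC 7033) names the account in the "resource" query parameter,
    # so the redirect has to carry it over unchanged.
    if parse_qs(location.query).get("resource") != parse_qs(query.query).get("resource"):
        problems.append("resource parameter was not carried over")
    return problems

# Constructed samples, not captured from a real server.
GOOD_QUERY = "https://foo.com/.well-known/webfinger?resource=acct%3Abob%40foo.com"
GOOD_RESPONSE = ("HTTP/1.1 307 Temporary Redirect\r\n"
                 "Location: " + TARGET + "?resource=acct%3Abob%40foo.com\r\n\r\n")
BAD_QUERY = "http://www.foo.com/.well-known/webfinger?resource=acct%3Abob%40foo.com"
BAD_RESPONSE = ("HTTP/1.1 302 Found\r\n"
                "Location: http://webfinger.example.com/foo/webfinger\r\n\r\n")

if __name__ == "__main__":
    for q, r in ((GOOD_QUERY, GOOD_RESPONSE), (BAD_QUERY, BAD_RESPONSE)):
        print(q, "->", check_redirect(q, r) or "OK")
```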