Rail Users Ireland Forum

Unread 27-04-2010, 21:03   #1
Mark Hennessy
Membership Officer
 
Join Date: Dec 2005
Location: Maynooth
Posts: 1,116
Default

Quote:
Originally Posted by Mark Gleeson View Post
Port 8443 is actually a fairly common port to use, it's not a permanent issue, it's being looked into right now. I can view the site through the firewall I'm behind which is strict.
Surely they can just use 443 though for SSL which I believe is standard?

How many of their potential business customers will be unable to use that site due to their corporate firewalls?
Unread 27-04-2010, 21:08   #2
Thomas Ralph
IT Officer
 
Join Date: Sep 2007
Location: Greenwich, London
Posts: 1,860
Default

Mark and I discussed this one earlier. They can't use port 443 because the smartcard backend is on a different server to the reservations backend.
Unread 28-04-2010, 08:23   #3
zag
Regular Poster
 
Join Date: Oct 2006
Posts: 199
Default

Bad move on the 8443 stuff. This won't be a problem for the vast majority of users as their firewall or proxy is configured accordingly, but for quite a number of workplaces this will be a problem as they will normally allow TCP80 & TCP443 outbound without issue, but block other ports. This can be changed, but I know what would happen if I put in a change request in my company to gain access to the Irish Rail website on port 8443 . . . . it would take forever, the network guys would grumble, it would go to the bottom of the list because it's not business critical, etc . . .

There's a reason that people use ports 80 & 443 as standard - it's because they're, you know, standard.

There are ways of getting around this issue on the Irish Rail side - it just needed a little forethought and planning on their side - change one thing once on their side and not require multiple customers to change something on their side multiple times.

Mark - did you say the full journey is charged at half the price of a return journey in your initial post, or is one leg of the journey charged at half the price of the return, with two legs costing the same as a return ? If it's the same as a return I would have to say it's another opportunity lost - there should be some discount, some incentive, something to encourage users to use it. If it costs the same amount as a cash fare then while some people will move to it to avoid the queue at the ticket office, there will still be a lot of people who don't want to shell out in advance. Give them a discount, even a small one, and I think usage would increase.

z
Unread 28-04-2010, 08:37   #4
Thomas Ralph
IT Officer
 
Join Date: Sep 2007
Location: Greenwich, London
Posts: 1,860
Default

Each leg of the journey costs half the return fare. So a single from Bray to Connolly costs 2.35 instead of 2.75. A return is the same as the booking office or vending machine fare. This was the same fare structure Veolia adopted when it launched its smartcard, although there have been few to no smartcard fare increases but several standard ticket increases over the intervening years.

A smartcard is currently the best value for people who make odd journeys, single journeys, or journeys to and from different stations. It's also best for people who make 5 or fewer journeys in a 3-day period, or people whose normal return fare is 2.80 and make 9 or fewer journeys in a 7-day period.

There is a project underway for price capping so that smartcard users will only pay the cost of the lowest possible combination of tickets for the journeys they make in a 3-day or 7-day period.
Unread 28-04-2010, 08:40   #5
Mark Gleeson
Technical Officer
 
Join Date: Dec 2005
Location: Coach C, Seat 33
Posts: 12,652
Default

All journeys are priced at half equivalent return fare. So a return journey costs the same.

A significant portion of ticket sales are still singles. A lot of people purchase singles in the morning as they don't know how they will be getting home that evening. A lot of people queue up for returns every morning as well.

Daily and weekly price capping is something we are discussing with Irish Rail. That would go beyond the now famous Oyster card functionality in London which only handles daily capping. That's the killer function for us as it ensures the lowest fares over a week of use.

The port issue is something we raised with IE, it will be fixed in due course. I have no problem from behind two different corporate firewalls.
Unread 28-04-2010, 09:04   #6
finnyus
Member
 
Join Date: Sep 2008
Location: Cork City/Midleton/Mallow
Posts: 211
Default

When clicking on the "smart card" banner on the home page of irishrail.ie, I get the following:

Quote:
This web page is not available.

The web page at null might be temporarily down or it may have moved permanently to a new web address.

More information on this error
Below is the original error message

Error 111 (net::ERR_TUNNEL_CONNECTION_FAILED): Unknown error.
The address in the address bar is: https://www.irishrail.ie:8443/smartc...nonymousIV.jsf

Is the only way to access this page via the banner or is there a link somewhere else on the website?
Unread 28-04-2010, 09:40   #7
Thomas Ralph
IT Officer
 
Join Date: Sep 2007
Location: Greenwich, London
Posts: 1,860
Default

Going to www.irishrail.ie/smartcard will take you to the same place, but per the posts above it is unlikely to make a difference for you.
Unread 28-04-2010, 09:43   #8
finnyus
Member
 
Join Date: Sep 2008
Location: Cork City/Midleton/Mallow
Posts: 211
Default

Quote:
Originally Posted by Thomas Ralph View Post
Going to www.irishrail.ie/smartcard will take you to the same place, but per the posts above it is unlikely to make a difference for you.
Nope, the same. I thought it might be because I was using Google Chrome, but it's the same for Firefox & Internet Explorer.
Unread 28-04-2010, 09:45   #9
Thomas Ralph
IT Officer
 
Join Date: Sep 2007
Location: Greenwich, London
Posts: 1,860
Default

The fact that you get an error is not browser-dependent (although the text of the error might be). The error is due to some corporate (and other) firewalls blocking port 8443.
Unread 28-04-2010, 13:54   #10
al2637
Member
 
Join Date: Dec 2005
Posts: 191
Default

Quote:
Originally Posted by Thomas Ralph View Post
Mark and I discussed this one earlier. They can't use port 443 because the smartcard backend is on a different server to the reservations backend.
Of course they can, it's called a load balancer, or simple mod_jk in Apache. We do this all the time.
Unread 28-04-2010, 14:10   #11
Thomas Ralph
IT Officer
 
Join Date: Sep 2007
Location: Greenwich, London
Posts: 1,860
Default

One is IIS and the other is Apache.
Unread 28-04-2010, 15:04   #12
zag
Regular Poster
 
Join Date: Oct 2006
Posts: 199
Default

Erm, this is the world of IT - all things are possible. Take it from me that there are multiple ways that this sort of situation could be handled without involving the use of 8443. F'rexample, they could use a different IP address for the second server . . . I doubt very much that they only have a single IP address available

For reference, I am also unable to access the site from my workplace because our firewall configuration does not allow us establish sessions on 8443. Yes, I know Mark can access it.

The IP address behind www.cie.ie belongs to a set of 255 assigned to CIE - http://www.db.ripe.net/whois?form_ty...194.106.151.77

All they need to do is use another one (say 151.78), assign a new hostname (say smartcard.cie.ie) to it, point it to the other server and they're done. Tadaaa. That'll be 15,000 in consultancy fees please.

z
Unread 28-04-2010, 15:25   #13
Thomas Ralph
IT Officer
 
Join Date: Sep 2007
Location: Greenwich, London
Posts: 1,860
Default

That would require a new SSL certificate.
Unread 28-04-2010, 15:30   #14
markpb
Member
 
Join Date: Dec 2005
Posts: 541
Default

Quote:
Originally Posted by Thomas Ralph View Post
That would require a new SSL certificate.
It's not hard to terminate the SSL connection on one machine and then direct one URL to the IIS server and another to the Apache server. It's fully acceptable to do that under PCI-DSS rules. There's no reason for Irish Rail to adopt the approach they've taken other than laziness.
Unread 28-04-2010, 16:53   #15
al2637
Member
 
Join Date: Dec 2005
Posts: 191
Default

IIS or Apache doesn't matter, they can both tunnel to each other, in fact I'd assume they'd have an SSL layer at the front (usually a separate hardware device.. doing SSL on a webserver isn't the most efficient use of resources), this then distributes traffic to the various backend presentation layers (usually not under https either)

Anyway, end of tech. chat. There are numerous ways to do it, IE, sort it out.
Unread 28-04-2010, 16:58   #16
robdrysdale
Member
 
Join Date: Dec 2005
Posts: 75
Default

Quote:
Originally Posted by markpb View Post
It's not hard to terminate the SSL connection on one machine and then direct one URL to the IIS server and another to the Apache server. It's fully acceptable to do that under PCI-DSS rules. There's no reason for Irish Rail to adopt the approach they've taken other than laziness.
Yep. It's called ProxyPass on Apache and I believe Application Request Routing on IIS (which I believe they are running on their main irishrail.ie server). See http://www.iis.net/download/ApplicationRequestRouting Pretty trivial to do. Use it all the time on servers in work.

Running on port 8443 is pretty bad IT really.

Also from a security perspective don't think I'd ever expose an Apache Tomcat server directly to the external world as they have done. I'd question whether their infrastructure can handle the load of many thousands of users as this system goes live.
robdrysdale is offline   Reply With Quote
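
The single-port arrangement described in posts #14 to #16, written out as an Apache httpd reverse-proxy configuration. This is an added example, not part of the thread and not Irish Rail's actual setup; the hostname, internal addresses, URL paths and certificate file names are all assumptions.

```apache
# Added illustration: hostname, addresses, paths and file names are assumptions.
# Requires mod_ssl, mod_proxy, mod_proxy_http and mod_alias.

# Plain HTTP only redirects to HTTPS.
<VirtualHost *:80>
    ServerName www.example.ie
    Redirect permanent / https://www.example.ie/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.ie

    # TLS is terminated here, so one certificate for one hostname
    # covers both applications and no second certificate is needed.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.ie.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.ie.key

    # Act as a reverse proxy only, never as an open forward proxy.
    ProxyRequests Off

    # Smartcard application: Tomcat's HTTP connector on an internal
    # address (assumed 10.0.0.20:8080). The more specific path must
    # come before the catch-all below.
    ProxyPass        /smartcard/ http://10.0.0.20:8080/smartcard/
    ProxyPassReverse /smartcard/ http://10.0.0.20:8080/smartcard/

    # Everything else: the IIS reservations site (assumed 10.0.0.10).
    ProxyPass        / http://10.0.0.10:80/
    ProxyPassReverse / http://10.0.0.10:80/
</VirtualHost>
```

With this layout only ports 80 and 443 need to be reachable from outside, and the Tomcat connector can be bound to the internal address and closed off at the perimeter so it is no longer exposed directly.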
Unread 28-04-2010, 18:59   #17
Mark Gleeson
Technical Officer
 
Join Date: Dec 2005
Location: Coach C, Seat 33
Posts: 12,652
Default

We continue to work with Irish Rail to sort out issues with the system. Several more bugs got squashed today.

We are not privy to the exact setup Irish Rail have, the port issue is an issue we have raised and is a priority issue to solve. The smartcard functions fine without the website, and you can get one from a ticket vending machine anywhere in Dublin.
Unread 28-04-2010, 21:45   #18
Mark Hennessy
Membership Officer
 
Join Date: Dec 2005
Location: Maynooth
Posts: 1,116
Default

Just a reminder that bugs and issues with the Smartcards and Smartcard use while commuting go here:
http://www.railusers.ie/forum/showthread.php?t=12317

IT specific issues with the website can stay here on this thread.
All times are GMT. The time now is 09:27.