path: root/docs/SSL.txt
blob: 2fab983b1d0f9d1abec626636d421dda6f595f71 (plain)
 How to use multiple IPs on your server, also for your SSL-enabled sites

 You can use a quick and simple recipe, explained below.


 1. Use an existing site or deploy a new one as usual - do not enable the SSL features in Aegir.

 2. Create two extra configuration files with contents as shown further below.

    * Replace YO.UR.AEGIR.IP with your Aegir Hostmaster main IP address.
    * Replace YO.UR.EXTRA.IP1, IP2, IP3 etc. with the correct extra IP addresses.
    * Paste your SSL private key in the file /etc/ssl/private/abc-ssl-enabled-domain.key
      and make sure that file is readable by root only.
    * Paste your SSL certificate and all intermediate certificates (bundles)
      in the file /etc/ssl/private/abc-ssl-enabled-domain.crt

 3. Check the configuration with `nginx -t`, then restart Nginx with `service nginx reload` or `service nginx restart`. Done!



###
### Plain HTTP proxy to add more IPs for HTTP connections (START)
###
### CREATE THIS FILE AS: /var/aegir/config/server_master/nginx/pre.d/extra_ip.conf
###
upstream extra_ip {
  ### Backend for the plain-HTTP server block below: the Aegir Hostmaster
  ### main IP on port 80. Replace YO.UR.AEGIR.IP as described above.
  server YO.UR.AEGIR.IP:80;
}
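server {
  ### Catch-all HTTP front end on the extra IPs; every request is handed to
  ### the "extra_ip" upstream (the Aegir main IP) defined above.
  listen                       YO.UR.EXTRA.IP1:80;
  listen                       YO.UR.EXTRA.IP2:80;
  listen                       YO.UR.EXTRA.IP3:80;
  server_name                  _;
  ###
  ### Optional permanent redirect to HTTPS per domain/regex
  ### Note: the trailing "?" drops the query string; use
  ### "return 301 https://$host$request_uri;" if it must be preserved.
  ###
  if ($host ~* ^(www\.)?(foo\.com)$) {
    rewrite ^ https://$host$uri? permanent;
  }
  location / {
    proxy_pass                 http://extra_ip;
    proxy_redirect             off;
    gzip_vary                  off;
    proxy_buffering            off;
    ### proxy_set_header overwrites whatever the client sent for these names,
    ### so the backend only ever sees values generated by this proxy.
    proxy_set_header           Host              $host;
    proxy_set_header           X-Real-IP         $remote_addr;
    proxy_set_header           X-Forwarded-By    $server_addr:$server_port;
    ### $proxy_add_x_forwarded_for appends to a client-supplied chain; only
    ### the last entry (added here) is trustworthy for the backend.
    proxy_set_header           X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header           X-Local-Proxy     $scheme;
    ### Set explicitly, as the HTTPS proxy does, so that a client-supplied
    ### X-Forwarded-Proto header is replaced by the real scheme of this hop
    ### instead of being passed through unchanged.
    proxy_set_header           X-Forwarded-Proto $scheme;
    proxy_pass_header          Set-Cookie;
    proxy_pass_header          Cookie;
    proxy_pass_header          X-Accel-Expires;
    proxy_pass_header          X-Accel-Redirect;
    proxy_pass_header          X-This-Proto;
    proxy_connect_timeout      180;
    proxy_send_timeout         180;
    proxy_read_timeout         180;
    ### Logging is left to the backend vhost, which sees the real client
    ### address via X-Real-IP / X-Forwarded-For.
    access_log                 off;
    log_not_found              off;
  }
}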
###
### Plain HTTP proxy to add more IPs for HTTP connections (END)
###



###
### Secure HTTPS proxy to add more IPs for HTTPS connections (START)
###
### CREATE THIS FILE AS: /var/aegir/config/server_master/nginx/pre.d/extra_ip_ssl.conf
###
upstream extra_ip_ssl {
  ### Backend for the HTTPS server blocks below: the Aegir Hostmaster main
  ### IP on port 80. TLS is terminated in the server blocks, so this hop is
  ### plain HTTP between nginx and the backend on the same host.
  server YO.UR.AEGIR.IP:80;
}
###
### FOR abc-ssl-enabled-domain.com
###
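server {
  ### HTTPS front end for abc-ssl-enabled-domain.com on its own dedicated IP.
  ### The "ssl" listen parameter replaces the deprecated "ssl on;" directive.
  listen                       YO.UR.EXTRA.IP1:443 ssl;
  server_name                  _;
  ### Key and certificate bundle pasted as described in step 2 above; the
  ### key file must be readable by root only.
  ssl_certificate              /etc/ssl/private/abc-ssl-enabled-domain.crt;
  ssl_certificate_key          /etc/ssl/private/abc-ssl-enabled-domain.key;
  ssl_session_timeout          5m;
  ### SSLv3 (POODLE) and TLS 1.0/1.1 (deprecated by RFC 8996) are no longer
  ### offered. Append TLSv1.3 once the nginx/OpenSSL build supports it; add
  ### TLSv1 TLSv1.1 back only if legacy clients genuinely require them.
  ssl_protocols                TLSv1.2;
  ### RC4 is prohibited for TLS (RFC 7465), so it is excluded explicitly.
  ssl_ciphers                  HIGH:!aNULL:!MD5:!RC4;
  ssl_prefer_server_ciphers    on;
  keepalive_timeout            70;
  ###
  ### Deny known crawlers. $is_crawler is not defined in this file; it is
  ### expected to come from the main Aegir nginx configuration - confirm it
  ### exists there before relying on this block.
  ###
  if ($is_crawler) {
    return 403;
  }
  location / {
    ### TLS ends here; the backend is reached over plain HTTP and learns the
    ### original scheme from X-Local-Proxy / X-Forwarded-Proto below.
    proxy_pass                 http://extra_ip_ssl;
    proxy_redirect             off;
    gzip_vary                  off;
    proxy_buffering            off;
    ### proxy_set_header overwrites whatever the client sent for these names,
    ### so the backend only ever sees values generated by this proxy.
    proxy_set_header           Host              $host;
    proxy_set_header           X-Real-IP         $remote_addr;
    proxy_set_header           X-Forwarded-By    $server_addr:$server_port;
    proxy_set_header           X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header           X-Local-Proxy     $scheme;
    proxy_set_header           X-Forwarded-Proto $scheme;
    proxy_pass_header          Set-Cookie;
    proxy_pass_header          Cookie;
    proxy_pass_header          X-Accel-Expires;
    proxy_pass_header          X-Accel-Redirect;
    proxy_pass_header          X-This-Proto;
    proxy_connect_timeout      180;
    proxy_send_timeout         180;
    proxy_read_timeout         180;
    access_log                 off;
    log_not_found              off;
  }
}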
###
### FOR xyz-ssl-enabled-domain.com
###
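server {
  ### HTTPS front end for xyz-ssl-enabled-domain.com on its own dedicated IP.
  ### The "ssl" listen parameter replaces the deprecated "ssl on;" directive.
  listen                       YO.UR.EXTRA.IP2:443 ssl;
  server_name                  _;
  ### Key and certificate bundle for this domain; the key file must be
  ### readable by root only.
  ssl_certificate              /etc/ssl/private/xyz-ssl-enabled-domain.crt;
  ssl_certificate_key          /etc/ssl/private/xyz-ssl-enabled-domain.key;
  ssl_session_timeout          5m;
  ### SSLv3 (POODLE) and TLS 1.0/1.1 (deprecated by RFC 8996) are no longer
  ### offered. Append TLSv1.3 once the nginx/OpenSSL build supports it; add
  ### TLSv1 TLSv1.1 back only if legacy clients genuinely require them.
  ssl_protocols                TLSv1.2;
  ### RC4 is prohibited for TLS (RFC 7465), so it is excluded explicitly.
  ssl_ciphers                  HIGH:!aNULL:!MD5:!RC4;
  ssl_prefer_server_ciphers    on;
  keepalive_timeout            70;
  ###
  ### Deny known crawlers. $is_crawler is not defined in this file; it is
  ### expected to come from the main Aegir nginx configuration - confirm it
  ### exists there before relying on this block.
  ###
  if ($is_crawler) {
    return 403;
  }
  location / {
    ### TLS ends here; the backend is reached over plain HTTP and learns the
    ### original scheme from X-Local-Proxy / X-Forwarded-Proto below.
    proxy_pass                 http://extra_ip_ssl;
    proxy_redirect             off;
    gzip_vary                  off;
    proxy_buffering            off;
    ### proxy_set_header overwrites whatever the client sent for these names,
    ### so the backend only ever sees values generated by this proxy.
    proxy_set_header           Host              $host;
    proxy_set_header           X-Real-IP         $remote_addr;
    proxy_set_header           X-Forwarded-By    $server_addr:$server_port;
    proxy_set_header           X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header           X-Local-Proxy     $scheme;
    proxy_set_header           X-Forwarded-Proto $scheme;
    proxy_pass_header          Set-Cookie;
    proxy_pass_header          Cookie;
    proxy_pass_header          X-Accel-Expires;
    proxy_pass_header          X-Accel-Redirect;
    proxy_pass_header          X-This-Proto;
    proxy_connect_timeout      180;
    proxy_send_timeout         180;
    proxy_read_timeout         180;
    access_log                 off;
    log_not_found              off;
  }
}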
###
### Secure HTTPS proxy to add more IPs for HTTPS connections (END)
###