Skip to content

Commit

Permalink
Move deprecated SSL docs to separate file
Browse files Browse the repository at this point in the history
  • Loading branch information
@omega8cc
omega8cc committed Aug 14, 2016
1 parent bc08c78 commit 2a1b9cd
Show file tree
Hide file tree
Showing 2 changed files with 131 additions and 131 deletions.
131 changes: 0 additions & 131 deletions docs/SSL.txt
View file
Original file line number Diff line number Diff line change
Expand Up @@ -182,134 +182,3 @@ as explained in this document further below.

NOTE: If you are on hosted BOA, all you need to do are steps: 1, 2, 4 and 5
from the list above. You don't need to reload nginx, move vhosts, etc.


NOTE ###===>>>

The old how-to attached below is still useful if you prefer to use SSL
termination separated from your Aegir system, or if you don't want to use
built-in Letsencrypt.org SSL certificates support (available since BOA-3.1.0).

But if you can use Letsencrypt.org SSL certificates, or you are willing to use
also built-in BOA feature which allows you to replace Letsencrypt.org SSL
certificate with any third-party certificate per site, while still managing SSL
via Aegir control panel (for redirects, forced/required SSL mode), we highly
recommend to use Aegir built-in SSL support, which is enabled and ready to use
in all Octopus instances since BOA-3.1.0 release.

NOTE ###===>>>


@=> How to add local proxy on the same (TLS/SNI) or dedicated IP address

BOA provides an easy to use tool to generate correct proxy vhosts
for either dedicated IP addresses or default IP address in the TLS/SNI mode.

Note: The proxy vhosts can reside on the same or remote BOA system, when
the target IP address is hosted on a different system than the proxy.

The steps are almost the same for both options, as shown below, and the only
difference is that for proxy listening on the default IP address, both the
dedicated_ip and target_ip columns should list the same, default IP address.

IMPORTANT!

The 'domain_name' is a placeholder for domain name without any prefixes.
Please don't include 'www.' prefix. If you have a wildcard certificate,
don't use the *. prefix in front of 'domain_name'. If you have a multi-domain
certificate, use any domain or subdomain listed in the certificate, but make
sure to not include any prefix.

@=> Prepare the certificate and the private key files

1. Paste your private SSL key in the file /etc/ssl/private/{domain_name}.key

2. Paste your SSL certificate and all intermediate certificates (bundles)
below it in the file /etc/ssl/private/{domain_name}.crt

For more related technical hints check also: https://omega8.cc/ssl-order

@=> Verify that the dedicated IP is active (if expected to be used)

Make sure that your system already has the extra IP address activated,
if expected to be used. Otherwise Nginx will fail to start!

To check if it is active, type as root:

$ hostname -I | grep dedicated_ip

If the output is empty, stop here and set up your networking properly first,
so the dedicated IP will be listed. Explaining how to set up networking
is beyond the scope of this how-to -- please consult your hosting provider
docs and support for assistance, if needed.

@=> Generate HTTPS and HTTP proxy vhosts

1. Create a config file: /root/.ssl.proxy.cnf with one record per line:

domain_name target_ip o1 foo@email dedicated_ip
domain_name target_ip o2 bar@email dedicated_ip

All fields are required and must be separated with a single space.

Make sure that 'domain_name' in the {domain_name}.key and {domain_name}.crt
filenames matches the 'domain_name' in the respective domain first column
in the /root/.ssl.proxy.cnf config file.

To add HTTPS+HTTP proxy on the same IP address, just use the same IP address
both for 'target_ip' and 'dedicated_ip' columns in the respective record.

You can generate both dedicated and TLS/SNI proxy vhosts at the same time.

2. Finally run as root:

$ xboa ssl-gen

3. Point the 'domain_name' DNS to 'dedicated_ip' if different than 'target_ip'

@=> How to enable permanent redirect to HTTPS with dedicated IP

Edit /var/aegir/config/server_master/nginx/pre.d/z_{domain_name}_pln_proxy.conf

Add the extra if{} pseudo-location within the server{} configuration block.

Make sure that regex in the first line lists all aliases you want to
redirect to the HTTPS permanently, as shown in the example below:

###
### Optional permanent redirect to HTTPS per domain/regex
###
if ($host ~* ^(www\.)?((foo|bar)\.com)$) {
return 301 https://$host$request_uri;
}

Make sure that all dots in all aliases are escaped, as shown above.

@=> How to enable permanent redirect to HTTPS with single IP

While it is not possible to force HTTPS-only mode on the Nginx level in this
case because the site doesn't have separate IP and we can't add effectively
duplicate vhost for plain HTTP proxy, you can add in the local.settings.php
file the PHP code shown below:

// redirect start
$base_url = 'https://' . $_SERVER['HTTP_HOST'];
$request_type = ($_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') ? 'SSL' : 'NONSSL';
if ($request_type != "SSL" && isset($_SERVER['HTTP_USER_AGENT'])) {
if (!preg_match("/(?:x-progress-id|ahah|filefield_nginx_progress\/*|tinybrowser|f?ckeditor)/", $_SERVER['REQUEST_URI']) &&
!preg_match("/(?:tinymce|flowplayer|jwplayer|videomanager|autocomplete|ajax|batch|js\/.*)/", $_SERVER['REQUEST_URI']) &&
!preg_match("/(?:x-progress-id|ahah|filefield_nginx_progress\/*|tinybrowser|f?ckeditor)/", $_SERVER['QUERY_STRING']) &&
!preg_match("/(?:tinymce|flowplayer|jwplayer|videomanager|autocomplete|ajax|batch|js\/.*)/", $_SERVER['QUERY_STRING'])) {
header('X-Accel-Expires: 1');
header("HTTP/1.1 301 Moved Permanently");
header("Location: https://" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
header("Connection: close");
exit;
}
}
// redirect end

@=> Related issue comments

https://github.com/omega8cc/boa/issues/465#issuecomment-77743643
https://github.com/omega8cc/boa/issues/465#issuecomment-77786301
131 changes: 131 additions & 0 deletions docs/old/SSL.txt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,131 @@


NOTE ###===>>>

The old how-to shown below is still useful if you prefer to use SSL
termination separated from your Aegir system, or if you don't want to use
built-in Letsencrypt.org SSL certificates support (available since BOA-3.1.0).

But if you can use Letsencrypt.org SSL certificates, or you are willing to use
also built-in BOA feature which allows you to replace Letsencrypt.org SSL
certificate with any third-party certificate per site, while still managing SSL
via Aegir control panel (for redirects, forced/required SSL mode), we highly
recommend to use Aegir built-in SSL support, which is enabled and ready to use
in all Octopus instances since BOA-3.1.0 release.

NOTE ###===>>>


@=> How to add local proxy on the same (TLS/SNI) or dedicated IP address

BOA provides an easy to use tool to generate correct proxy vhosts
for either dedicated IP addresses or default IP address in the TLS/SNI mode.

Note: The proxy vhosts can reside on the same or remote BOA system, when
the target IP address is hosted on a different system than the proxy.

The steps are almost the same for both options, as shown below, and the only
difference is that for proxy listening on the default IP address, both the
dedicated_ip and target_ip columns should list the same, default IP address.

IMPORTANT!

The 'domain_name' is a placeholder for domain name without any prefixes.
Please don't include 'www.' prefix. If you have a wildcard certificate,
don't use the *. prefix in front of 'domain_name'. If you have a multi-domain
certificate, use any domain or subdomain listed in the certificate, but make
sure to not include any prefix.

@=> Prepare the certificate and the private key files

1. Paste your private SSL key in the file /etc/ssl/private/{domain_name}.key

2. Paste your SSL certificate and all intermediate certificates (bundles)
below it in the file /etc/ssl/private/{domain_name}.crt

For more related technical hints check also: https://omega8.cc/ssl-order

@=> Verify that the dedicated IP is active (if expected to be used)

Make sure that your system already has the extra IP address activated,
if expected to be used. Otherwise Nginx will fail to start!

To check if it is active, type as root:

$ hostname -I | grep dedicated_ip

If the output is empty, stop here and set up your networking properly first,
so the dedicated IP will be listed. Explaining how to set up networking
is beyond the scope of this how-to -- please consult your hosting provider
docs and support for assistance, if needed.

@=> Generate HTTPS and HTTP proxy vhosts

1. Create a config file: /root/.ssl.proxy.cnf with one record per line:

domain_name target_ip o1 foo@email dedicated_ip
domain_name target_ip o2 bar@email dedicated_ip

All fields are required and must be separated with a single space.

Make sure that 'domain_name' in the {domain_name}.key and {domain_name}.crt
filenames matches the 'domain_name' in the respective domain first column
in the /root/.ssl.proxy.cnf config file.

To add HTTPS+HTTP proxy on the same IP address, just use the same IP address
both for 'target_ip' and 'dedicated_ip' columns in the respective record.

You can generate both dedicated and TLS/SNI proxy vhosts at the same time.

2. Finally run as root:

$ xboa ssl-gen

3. Point the 'domain_name' DNS to 'dedicated_ip' if different than 'target_ip'

@=> How to enable permanent redirect to HTTPS with dedicated IP

Edit /var/aegir/config/server_master/nginx/pre.d/z_{domain_name}_pln_proxy.conf

Add the extra if{} pseudo-location within the server{} configuration block.

Make sure that regex in the first line lists all aliases you want to
redirect to the HTTPS permanently, as shown in the example below:

###
### Optional permanent redirect to HTTPS per domain/regex
###
if ($host ~* ^(www\.)?((foo|bar)\.com)$) {
return 301 https://$host$request_uri;
}

Make sure that all dots in all aliases are escaped, as shown above.

@=> How to enable permanent redirect to HTTPS with single IP

While it is not possible to force HTTPS-only mode on the Nginx level in this
case because the site doesn't have separate IP and we can't add effectively
duplicate vhost for plain HTTP proxy, you can add in the local.settings.php
file the PHP code shown below:

// redirect start
$base_url = 'https://' . $_SERVER['HTTP_HOST'];
$request_type = ($_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') ? 'SSL' : 'NONSSL';
if ($request_type != "SSL" && isset($_SERVER['HTTP_USER_AGENT'])) {
if (!preg_match("/(?:x-progress-id|ahah|filefield_nginx_progress\/*|tinybrowser|f?ckeditor)/", $_SERVER['REQUEST_URI']) &&
!preg_match("/(?:tinymce|flowplayer|jwplayer|videomanager|autocomplete|ajax|batch|js\/.*)/", $_SERVER['REQUEST_URI']) &&
!preg_match("/(?:x-progress-id|ahah|filefield_nginx_progress\/*|tinybrowser|f?ckeditor)/", $_SERVER['QUERY_STRING']) &&
!preg_match("/(?:tinymce|flowplayer|jwplayer|videomanager|autocomplete|ajax|batch|js\/.*)/", $_SERVER['QUERY_STRING'])) {
header('X-Accel-Expires: 1');
header("HTTP/1.1 301 Moved Permanently");
header("Location: https://" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
header("Connection: close");
exit;
}
}
// redirect end

@=> Related issue comments

https://github.com/omega8cc/boa/issues/465#issuecomment-77743643
https://github.com/omega8cc/boa/issues/465#issuecomment-77786301

0 comments on commit 2a1b9cd

Please sign in to comment.