Commit
Move deprecated SSL docs to separate file
Showing 2 changed files with 131 additions and 131 deletions.
@@ -0,0 +1,131 @@ | ||
|
||
|
||
NOTE ###===>>> | ||
|
||
The old how-to shown below is still useful if you prefer to use SSL | ||
termination separated from your Aegir system, or if you don't want to use | ||
built-in Letsencrypt.org SSL certificates support (available since BOA-3.1.0). | ||
|
||
But if you can use Letsencrypt.org SSL certificates, or you are willing to use | ||
also built-in BOA feature which allows you to replace Letsencrypt.org SSL | ||
certificate with any third-party certificate per site, while still managing SSL | ||
via Aegir control panel (for redirects, forced/required SSL mode), we highly | ||
recommend to use Aegir built-in SSL support, which is enabled and ready to use | ||
in all Octopus instances since BOA-3.1.0 release. | ||
|
||
NOTE ###===>>> | ||
|
||
|
||
@=> How to add local proxy on the same (TLS/SNI) or dedicated IP address | ||
|
||
BOA provides an easy to use tool to generate correct proxy vhosts | ||
for either dedicated IP addresses or default IP address in the TLS/SNI mode. | ||
|
||
Note: The proxy vhosts can reside on the same or remote BOA system, when | ||
the target IP address is hosted on a different system than the proxy. | ||
|
||
The steps are almost the same for both options, as shown below, and the only | ||
difference is that for proxy listening on the default IP address, both the | ||
dedicated_ip and target_ip columns should list the same, default IP address. | ||
|
||
IMPORTANT! | ||
|
||
The 'domain_name' is a placeholder for domain name without any prefixes. | ||
Please don't include 'www.' prefix. If you have a wildcard certificate, | ||
don't use the *. prefix in front of 'domain_name'. If you have a multi-domain | ||
certificate, use any domain or subdomain listed in the certificate, but make | ||
sure to not include any prefix. | ||
|
||
@=> Prepare the certificate and the private key files | ||
|
||
1. Paste your private SSL key in the file /etc/ssl/private/{domain_name}.key | ||
|
||
2. Paste your SSL certificate and all intermediate certificates (bundles) | ||
below it in the file /etc/ssl/private/{domain_name}.crt | ||
|
||
For more related technical hints check also: https://omega8.cc/ssl-order | ||
|
||
@=> Verify that the dedicated IP is active (if expected to be used) | ||
|
||
Make sure that your system already has the extra IP address activated, | ||
if expected to be used. Otherwise Nginx will fail to start! | ||
|
||
To check if it is active, type as root: | ||
|
||
$ hostname -I | grep dedicated_ip | ||
|
||
If the output is empty, stop here and set up your networking properly first, | ||
so the dedicated IP will be listed. Explaining how to set up networking | ||
is beyond the scope of this how-to -- please consult your hosting provider | ||
docs and support for assistance, if needed. | ||
|
||
@=> Generate HTTPS and HTTP proxy vhosts | ||
|
||
1. Create a config file: /root/.ssl.proxy.cnf with one record per line: | ||
|
||
domain_name target_ip o1 foo@email dedicated_ip | ||
domain_name target_ip o2 bar@email dedicated_ip | ||
|
||
All fields are required and must be separated with a single space. | ||
|
||
Make sure that 'domain_name' in the {domain_name}.key and {domain_name}.crt | ||
filenames matches the 'domain_name' in the respective domain first column | ||
in the /root/.ssl.proxy.cnf config file. | ||
|
||
To add HTTPS+HTTP proxy on the same IP address, just use the same IP address | ||
both for 'target_ip' and 'dedicated_ip' columns in the respective record. | ||
|
||
You can generate both dedicated and TLS/SNI proxy vhosts at the same time. | ||
|
||
2. Finally run as root: | ||
|
||
$ xboa ssl-gen | ||
|
||
3. Point the 'domain_name' DNS to 'dedicated_ip' if different than 'target_ip' | ||
|
||
@=> How to enable permanent redirect to HTTPS with dedicated IP | ||
|
||
Edit /var/aegir/config/server_master/nginx/pre.d/z_{domain_name}_pln_proxy.conf | ||
|
||
Add the extra if{} pseudo-location within the server{} configuration block. | ||
|
||
Make sure that regex in the first line lists all aliases you want to | ||
redirect to the HTTPS permanently, as shown in the example below: | ||
|
||
### | ||
### Optional permanent redirect to HTTPS per domain/regex | ||
### | ||
if ($host ~* ^(www\.)?((foo|bar)\.com)$) { | ||
return 301 https://$host$request_uri; | ||
} | ||
|
||
Make sure that all dots in all aliases are escaped, as shown above. | ||
|
||
@=> How to enable permanent redirect to HTTPS with single IP | ||
|
||
While it is not possible to force HTTPS-only mode on the Nginx level in this | ||
case because the site doesn't have separate IP and we can't add effectively | ||
duplicate vhost for plain HTTP proxy, you can add in the local.settings.php | ||
file the PHP code shown below: | ||
|
||
// redirect start | ||
$base_url = 'https://' . $_SERVER['HTTP_HOST']; | ||
$request_type = ($_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') ? 'SSL' : 'NONSSL'; | ||
if ($request_type != "SSL" && isset($_SERVER['HTTP_USER_AGENT'])) { | ||
if (!preg_match("/(?:x-progress-id|ahah|filefield_nginx_progress\/*|tinybrowser|f?ckeditor)/", $_SERVER['REQUEST_URI']) && | ||
!preg_match("/(?:tinymce|flowplayer|jwplayer|videomanager|autocomplete|ajax|batch|js\/.*)/", $_SERVER['REQUEST_URI']) && | ||
!preg_match("/(?:x-progress-id|ahah|filefield_nginx_progress\/*|tinybrowser|f?ckeditor)/", $_SERVER['QUERY_STRING']) && | ||
!preg_match("/(?:tinymce|flowplayer|jwplayer|videomanager|autocomplete|ajax|batch|js\/.*)/", $_SERVER['QUERY_STRING'])) { | ||
header('X-Accel-Expires: 1'); | ||
header("HTTP/1.1 301 Moved Permanently"); | ||
header("Location: https://" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']); | ||
header("Connection: close"); | ||
exit; | ||
} | ||
} | ||
// redirect end | ||
|
||
@=> Related issue comments | ||
|
||
https://github.com/omega8cc/boa/issues/465#issuecomment-77743643 | ||
https://github.com/omega8cc/boa/issues/465#issuecomment-77786301 |
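Review bot: the PHP redirect snippet in the moved how-to has two issues worth fixing before this file is kept as reference documentation. First, the line `$request_type = ($_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') ? 'SSL' : 'NONSSL';` reads the header without an `isset()` guard, so every request that arrives without `X-Forwarded-Proto` (for example one that bypasses the proxy and hits the backend directly) raises a PHP notice and is then treated as plain HTTP; `(isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https')` avoids the notice and the loose comparison. Second, both `$base_url` and the `Location:` header are built from `$_SERVER['HTTP_HOST']` as-is; because the text explains this variant is used precisely when there is no dedicated-IP vhost to pin the hostname, the docs should say that the reflected value is only safe where Nginx restricts the accepted hosts to the configured domain (the `if ($host ~* ^(www\.)?((foo|bar)\.com)$)` allow-list shown in the dedicated-IP section is the right shape), since otherwise an arbitrary `Host` value ends up in the 301 target. Minor: `hostname -I | grep dedicated_ip` treats the dots in the address as regex wildcards, so `grep -wF` would give an exact match and avoid a false positive from a longer address that shares the prefix. The NOTE block at the top already marks the content as deprecated, so no further wording change is needed there.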