How do I need to configure apache/certbot for two https sites with only 1 external ip?

Hi There.

I’m currently hosting https://boxer.gs - my personal blog. I’m hosting it at home by forwarding port 443 to my “server” (an old laptop). Recently I obtained a domain which I want to use next to it. As far as my knowledge goes it’s not possible to do that behind a router since SSL needs a fixed IP?

I already made a virtual host for this domain (http://k1600gt.nl). If I use https://k1600gt.nl I get a warning that the certificate belongs to boxer.gs, which makes sense I guess? boxer.gs uses a Let’s Encrypt certificate.

Machine runs Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-150-generic i686) with apache2.
I used to use the pound reverse proxy to forward sites to various virtual hosts, but now apache picks up 443 and 80.

So in short: one external IP address, the https sites using certificates from Let’s Encrypt. Is that possible and if so - is there a manual on how to do that?
I’ve got full control over the laptop and if needed I can always make a VM, but then I need to dual NAT port 443/80 since my real server is behind a second router, which makes things more complicated than they already are (for me that is).

Best Regards
Sjoerd

Hi @Sjoerd72

SSL doesn’t need a fixed ip.

Where does the second domain run? Same laptop? If yes, it’s simple - you need two vHosts, one with ServerName boxer.gs, the other with ServerName k1600gt.nl.

If you have two vms, it’s more difficult. The router must switch the traffic.

If you use only one webserver, it’s the standard handling of different vHosts.

1 Like

Hello Juergen,

Running both on the same laptop.
That sounds much easier than I imagined.

Regards

1 Like

Then it’s easy. There is no difference if the webserver runs on your laptop or in a datacenter.

The client must find the correct ip, then it’s the job of the webserver to find the correct vHost. Port 80 / port 443 - it’s the same.

Sweet,

Fiddling with the configs as we speak - not doing this on a daily basis so I need to dive into the apache how-tos again :wink:

So… took a bit longer…

I came up with the following 4 configs and it works like a charm. boxer.gs:80/something/something gets redirected to the secure site. Even k1600gt.nl gets fully redirected to boxer.gs. Even k1600gt.nl/something/something goes to https://boxer.gs/something/something.

Thx!
Regards

(don’t mention the pathnames - still need to fix those but for now it is what it is)

001-boxergs.conf (points to port 80)

<VirtualHost *:80>
    ServerAdmin ***@boxer.gs
    DocumentRoot /var/www/boxer/8120-test
    ServerName boxer.gs
    Redirect permanent / https://boxer.gs/

    <Directory /var/www/boxer/8120-test/>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    RewriteEngine on
    #RewriteCond %{SERVER_NAME} =boxer.gs [OR]
    RewriteCond %{SERVER_NAME} =boxer.gs
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>

001-boxergs-le-ssl.conf

<IfModule mod_ssl.c>
    <VirtualHost *:443>

        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

        ServerAdmin ***@boxer.gs
        ServerName boxer.gs
        DocumentRoot /var/www/boxer/8120-test
        <Directory /var/www/boxer/8120-test/>
            Options Indexes FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        SSLCertificateFile /etc/letsencrypt/live/boxer.gs/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/boxer.gs/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
    </VirtualHost>
</IfModule>

002-k1600gt.conf

<VirtualHost *:80>
    ServerName k1600gt.nl

    ServerAdmin ***@boxer.gs
    DocumentRoot /var/www/k1600gt/8110_live
    <Directory /var/www/k1600gt/8110_live/>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    RedirectPermanent / https://boxer.gs/

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

002-k1600gt-le-ssl.conf

<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerName k1600gt.nl
        ServerAdmin ***@boxer.gs
        DocumentRoot /var/www/k1600gt/8110_live
        <Directory /var/www/k1600gt/8110_live/>
            Options Indexes FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>

        RedirectPermanent / https://boxer.gs/

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        SSLCertificateFile /etc/letsencrypt/live/k1600gt.nl/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/k1600gt.nl/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
    </VirtualHost>
</IfModule>

I also added the following headers to security.conf (best practice?).
Couldn’t really find a good explanation of what the X-Robots-Tag does, so I hashed it out till I understand it better.

Header set X-Frame-Options: "ALLOW-FROM https://boxer.gs/"
Header set Content-Security-Policy: "frame-ancestors https://boxer.gs/"
Header set X-Content-Type-Options nosniff
Header set X-XSS-Protection "1; mode=block"
Header set Referrer-Policy "no-referrer"
#Header set X-Robots-Tag "none"
Header set X-Download-Options "noopen"
Header set X-Permitted-Cross-Domain-Policies "none"
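The answer above (one IP, one webserver, one vHost per ServerName on both *:80 and *:443) and the four configs just posted both come down to the same consistency rule: every name has its own *:443 vHost pointing at its own certificate, and its *:80 vHost redirects to https. The following Python script is an added example, not code from this thread or from Apache/certbot; it parses the vHost blocks out of config text and reports the cases that produce exactly the symptom from the opening post (a name with no *:443 vHost is answered by the first *:443 vHost and therefore by the wrong certificate), plus a certificate path that does not match the ServerName and a missing HSTS header. It assumes certbot’s /etc/letsencrypt/live/<name>/ directory layout and only looks at ServerName, not ServerAlias; the two sample configs inside it are constructed, condensed from the ones posted above.

```python
"""Added example, not from the thread: lint Apache name-based vhosts so that
every name served on the single IP has its own *:443 vhost, its own certbot
certificate and an HTTPS redirect on *:80.  Assumes certbot's
/etc/letsencrypt/live/<name>/ layout; ServerAlias is not handled."""
import re
from dataclasses import dataclass

VHOST_OPEN = re.compile(r"^<VirtualHost\s+[^>]*:(\d+)\s*>", re.I)
VHOST_CLOSE = re.compile(r"^</VirtualHost>", re.I)

@dataclass
class VHost:
    port: int
    server_name: str = ""
    cert_file: str = ""
    hsts: bool = False            # Strict-Transport-Security header present
    https_redirect: bool = False  # Redirect/RedirectPermanent/RewriteRule to https://

def parse_vhosts(text):
    """Collect the directives the checks need from each <VirtualHost> block."""
    vhosts, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = VHOST_OPEN.match(line)
        if m:
            current = VHost(port=int(m.group(1)))
        elif VHOST_CLOSE.match(line):
            if current is not None:
                vhosts.append(current)
            current = None
        elif current is not None:
            parts = line.split()
            directive = parts[0].lower()
            if directive == "servername" and len(parts) > 1:
                current.server_name = parts[1].lower()
            elif directive == "sslcertificatefile" and len(parts) > 1:
                current.cert_file = parts[1]
            elif directive == "header" and "strict-transport-security" in line.lower():
                current.hsts = True
            elif directive in ("redirect", "redirectpermanent", "rewriterule") and "https://" in line:
                current.https_redirect = True
    return vhosts

def lint_vhosts(vhosts):
    """Return findings as strings; an empty list means the setup is consistent."""
    findings = []
    names = {v.server_name for v in vhosts if v.server_name}
    name_ports = {(v.server_name, v.port) for v in vhosts}
    for name in sorted(names):
        if (name, 443) not in name_ports:
            findings.append(f"{name}: no *:443 vhost; HTTPS requests for this name fall "
                            "through to the first *:443 vhost and get its certificate")
    for v in vhosts:
        if not v.server_name:
            findings.append(f"*:{v.port} vhost without ServerName; name-based selection cannot pick it")
        elif v.port == 443:
            if f"/live/{v.server_name}/" not in v.cert_file:
                findings.append(f"{v.server_name}:443: SSLCertificateFile {v.cert_file!r} "
                                "is not the certbot lineage for this name")
            if not v.hsts:
                findings.append(f"{v.server_name}:443: no Strict-Transport-Security header")
        elif v.port == 80 and not v.https_redirect:
            findings.append(f"{v.server_name}:80: no redirect to https://")
    return findings

# Constructed sample: the state in the opening post, where only boxer.gs has a
# *:443 vhost, so https://k1600gt.nl is answered with the boxer.gs certificate.
BEFORE = """
<VirtualHost *:80>
    ServerName boxer.gs
    Redirect permanent / https://boxer.gs/
</VirtualHost>
<VirtualHost *:443>
    ServerName boxer.gs
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    SSLCertificateFile /etc/letsencrypt/live/boxer.gs/fullchain.pem
</VirtualHost>
<VirtualHost *:80>
    ServerName k1600gt.nl
    RedirectPermanent / https://boxer.gs/
</VirtualHost>
"""
# Constructed sample condensed from the four configs posted above: k1600gt.nl
# now has its own *:443 vhost and certificate (but, as posted, no HSTS header).
AFTER = BEFORE + """
<VirtualHost *:443>
    ServerName k1600gt.nl
    RedirectPermanent / https://boxer.gs/
    SSLCertificateFile /etc/letsencrypt/live/k1600gt.nl/fullchain.pem
</VirtualHost>
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, lint_vhosts(parse_vhosts(cfg)) or ["OK"])
```

Run against the "after" sample it reports only the one gap left in the posted k1600gt.nl-le-ssl.conf: the *:443 vHost for k1600gt.nl does not set Strict-Transport-Security, while the boxer.gs one does. Feeding it the real files (for example the concatenated output of the sites-enabled directory) works the same way, since it only looks at directive names and ignores <IfModule> wrappers.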

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.