Setting up SSL for One IP and multiple domains

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: whiteyangcastle.ddns.net, pelicanq.myqnapcloud.com

I ran this command:
sudo certbot --apache -d whiteyangcastle.ddns.net -d pelicanq.myqnapcloud.com
Later restore to
sudo certbot --apache -d whiteyangcastle.ddns.net

It produced this output: I did not capture the output. The certificate was restored to whiteyangcastle.ddns.net, but I have disabled all SSL lines in 000-default-le-xxx.conf and added a virtual host for *:80, without SSL.

My web server is (include version): apache 2.4.41, and QNAP QTS 4.4.2.1310

The operating system my web server runs on is (include version): Ubuntu 20.04; Qnap NAS OS, QTS

My hosting provider, if applicable, is: I host both servers on the home network

I can login to a root shell on my machine (yes or no, or I don’t know): yes for both

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):0.40

Dear experts,

I am struggling to secure my Ubuntu web server along with my QNAP NAS server and have had no luck. Here is what I am trying to set up in my home network.
Host 1: pelicanq.myqnapcloud.com using the QNAP default SSL certificate; it can optionally be replaced with a Let's Encrypt SSL certificate or a self-signed one.
Host 2: Ubuntu (20.04) web server, Apache 2.4.41, accessed using the domain name whiteyangcastle.ddns.net

I want both hosts to be accessed through the default secure port 443. Currently I port forward all 443 traffic to Host 1 (QNAP) as a regular server through my router.

I was able to set up QNAP on port 443 and Ubuntu on port 8082. However, I cannot access Ubuntu from work as my company firewall blocks all ports other than 443.

Is there any way to achieve it? One IP, two or more domains?
Please advise. Thank you.

Cheers,
Bryan

1 Like

Multiple domains can be served by one IP in several ways.

Option #1: Use one external IP via a single web server to host all the names and content (standalone).
[the default for most web hosting companies - many sites per one host]

Option #2: Use one external IP via a “reverse proxy” to provide individual connections to multiple back-end systems.
[used by anyone who has outgrown the available/required external IPs and port combinations]

Option #3: Use one external IP via a “mixed” scenario; where the TLS termination host handles some sites and content locally, while proxying other sites to their respective back-end systems.
[useful for those that want to handle only certain types on content locally on the “proxy” - like: centralized trusted certificate management]

[there may also be other ways]

In any case, you won’t be able to port forward a single external IP:port combination to multiple internal IPs.
You must use some sort of proxy to reach all other internal IPs needing that same external IP:port access.
[or you could get more external IPs… or you could use other non-standard ports]

2 Likes

Dear expert rg305,

Thank you so much for the feedback. I hope you can help me through this issue. I have reviewed your options.
I would certainly want to go with one external IP and multiple sites on Host 1 (Ubuntu) and still be able to connect to the QNAP server using its own SSL certificate and domain name (https://pelicanq.myqnapcloud.com), which will expire in one year. I am thinking of replacing the QNAP SSL certificate with an LE certificate after expiry; just keep everything as it is for now.
Hence, it seems that I will need a reverse proxy solution to provide individual connections to the respective multiple back-end systems, at least one going to the QNAP server and other hosts for future expansion. It seems the proxy will host the SSL certificate and be able to share it with the other hosts.
I would appreciate it if you could advise me on how to set up a reverse proxy on the Ubuntu host with SSL and still let the QNAP secure the connection using its own SSL certificate.
Thank you rg305.

Cheers,
Bryan

1 Like

It sounds like you are leaning towards option #2.

The Apache web server you have can serve as the “reverse proxy” for the QNAP connections.
You can either:
[FOR HTTP]

  • terminate the HTTP connections within the Apache system and proxy to QNAP [via HTTP(S)]
  • “forward” the HTTP connections to the QNAP via “stream” (overly complicating the situation)

[FOR HTTPS]

  • terminate the HTTPS connections within the Apache system and proxy to QNAP [via HTTP(S)]
  • “forward” the HTTPS connections to the QNAP via “stream” (overly complicating the situation)

Considerations:

  • Passing HTTP to the QNAP will allow it to handle its own LE cert registrations… But…
  • Terminating HTTPS at the Apache system will require for it to also have a valid cert for the QNAP name. [So this requires some thought - How will both systems use the same name or share the same cert? - when both will be validating via the same IP:port and name]
    A “stream” proxy could handle that problem by removing the need for Apache to have a cert for the QNAP name but increases the complexity of the configuration/implementation.
1 Like

Hi rg305,

FYI, the QNAP system has its own cert. Let’s keep the configuration simple.
1. Can the reverse proxy direct all https://pelicanq.myqnapcloud.com traffic to the QNAP server and the rest, which is https://whiteyangcastle.ddns.net, to the Apache system using the LE cert?
2. What is the legitimate way of managing multiple hosts behind one external IP? I am fine with terminating HTTPS at the Apache level and having no encryption
when directing all traffic to the back-end servers; at least that is not a concern for now. However, still keep encryption on when going external.

Cheers,
Bryan

1 Like

Yes. But the Apache server will need certs to terminate those TLS connections.

Pretty much anything that “works” is allowed.

That does simplify things.
In this case, the back-end QNAP server will not need a cert.
The Apache server will do all the (external side) encryption for all servers (including QNAP server).
Note: The name should remain the same and any self-referencing links within the QNAP should NOT include the protocol it uses (HTTP/HTTPS).
[it shouldn’t include the protocol… but we must confirm that and can check it once it is fully configured]

So then Apache will have both names.
One name will be served locally.
The other will be reverse proxied from HTTPS on the outside to HTTP on the inside.

Are you ready?

1 Like

Dear expert rg305,

Yes, that will work for me. I am ready for the setup. Please advise. :slight_smile:

Cheers,
Bryan

2 Likes

We will need to redo your Apache config and proceed in this order:

  1. Apache will need two HTTP vhost configs:
    A: pelicanq.myqnapcloud.com [process LE cert requests and redirect all else to HTTPS]
    B: whiteyangcastle.ddns.net [process LE cert requests and redirect all else to HTTPS]

  2. {your ACME client choice - certbot/certbot-auto/acme.sh/other} will need to be installed/configured to obtain certs for both names, auto-renew them, and Apache must be reloaded/restarted after each renewal.

  3. Apache will need two HTTPS vhost configs:
    A: pelicanq.myqnapcloud.com [configured to proxy]
    B: whiteyangcastle.ddns.net

  4. Testing and finalizing documentation.

[feel free to start and post your progress here or send to me via DM - this may take a couple of hours]

2 Likes
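A worked Apache 2.4 configuration for the four-step plan above and the "HTTPS outside, HTTP inside" proxying described earlier in the thread. This is an added example, not rg305's or Bryan's actual config; it assumes the QNAP is reachable internally at the constructed address 192.0.2.10 on plain HTTP port 8080 (placeholder), that certs were obtained with `certbot certonly --webroot -w /var/www/acme`, and that `a2enmod ssl proxy proxy_http headers rewrite` has been run.

```apache
# Added example (not from the thread). Assumed values: QNAP at 192.0.2.10:8080
# (constructed), webroot /var/www/acme shared by both names for ACME challenges.

# Steps 1A/1B: one HTTP vhost for both names. Apache answers ACME challenges
# itself (never proxied) and redirects everything else to HTTPS.
<VirtualHost *:80>
    ServerName pelicanq.myqnapcloud.com
    ServerAlias whiteyangcastle.ddns.net
    DocumentRoot /var/www/acme
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

# Step 3A: terminate TLS for the QNAP name here, proxy to the QNAP over HTTP.
<VirtualHost *:443>
    ServerName pelicanq.myqnapcloud.com
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/pelicanq.myqnapcloud.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/pelicanq.myqnapcloud.com/privkey.pem

    ProxyRequests Off          # reverse proxy only; never an open forward proxy
    ProxyPreserveHost On       # backend sees the public name, so its links stay on it
    RequestHeader set X-Forwarded-Proto "https"   # lets the backend know the client used TLS
    ProxyPass        / http://192.0.2.10:8080/
    # Rewrites Location/Content-Location headers the backend emits with its
    # internal http:// address back to the public https:// name.
    ProxyPassReverse / http://192.0.2.10:8080/
</VirtualHost>

# Step 3B: the local site, served directly by Apache.
<VirtualHost *:443>
    ServerName whiteyangcastle.ddns.net
    DocumentRoot /var/www/html
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/whiteyangcastle.ddns.net/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/whiteyangcastle.ddns.net/privkey.pem
</VirtualHost>
```

Run `apachectl configtest` before reloading; for step 2, a renewal deploy hook such as `--deploy-hook "systemctl reload apache2"` makes Apache pick up renewed certs. If the QNAP still emits absolute `http://` links in page bodies (the self-reference concern raised above), `ProxyPassReverse` does not touch those; mod_substitute or a QNAP-side setting is needed.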

Hi Master Rudy,

Sorry, I am new; may I know how I ‘DM’ you?
Please advise. Thank you.

Cheers,
Bryan

Click the image by my user “name” (rg305) and then choose [image].

2 Likes