Several domains - one IP address

I agree with Apache’s recommendation to use mod_alias when you simply need to redirect all traffic in a virtual host somewhere else like in their example. With more complex examples and especially with Certbot which needs to take an approach that in theory works with an arbitrary Apache configuration, I do not agree.

In the case of a virtual host like

<VirtualHost *:80>
  ServerName   example1.com
  ServerAlias  example2.com www.example1.com www.example2.com
</VirtualHost>

Certbot has a few options:

  1. We unconditionally redirect all traffic in the virtual host to one of those domains over HTTPS. This is the same as your first example. I don’t think Certbot should be setting up redirects that unexpectedly change the domain though. I expect this will confuse/frustrate users and could in theory even break things because the virtual host could change behavior based on the domain.
  2. We duplicate the virtual host block. This may need to be done once for each domain we want a redirect for as I’m not sure if there’s a good way to dynamically change the target of the redirect based on the domain initially requested over HTTP when using mod_alias. We’d then remove all domains we created a new block for from the ServerName or ServerAlias directives in the original block. This is your second example. This results in a lot of duplication and changes to the user’s config as part of setting up the redirect.
  3. We use mod_rewrite. This allows us to redirect the traffic to HTTPS by adding a few lines without changing the domain visited or creating duplicate vhosts for the purpose of the redirect.

Hopefully that explanation makes sense. It is true that options 1 or 2 may make more sense for some Apache configurations, but for the sake of simplicity, Certbot always goes with option 3 which I believe to work best in the general case.
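As an added example (not from the original post, and not Certbot's literal output), here is what the three options look like in Apache configuration for the vhost above. The domain names are the ones from the post; the RewriteCond/RewriteRule block is written in the style of option 3.

```apache
# Added example (not from the original post, not Certbot's own output):
# the three ways discussed above of forcing HTTPS for a virtual host that
# answers for several names.

# Option 1: one mod_alias Redirect to a fixed name. Short, but a visitor who
# typed http://example2.com/ lands on https://example1.com/ - the host name
# changes as a side effect of the HTTPS redirect.
<VirtualHost *:80>
  ServerName   example1.com
  ServerAlias  example2.com www.example1.com www.example2.com
  Redirect permanent / https://example1.com/
</VirtualHost>

# Option 2: one mod_alias Redirect per name, which means one vhost per name,
# and each name is removed from the original vhost's ServerName/ServerAlias.
<VirtualHost *:80>
  ServerName   example1.com
  Redirect permanent / https://example1.com/
</VirtualHost>
<VirtualHost *:80>
  ServerName   example2.com
  Redirect permanent / https://example2.com/
</VirtualHost>
# ... and likewise for www.example1.com and www.example2.com

# Option 3: mod_rewrite added to the existing vhost ("a2enmod rewrite" on
# Debian/Ubuntu). Each visitor is sent to the HTTPS version of the name they
# asked for, the path is kept (%{REQUEST_URI}), and the ServerName/ServerAlias
# lines stay as they were.
<VirtualHost *:80>
  ServerName   example1.com
  ServerAlias  example2.com www.example1.com www.example2.com
  RewriteEngine on
  # Only redirect for names this vhost is meant to serve (see note below).
  RewriteCond %{SERVER_NAME} =example1.com [OR]
  RewriteCond %{SERVER_NAME} =example2.com [OR]
  RewriteCond %{SERVER_NAME} =www.example1.com [OR]
  RewriteCond %{SERVER_NAME} =www.example2.com
  RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
```

One caveat on option 3: with Apache's default `UseCanonicalName Off`, `%{SERVER_NAME}` is taken from the request's Host header, not from the ServerName directive. The RewriteCond lines are what stop an arbitrary Host header from being reflected into the Location header; leave them in rather than simplifying the block to a bare RewriteRule. The `NE` flag keeps already-encoded characters in the path from being encoded a second time.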

Thank you, it is crystal clear now.

I have to say that I didn’t allow myself to think that someone could have the intentions you described, and thus was asking for an example. To me, the vhost is the custom part, and the include is the common code. Therefore, making Winnebago containers out of vhosts is just asking for problems due to custom parts creeping in/splitting. Again, that is only my preference.

Before continuing, I would like to stress that my HTTP/SSL knowledge is rather limited, and that if I saw httpd.conf files, they were only from the companies I worked for (I never worked for a company that was hosting websites, and also didn’t have much to do with IT).

In my last project I decided to use REDIRECT vs. REWRITE because I read some article that claimed REWRITE potentially may expose more things than REDIRECT (unfortunately, I cannot find it anymore, so maybe that is just my memory playing with me). Therefore, the Apache recommendation for REDIRECT was deemed not just cosmetically nicer, but more secure, and of course simpler to read. That is where I am coming from about preferring REWRITE. That is also what I meant in the previous post about certbot code having bad logic (if the vhost is simple, e.g. just one TLD, there is no reason to use REWRITE there).

I cannot say that I agree with the argument you are making about two TLDs in one vhost. First, whether we agree on one or the other solution, we are making a decision on behalf of the website owner. Second, in my opinion, your argument is rather a case of having a ‘nicer looking’ (in your opinion) vhost section (not duplicating), vs. having simpler-logic vhosts (one vhost serves one purpose, i.e. one TLD, and the rest are just aliases, nothing more). In my limited experience, every time I saw more than one TLD in a vhost, it was due to some historical reasons (project name changed, company changed name, was acquired, …). Also, if you assume that one vhost, just for the sake of simplicity, unifies multiple TLDs but provides different behaviors, you have to also assume that the cost is on the HTML side, where the code must constantly decide which TLD to use… So, that is what sways me into saying that if there are two TLDs in one vhost, the intention (info that certbot is missing) is to unify those, so there is no problem swapping TLD2 for TLD1 when jumping to the SSL part; at the same time the user is conditioned to use the new TLD forever (i.e. a 301), so use REDIRECT. This is a case of certbot missing information about intentions.

However, as I said, I don’t have any stats to show that yours or mine assumptions about having multiple TLDs in one vhost are more prevalent, so go with what you know.

I think that we are good now, we both understand all intentions / implications. Also, thank you for taking your time to get me to appreciate more this topic!

For what it’s worth…

I recently went through the process of trying to add a second domain to the same (linode / ubuntu 18.04) server. In my case I attempted to create a second virtual hosts file for the second domain (2 individual virtual hosts config files for the 2 domains). The solution that worked for me was…

[1]: Created a cert.conf configuration file used only to get certs for the IP (with Apache2, use a2ensite and a2dissite to enable/disable it).

  • the configuration file contains only port 80 virtual hosts (one for each subdomain + one for the primary domain).
  • the configuration file contains the virtual host config for both domains (in the one, single file).

[2]: Perform the steps to obtain the certs using certbot.
[3]: Create separate / individual files for each domain (one for each) and add the port 443 (secure) configuration into each domain’s config file along with the original port 80 configuration content.
[4]: Add redirects as desired.

Worked in my case
HTH Someone
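Worked through as an added example (these are not the poster's actual files; the host names, paths and the certbot invocation are assumptions), the procedure above comes out as two files, one temporary and one permanent, plus a handful of commands shown as comments:

```apache
# Added example of the four-step procedure above (not the poster's files).
# Host names, DocumentRoot paths and the certbot command are assumptions.
#
# Step 1 - /etc/apache2/sites-available/cert.conf: port 80 vhosts only, one
# per name, both domains in this single file. Enable it and disable the
# normal site files while the certificates are obtained:
#   sudo a2dissite example-com example-org && sudo a2ensite cert
#   sudo systemctl reload apache2
<VirtualHost *:80>
  ServerName   example.com
  ServerAlias  www.example.com
  DocumentRoot /var/www/example.com
</VirtualHost>
<VirtualHost *:80>
  ServerName   sub.example.com
  DocumentRoot /var/www/sub.example.com
</VirtualHost>
<VirtualHost *:80>
  ServerName   example.org
  ServerAlias  www.example.org
  DocumentRoot /var/www/example.org
</VirtualHost>

# Step 2 - obtain the certificates, one domain at a time. "certonly" asks
# certbot's Apache plugin to do the HTTP-01 validation against the port 80
# vhosts above without editing the config itself:
#   sudo certbot certonly --apache -d example.com -d www.example.com -d sub.example.com
#   sudo certbot certonly --apache -d example.org -d www.example.org

# Step 3 - /etc/apache2/sites-available/example-org.conf (example-com.conf
# is analogous): the original port 80 vhost plus a port 443 vhost that
# points at the issued certificate. certbot keeps the current certificate
# under /etc/letsencrypt/live/<first name given to -d>/. Needs "a2enmod ssl".
# Afterwards: sudo a2dissite cert && sudo a2ensite example-com example-org
<VirtualHost *:80>
  ServerName   example.org
  ServerAlias  www.example.org
  DocumentRoot /var/www/example.org
  # Step 4 - add the redirect of your choice here (the mod_alias vs.
  # mod_rewrite trade-off is discussed earlier in the thread).
</VirtualHost>
<VirtualHost *:443>
  ServerName   example.org
  ServerAlias  www.example.org
  DocumentRoot /var/www/example.org
  SSLEngine on
  SSLCertificateFile    /etc/letsencrypt/live/example.org/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/example.org/privkey.pem
</VirtualHost>
```

Keep cert.conf around (disabled) for renewals only if you renew the same way; once the port 443 vhosts are in place, `certbot renew` validates against whichever vhosts are enabled, so the temporary file is normally no longer needed.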

With multiple domains using one IP address

  1. Register your domain blabla.com in your root server.
  2. Tell your root server that you want to register a wildcard domain, for example:
    *.blabla.com
  3. In that way, you can use a lot of domains under your parent domain blabla.com, e.g. “something.blabla.com”.
  4. Create a virtual host file and describe your parent domain blabla.com and every subdomain.
  5. You can use a different root server to register a different domain on one IP address.
  • vhost: example using one domain with subdomains:

blabla.com

# Parent domain: Apache picks this vhost when the Host header is
# blabla.com or www.blabla.com.
<VirtualHost 192.168.1.15:80>
  DocumentRoot "/home/user_name/your_web_project/htdocs"
  ServerName   blabla.com
  ServerAlias  www.blabla.com
</VirtualHost>

######################################################################

some.blabla.com

# Subdomain on the same IP address and port; only the name differs.
<VirtualHost 192.168.1.15:80>
  DocumentRoot "/home/user_name/your_web_project/htdocs"
  ServerName   some.blabla.com
  ServerAlias  www.some.blabla.com
</VirtualHost>

When you decide to obtain certificates for your two domains on the same IP,
you can obtain them together, but I recommend doing it one by one.


With multiple IP addresses using one domain

Round robin, my friend.
Link: https://en.wikipedia.org/wiki/Round-robin_DNS
And when you decide to obtain the cert for your domain blabla.com, you will obtain it without any problem; the only difference is that you use two IP addresses.

When you run “dig blabla.com” you will see this, if you have already described these two IP addresses in
your DNS zone:

;; ANSWER SECTION:
blabla.com. 6791 IN A 0.0.0.0
blabla.com. 6791 IN A 0.0.0.0
Two IPs for the same domain.

You must tell your root server, where you registered your domain blabla.com, that you use two IP addresses, and you must describe it in this domain’s DNS zone!
BR

Brad,

I guess that will cause an error, or rather break HSTS, after all.

Again, assuming that we have a following vhost:

<VirtualHost *:80>
  ServerName   www.example.com
  ServerAlias    example.com
  Redirect         permanent / https://www.example.com/
</VirtualHost>

and we enable HSTS on the SSL side. When someone enters http://example.com, that basically kills HSTS (as far as I understand it), as Redirect changes the DNS name before redirecting to the HTTPS protocol. I guess the same will happen if on the ServerAlias line we have something like old-example.com. If my understanding of it is correct, then my previous arguments about having just one Redirect in a combined ServerName/ServerAlias vhost are invalid. Of course, there are two solutions to that (that you have already mentioned): either break down that combined vhost into multiple ones, or have multiple Rewrite lines in that single vhost (you of course already indicated that you don't like those smaller vhosts).

Thank you, Jacek
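The “multiple Rewrite in that single vhost” solution mentioned in the post above, written out as an added example (not from any of the original posts). It keeps the vhost's ServerName/ServerAlias as they are, makes the HTTP-to-HTTPS hop stay on the host the visitor asked for, and moves the www canonicalisation to the HTTPS side, where the HSTS header is sent. The certificate paths and DocumentRoot are assumptions, and the certificate must cover both example.com and www.example.com.

```apache
# Added example (not from the original posts). Requires mod_rewrite and
# mod_headers ("a2enmod rewrite headers"); certificate paths are assumptions.

<VirtualHost *:80>
  ServerName   www.example.com
  ServerAlias  example.com
  RewriteEngine on
  # First hop: same host name, only the scheme changes. The RewriteCond
  # lines pin %{SERVER_NAME} to the two names this vhost serves, so an
  # arbitrary Host header is never reflected into the Location header.
  RewriteCond %{SERVER_NAME} =example.com [OR]
  RewriteCond %{SERVER_NAME} =www.example.com
  RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:443>
  ServerName   www.example.com
  ServerAlias  example.com
  DocumentRoot /var/www/example.com
  SSLEngine on
  SSLCertificateFile    /etc/letsencrypt/live/example.com/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
  # HSTS is remembered per host. Because https://example.com/ is now
  # reached directly, a visitor who typed the bare name receives this header
  # for example.com itself, and the browser stops using plain HTTP for it.
  # "always" makes the header go out on the 301 below as well, not only on
  # 200 responses.
  Header always set Strict-Transport-Security "max-age=31536000"
  # Second hop, now over HTTPS: canonicalise the bare name to www.
  RewriteEngine on
  RewriteCond %{HTTP_HOST} =example.com
  RewriteRule ^ https://www.example.com%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
```

Compared with the single `Redirect permanent / https://www.example.com/` in the port 80 vhost, this costs one extra 301 for visitors who type the bare name, but only until their browser has cached the HSTS policy for example.com; after that the request starts on HTTPS and the port 80 vhost is never hit. Adding `includeSubDomains` or `preload` to the header is a separate decision, since both extend the policy beyond these two names.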

If my understanding of ‘permanent’ is correct, the ‘No’ case will violate HSTS only once, as the browser will take note of that redirect and will not be hitting the HTTP part anymore, whereas your ‘Yes’ case will cause an HSTS violation every time a given user goes to ‘http://example.com’. Unless I am missing something here.

First, if you check the context of that example, there is no mod_rewrite involved.
Second, both lines are syntactically correct; your ‘Yes’ line just implies ‘temp’ is used in place of ‘permanent’.
Third, in both cases, whether 301 or 302 is needed is not a matter for Apache, but of conveying to the browser what your intentions are.
https://httpd.apache.org/docs/current/mod/mod_alias.html#redirect

However, if you think that there are some implications when mod_rewrite is also needed, a link to apache docs would be nice.
