SSL Cert for subdomains natted to a different port

[obydesign@seedbox]:(11.2kb)~$ sudo grep -r SSLCert /etc/apache2
[sudo] password for obydesign:
/etc/apache2/sites-enabled/default-ssl.conf: SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
/etc/apache2/sites-enabled/default-ssl.conf: SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
/etc/apache2/sites-enabled/default-ssl.conf.save: SSLCertificateFile ‘/home/obydesign/Desktop/certs/Acmecert%3A+O%3DLet%27s+Encrypt%2C+CN%3DLet%27s+Encrypt+Authority+X3%2C+C%3DUS.crt’
/etc/apache2/sites-enabled/default-ssl.conf.save: SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
/etc/apache2/sites-enabled/default-ssl.conf.save.1: SSLCertificateFile /home/obydesign/Desktop/certs/Acmecert%3A+O%3DLet%27s+Encrypt%2C+CN%3DLet%27s+Encrypt+Authority+X3%2C+C%3DUS.crt
/etc/apache2/sites-enabled/default-ssl.conf.save.1: SSLCertificateKeyFile /home/obydesign/Desktop/certs/obydesign.net.key
/etc/apache2/sites-available/default-ssl.conf: # SSLCertificateFile directive is needed.
/etc/apache2/sites-available/default-ssl.conf: SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
/etc/apache2/sites-available/default-ssl.conf: SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
/etc/apache2/sites-available/default-ssl.conf: # Point SSLCertificateChainFile at a file containing the
/etc/apache2/sites-available/default-ssl.conf: # the referenced file can be the same as SSLCertificateFile
/etc/apache2/sites-available/default-ssl.conf: #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

If I don't run as sudo I get an extra line that I think was added when I originally tried to run "sudo box install letsencrypt", which is a command from quickbox.

$ grep -r SSLCert /etc/apache2
grep: /etc/apache2/ssl/site/seedbox.obydesign.net.key: Permission denied
/etc/apache2/sites-enabled/default-ssl.conf: SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
/etc/apache2/sites-enabled/default-ssl.conf: SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
/etc/apache2/sites-enabled/default-ssl.conf.save: SSLCertificateFile ‘/home/obydesign/Desktop/certs/Acmecert%3A+O%3DLet%27s+Encrypt%2C+CN%3DLet%27s+Encrypt+Authority+X3%2C+C%3DUS.crt’
/etc/apache2/sites-enabled/default-ssl.conf.save: SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
/etc/apache2/sites-enabled/default-ssl.conf.save.1: SSLCertificateFile /home/obydesign/Desktop/certs/Acmecert%3A+O%3DLet%27s+Encrypt%2C+CN%3DLet%27s+Encrypt+Authority+X3%2C+C%3DUS.crt
/etc/apache2/sites-enabled/default-ssl.conf.save.1: SSLCertificateKeyFile /home/obydesign/Desktop/certs/obydesign.net.key
/etc/apache2/sites-available/default-ssl.conf: # SSLCertificateFile directive is needed.
/etc/apache2/sites-available/default-ssl.conf: SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
/etc/apache2/sites-available/default-ssl.conf: SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
/etc/apache2/sites-available/default-ssl.conf: # Point SSLCertificateChainFile at a file containing the
/etc/apache2/sites-available/default-ssl.conf: # the referenced file can be the same as SSLCertificateFile
/etc/apache2/sites-available/default-ssl.conf: #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
[obydesign@seedbox]:(11.2kb)~$

OK, and do you have a virtual host on this machine for the actual web service that it provides? (which I guess is currently only available via HTTP and not HTTPS?)

I am not an Ubuntu wiz yet. Which file would we need to tell us that? /etc/apache2/000.default.conf? Or sites-available, or sites-enabled? Not sure of the differences between these.

How did you set up the web site that this machine hosts?

You said at the beginning that

So, how does it do that? How are the applications mapped to the ports by that server?

It was all automated. I used the quickbox script that installs multiple services like deluge and sabnzbd etc.

https://quickbox.io/

Overall I think the most straightforward solution to this would be to use something like the nginx proxy_pass setting, running nginx on the proxy and creating a host for each hostname whose configuration does a proxy_pass to the appropriate port.

For example

server {
  listen 443 ssl;
  ssl_certificate /etc/letsencrypt/live/obydesign.net/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/obydesign.net/privkey.pem;

  server_name deluge.obydesign.net;

  # proxy_pass is only valid inside a location block
  location / {
    proxy_pass http://192.168.1.20:12345;
  }
}

server {
  listen 443 ssl;
  ssl_certificate /etc/letsencrypt/live/obydesign.net/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/obydesign.net/privkey.pem;

  server_name jackett.obydesign.net;

  location / {
    proxy_pass http://192.168.1.20:22222;
  }
}

server {
  listen 443 ssl;
  ssl_certificate /etc/letsencrypt/live/obydesign.net/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/obydesign.net/privkey.pem;

  server_name lidarr.obydesign.net;

  location / {
    proxy_pass http://192.168.1.20:33333;
  }
}

In this case *only the nginx proxy* would need to have the certificate installed or configured, and the other services could just speak plain HTTP on their respective ports.

However maybe pfsense has an official way to set up a reverse proxy like this too.
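As an added example (not code from the original post, quickbox or nginx), a small Python generator that renders one TLS-terminating server block per subdomain in the shape above, with proxy_pass inside a location block plus the usual forwarding headers and an HTTP-to-HTTPS redirect; the certificate path, backend IP and ports are assumptions taken from the example above.

```python
# Added example (not from the original post): render one TLS-terminating
# nginx server block per subdomain, proxying to a plain-HTTP backend port.
import re

# Only plain HTTP backends of the form http://host:port are accepted.
BACKEND_RE = re.compile(r"^http://[A-Za-z0-9.\-]+:\d{1,5}$")
CERT_DIR = "/etc/letsencrypt/live/obydesign.net"  # assumed certbot path

def server_block(hostname, backend):
    """proxy_pass is only valid inside a location block, so it goes under
    `location /`; the headers pass the client address and original host on."""
    if not BACKEND_RE.match(backend):
        raise ValueError(f"expected http://host:port, got {backend!r}")
    return "\n".join([
        "server {",
        "  listen 443 ssl;",
        f"  server_name {hostname};",
        f"  ssl_certificate {CERT_DIR}/fullchain.pem;",
        f"  ssl_certificate_key {CERT_DIR}/privkey.pem;",
        "  location / {",
        f"    proxy_pass {backend};",
        "    proxy_set_header Host $host;",
        "    proxy_set_header X-Real-IP $remote_addr;",
        "    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;",
        "    proxy_set_header X-Forwarded-Proto https;",
        "  }",
        "}",
    ])

def redirect_block(hostnames):
    """Plain-HTTP listener that sends every named host to HTTPS."""
    return "\n".join([
        "server {",
        "  listen 80;",
        f"  server_name {' '.join(hostnames)};",
        "  return 301 https://$host$request_uri;",
        "}",
    ])

def render(mapping):
    # One HTTPS block per service, then a single HTTP redirect block.
    blocks = [server_block(h, b) for h, b in mapping.items()]
    return "\n\n".join(blocks + [redirect_block(list(mapping))]) + "\n"

# Constructed mapping using the hosts and ports from the thread's example.
SERVICES = {
    "deluge.obydesign.net": "http://192.168.1.20:12345",
    "jackett.obydesign.net": "http://192.168.1.20:22222",
    "lidarr.obydesign.net": "http://192.168.1.20:33333",
}
```

Write the output of render(SERVICES) into a file under /etc/nginx/conf.d/ and run nginx -t before reloading; only the proxy needs the certificate, as the post above says.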

Best to avoid the Google domain forwarding.

Set up normal DNS entries for each host + if you must run hosts on different ports, use a wildcard cert.

Unsure what benefits alternate ports might provide. No extra security, as anyone visiting an alt port site will likely leak their visit some way into the Google infrastructure + end up indexed.
