how would i host more than 2 sites on the same port and IP address?

rveerman nginx-forum at forum.nginx.org
Fri Jan 15 03:40:41 UTC 2021


cool :)

I was able to get it to work.
For completeness' sake, and for all those looking for an explanation as to
how to get this done properly, I will post my setup to this list now.

Sorry if this seems clueless to the members of this list, but please realize
that there are plenty of people out there who are entirely new to the field
of system administration, like I was about 2 weeks ago.

I had to edit /etc/apache2/ports.conf to resemble this:

<IfModule ssl_module>
        Listen 192.168.178.21:444
        Listen 192.168.178.21:447
</IfModule>

<IfModule mod_gnutls.c>
        Listen 192.168.178.21:444
        Listen 192.168.178.21:447
</IfModule>

and /etc/apache2/sites-enabled/002-mysite.com to resemble this:

<VirtualHost *:444>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	#ServerName www.example.com
	ServerName mysite.com

	ServerAdmin rene.veerman at nicer.app
	DocumentRoot /home/rene/data1/htdocs/mysite.com

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn
	LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.443.log
	CustomLog ${APACHE_LOG_DIR}/access.443.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf
	<Directory /home/rene/data1/htdocs/mysite.com>
		Options -Indexes -FollowSymLinks
		AllowOverride None
		Require all granted
	</Directory>

	SSLEngine on
	SSLProtocol all -SSLv2 -SSLv3
	SSLHonorCipherOrder on
	SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS +RC4 RC4"

	# godaddy supplied SSL keys, rehashed with certbot (see the friendly manual)
	SSLCertificateFile /home/rene/data1/certificates/apache-ssl/a8f38c612dbe2a7e.crt
	SSLCertificateKeyFile /home/rene/data1/certificates/apache-ssl/mysite.com.key
	SSLCertificateChainFile /home/rene/data1/certificates/apache-ssl/gd_bundle-g2-g1.crt
</VirtualHost>

<VirtualHost *:447>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	#ServerName www.example.com
	ServerName v2.mysite.com

	ServerAdmin rene.veerman.netherlands at gmail.com
	DocumentRoot /home/rene/data1/htdocs/mysite.com_v2

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn
	#LogLevel info ssl:warn
	LogLevel debug

	ErrorLog ${APACHE_LOG_DIR}/error.447.log
	CustomLog ${APACHE_LOG_DIR}/access.447.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf
	<Directory /home/rene/data1/htdocs/mysite.com_v2>
		AllowOverride None
		Require all granted
	</Directory>

	SSLEngine on
	SSLProtocol all -SSLv2 -SSLv3
	SSLHonorCipherOrder on
	SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS +RC4 RC4"

	# simple output of 'certbot certonly v2.mysite.com' (running on port 80 for the occasion)
	SSLCertificateFile /etc/letsencrypt/live/v2.mysite.com/cert.pem
	SSLCertificateKeyFile /etc/letsencrypt/live/v2.mysite.com/privkey.pem
	SSLCertificateChainFile /etc/letsencrypt/live/v2.mysite.com/fullchain.pem
</VirtualHost>

From there, you can detect if your Apache setup is running correctly by
running this command:

netstat -nltp | grep apache

Then there's the nginx setup, /etc/nginx/sites-enabled/00-default-ssl.conf
(mail.mysite.com runs iRedMail on Ubuntu 20.04):

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name mail.mysite.com;
    root /var/www/html;

    index index.php index.html;

    include /etc/nginx/templates/misc.tmpl;
    include /etc/nginx/templates/ssl.tmpl;
    include /etc/nginx/templates/iredadmin.tmpl;
    include /etc/nginx/templates/roundcube.tmpl;
    include /etc/nginx/templates/sogo.tmpl;
    include /etc/nginx/templates/netdata.tmpl;
    include /etc/nginx/templates/php-catchall.tmpl;
    include /etc/nginx/templates/stub_status.tmpl;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name mysite.com;
    root /home/rene/data1/htdocs/mysite.com;

    ssl_certificate /home/rene/data1/certificates/other-ssl/all.crt;
    ssl_certificate_key /home/rene/data1/certificates/other-ssl/mysite.com.key;

    ssl on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !kECDH !DSS !MD5 !RC4 !EXP !PSK !SRP !CAMELLIA !SEED';
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparam.pem;

    location / {
        proxy_pass https://192.168.178.21:444/;
        proxy_redirect off;
        proxy_buffering off;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Ssl on;

        proxy_connect_timeout 159s;
        proxy_send_timeout 60;
        proxy_read_timeout 60;
        send_timeout 60;
        resolver_timeout 60;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name v2.mysite.com;
    root /home/rene/data1/htdocs/mysite.com_v2;

    ssl_certificate /etc/letsencrypt/live/v2.mysite.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/v2.mysite.com/privkey.pem;

    ssl on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !kECDH !DSS !MD5 !RC4 !EXP !PSK !SRP !CAMELLIA !SEED';
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparam.pem;

    location / {
        proxy_pass https://192.168.178.21:447/;
        proxy_redirect off;
        proxy_buffering off;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Ssl on;

        proxy_connect_timeout 159s;
        proxy_send_timeout 60;
        proxy_read_timeout 60;
        send_timeout 60;
        resolver_timeout 60;
    }
}

From there, all you need to do is

ufw allow 443
ufw allow 447

to get the firewall to allow the data through.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,290480,290492#msg-290492
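The setup above works because nginx picks the `server {}` block from the TLS SNI hostname and then proxies each site to its own Apache port. As an added example that is not part of the post, the script below parses `server {}` blocks from an nginx site file and reports the points a reviewer would raise against a layout like this one: a `server_name` repeated on the same listen port (which SNI cannot route, and which nginx silently drops), `ssl_protocols` still enabling TLS 1.0/1.1, the deprecated `ssl on;` directive, a `proxy_pass` location that does not forward the client's `Host` header (Apache then sees the backend address as `Host`, so name-based vhosts sharing one backend port cannot match), and `proxy_pass https://` without `proxy_ssl_verify on` (nginx does not verify upstream certificates by default). `SAMPLE_CONFIG`, its paths and backend addresses are constructed for the example and mirror the post's layout; the function names are this example's own.

```python
"""Added example (not from the original post): lint the server {} blocks of an nginx
SNI reverse-proxy site file for problems a reviewer would flag.  SAMPLE_CONFIG is
constructed for this example (placeholder paths/addresses, deliberate mistakes)."""
import re
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
SAMPLE_CONFIG = """server {
    listen 443 ssl http2;                # first site on the shared IP:port
    server_name mysite.com;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl on;
    location / {
        proxy_pass https://192.168.178.21:444/;
        proxy_set_header Host $host;
    }
}
server {
    listen 443 ssl http2;
    server_name v2.mysite.com;
    ssl_protocols TLSv1.2 TLSv1.3;
    location / {
        proxy_pass https://192.168.178.21:447/;
    }
}
server {
    listen 443 ssl http2;
    server_name mysite.com;              # repeats the first block's name
    ssl_protocols TLSv1.2 TLSv1.3;
    location / {
        proxy_pass https://192.168.178.21:448/;
        proxy_set_header Host $host;
        proxy_ssl_verify on;
    }
}
"""

def tokenize(text):
    """Strip # comments (not quote-aware), then split into words, quoted strings, braces, ';'."""
    text = re.sub(r"#[^\n]*", "", text)
    return re.findall(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+', text)

def parse_block(tokens, pos=0):
    """Recursive descent over 'args;' / 'args { ... }'; each node is (args, children_or_None)."""
    nodes, args = [], []
    while pos < len(tokens):
        tok, pos = tokens[pos], pos + 1
        if tok in (";", "{"):
            children, pos = parse_block(tokens, pos) if tok == "{" else (None, pos)
            nodes.append((args, children))
            args = []
        elif tok == "}":
            break
        else:
            args.append(tok.strip("\"'"))
    return nodes, pos

def find(children, name):
    """Child directives whose name matches exactly ('ssl' must not match 'ssl_certificate')."""
    return [n for n in children if n[0] and n[0][0] == name]

def check_location(label, loc):
    """Checks for one location {} that proxies to a backend."""
    targets = [d[0][1] for d in find(loc, "proxy_pass") if len(d[0]) > 1]
    if not targets:
        return []
    out = []
    headers = {d[0][1] for d in find(loc, "proxy_set_header") if len(d[0]) > 1}
    if "Host" not in headers:   # nginx's default is 'Host $proxy_host', i.e. the proxy_pass address
        out.append(f"{label}: proxy_pass without 'proxy_set_header Host $host'; the backend's name-based vhosts cannot match the client's hostname")
    verified = any(d[0][1:] == ["on"] for d in find(loc, "proxy_ssl_verify"))
    if any(t.startswith("https://") for t in targets) and not verified:
        out.append(f"{label}: proxy_pass over https without 'proxy_ssl_verify on' (nginx does not verify upstream certificates by default)")
    return out

def check_config(text):
    """Run every check over every server {} block; returns a list of finding strings."""
    tree, _ = parse_block(tokenize(text))
    findings, seen = [], set()                      # seen: (port, server_name) pairs
    for args, children in tree:
        if args[:1] != ["server"] or children is None:
            continue
        names = [n for d in find(children, "server_name") for n in d[0][1:]]
        ports = {d[0][1].rsplit(":", 1)[-1] for d in find(children, "listen") if len(d[0]) > 1}
        label = ",".join(names) or "<unnamed server>"
        for port in sorted(ports):
            for name in names:
                if (port, name) in seen:            # SNI cannot route two blocks with one name
                    findings.append(f"{label}: conflicting server_name '{name}' on port {port}; nginx keeps the first block and ignores this one")
                seen.add((port, name))
        if find(children, "ssl"):
            findings.append(f"{label}: 'ssl on;' is deprecated; the ssl parameter of listen replaces it")
        for d in find(children, "ssl_protocols"):
            if weak := sorted(set(d[0][1:]) & WEAK_PROTOCOLS):
                findings.append(f"{label}: ssl_protocols enables {' '.join(weak)}; allow TLSv1.2 and TLSv1.3 only")
        for d in find(children, "location"):
            findings.extend(check_location(label, d[1] or []))
    return findings

if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it prints six findings, one per deliberate mistake; pointed at a real site file (`check_config(open(path).read())`) it gives the same review for that file. Two things the lint does not see but that follow from the post's layout: nginx reaches Apache on the LAN address 192.168.178.21, so the backend ports (444, 447) only need to be reachable from the nginx host, and opening 447 in ufw exposes Apache directly and bypasses the nginx front end; and the Apache `SSLCipherSuite` strings above still admit RC4, which the same TLS 1.2-only policy the lint asks for would drop.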
