1
How to use multiple IPs on your server, including for your SSL enabled sites
3
4  You can use a quick and simple recipe, explained below.
5
6
1. Use an existing site or deploy a new one as usual - do NOT enable the SSL
   features in Aegir: TLS is terminated by the extra proxy server blocks below,
   and the site itself keeps being served over plain HTTP on the main IP.
8
9  2. Create two extra configuration files with contents as shown further below.
10
11     * Replace YO.UR.AEGIR.IP with your Aegir Hostmaster main IP address.
12     * Replace YO.UR.EXTRA.IP1,2,3 etc with correct extra IP addresses.
   * Paste your SSL private key in the file /etc/ssl/private/abc-ssl-enabled-domain.key
     and make it readable by root only (chmod 600) - it is the secret half of the setup.
   * Paste your SSL certificate followed by all intermediate certificates (the chain:
     server certificate first, then the intermediates, no root CA needed)
     in the file /etc/ssl/private/abc-ssl-enabled-domain.crt
16
3. Check the configuration with `nginx -t`, then apply it with `service nginx reload`
   or `service nginx restart`. Done!
18
19
20
21 ###
22 ### Plain HTTP proxy to add more IPs for HTTP connections (START)
23 ###
24 ### CREATE THIS FILE AS: /var/aegir/config/server_master/nginx/pre.d/extra_ip.conf
25 ###
upstream extra_ip {
  # Single backend: the Aegir hostmaster vhosts listening on the main IP,
  # reached over plain HTTP on port 80.
  server YO.UR.AEGIR.IP:80;
}
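server {
  # Plain-HTTP front end on the extra IPs. Every request is proxied to the
  # Aegir hostmaster vhosts on the main IP (the extra_ip upstream above).
  listen                       YO.UR.EXTRA.IP1:80;
  listen                       YO.UR.EXTRA.IP2:80;
  listen                       YO.UR.EXTRA.IP3:80;
  # Catch-all name: the backend does the real name-based vhost routing,
  # using the Host header forwarded below.
  server_name                  _;
  ###
  ### Optional permanent redirect to HTTPS per domain/regex.
  ### $request_uri (raw path + query string) is used instead of "$uri?" so
  ### the query string survives the redirect and percent-encoding is kept
  ### as the client sent it. The anchored regex on $host keeps a client
  ### from steering the redirect to an arbitrary host.
  ###
  if ($host ~* ^(www\.)?(foo\.com)$) {
    return 301 https://$host$request_uri;
  }
  location / {
    proxy_pass                 http://extra_ip;
    proxy_redirect             off;
    gzip_vary                  off;
    proxy_set_header           Host              $host;
    proxy_set_header           X-Real-IP         $remote_addr;
    proxy_set_header           X-Forwarded-By    $server_addr:$server_port;
    proxy_set_header           X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header           X-Local-Proxy     $scheme;
    # Same header the HTTPS proxy blocks send, so the backend can treat
    # both front ends alike when deciding the original scheme.
    proxy_set_header           X-Forwarded-Proto $scheme;
    proxy_pass_header          Set-Cookie;
    proxy_pass_header          Cookie;
    proxy_pass_header          X-Accel-Expires;
    proxy_pass_header          X-Accel-Redirect;
    proxy_pass_header          X-This-Proto;
    proxy_connect_timeout      180;
    proxy_send_timeout         180;
    proxy_read_timeout         180;
    proxy_buffer_size          4k;
    proxy_buffers              4 32k;
    proxy_busy_buffers_size    64k;
    proxy_temp_file_write_size 64k;
    # Access logging is off here on the assumption that the backend vhosts
    # log; they get the client address via X-Real-IP / X-Forwarded-For.
    access_log                 off;
    log_not_found              off;
  }
}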
65 ###
66 ### Plain HTTP proxy to add more IPs for HTTP connections (END)
67 ###
68
69
70
###
### Secure HTTPS proxy to add more IPs for HTTPS connections (START)
###
### CREATE THIS FILE AS: /var/aegir/config/server_master/nginx/pre.d/extra_ip_ssl.conf
###
### NOTE: TLS is terminated in these server blocks and the request is then
### re-sent as plain HTTP to YO.UR.AEGIR.IP:80 (the same host). The backend
### only learns that the client used HTTPS from the X-Forwarded-Proto header
### set below, so it must trust that header from this proxy; keep the main
### IP's port 80 from trusting it from arbitrary clients.
###
upstream extra_ip_ssl {
  # Backend for the TLS-terminating server blocks below: the Aegir
  # hostmaster vhosts on the main IP, plain HTTP on port 80.
  server YO.UR.AEGIR.IP:80;
}
79 ###
80 ### FOR abc-ssl-enabled-domain.com
81 ###
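server {
  # HTTPS front end for abc-ssl-enabled-domain.com, bound to its own IP.
  # TLS is terminated here; the request continues to the Aegir vhosts on
  # the main IP over plain HTTP (extra_ip_ssl upstream), so the backend
  # learns the original scheme only from X-Forwarded-Proto below.
  # "listen ... ssl" replaces the deprecated "ssl on;" directive.
  listen                       YO.UR.EXTRA.IP1:443 ssl;
  # One certificate per IP, no SNI involved, so a catch-all name is fine.
  server_name                  _;
  ssl_certificate              /etc/ssl/private/abc-ssl-enabled-domain.crt;
  ssl_certificate_key          /etc/ssl/private/abc-ssl-enabled-domain.key;
  ssl_session_cache            shared:SSL:10m;
  ssl_session_timeout          5m;
  # SSLv3 (POODLE) and TLS 1.0/1.1 are no longer offered. Add TLSv1.3 here
  # once the installed nginx (>= 1.13.0) and OpenSSL (>= 1.1.1) support it.
  ssl_protocols                TLSv1.2;
  # RC4 is broken and must not be offered (it was the preferred suite
  # before); 3DES is excluded as well (SWEET32).
  ssl_ciphers                  HIGH:!aNULL:!MD5:!RC4:!3DES;
  ssl_prefer_server_ciphers    on;
  # Consider HSTS once every host under this domain is served over HTTPS:
  # add_header Strict-Transport-Security "max-age=31536000";
  keepalive_timeout            70;
  ###
  ### Deny known crawlers. $is_crawler is not defined in this file; it is
  ### presumably a map from the main BOA nginx configuration - verify.
  ###
  if ($is_crawler) {
    return 403;
  }
  location / {
    proxy_pass                 http://extra_ip_ssl;
    proxy_redirect             off;
    gzip_vary                  off;
    proxy_set_header           Host              $host;
    proxy_set_header           X-Real-IP         $remote_addr;
    proxy_set_header           X-Forwarded-By    $server_addr:$server_port;
    proxy_set_header           X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header           X-Local-Proxy     $scheme;
    # Tells the plain-HTTP backend that the client connection was HTTPS.
    proxy_set_header           X-Forwarded-Proto $scheme;
    proxy_pass_header          Set-Cookie;
    proxy_pass_header          Cookie;
    proxy_pass_header          X-Accel-Expires;
    proxy_pass_header          X-Accel-Redirect;
    proxy_pass_header          X-This-Proto;
    proxy_connect_timeout      180;
    proxy_send_timeout         180;
    proxy_read_timeout         180;
    proxy_buffer_size          4k;
    proxy_buffers              4 32k;
    proxy_busy_buffers_size    64k;
    proxy_temp_file_write_size 64k;
    # Access logging is off here on the assumption that the backend vhosts
    # log; they get the client address via X-Real-IP / X-Forwarded-For.
    access_log                 off;
    log_not_found              off;
  }
}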
125 ###
126 ### FOR xyz-ssl-enabled-domain.com
127 ###
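server {
  # HTTPS front end for xyz-ssl-enabled-domain.com, bound to its own IP.
  # TLS is terminated here; the request continues to the Aegir vhosts on
  # the main IP over plain HTTP (extra_ip_ssl upstream), so the backend
  # learns the original scheme only from X-Forwarded-Proto below.
  # "listen ... ssl" replaces the deprecated "ssl on;" directive.
  listen                       YO.UR.EXTRA.IP2:443 ssl;
  # One certificate per IP, no SNI involved, so a catch-all name is fine.
  server_name                  _;
  ssl_certificate              /etc/ssl/private/xyz-ssl-enabled-domain.crt;
  ssl_certificate_key          /etc/ssl/private/xyz-ssl-enabled-domain.key;
  ssl_session_cache            shared:SSL:10m;
  ssl_session_timeout          5m;
  # SSLv3 (POODLE) and TLS 1.0/1.1 are no longer offered. Add TLSv1.3 here
  # once the installed nginx (>= 1.13.0) and OpenSSL (>= 1.1.1) support it.
  ssl_protocols                TLSv1.2;
  # RC4 is broken and must not be offered (it was the preferred suite
  # before); 3DES is excluded as well (SWEET32).
  ssl_ciphers                  HIGH:!aNULL:!MD5:!RC4:!3DES;
  ssl_prefer_server_ciphers    on;
  # Consider HSTS once every host under this domain is served over HTTPS:
  # add_header Strict-Transport-Security "max-age=31536000";
  keepalive_timeout            70;
  ###
  ### Deny known crawlers. $is_crawler is not defined in this file; it is
  ### presumably a map from the main BOA nginx configuration - verify.
  ###
  if ($is_crawler) {
    return 403;
  }
  location / {
    proxy_pass                 http://extra_ip_ssl;
    proxy_redirect             off;
    gzip_vary                  off;
    proxy_set_header           Host              $host;
    proxy_set_header           X-Real-IP         $remote_addr;
    proxy_set_header           X-Forwarded-By    $server_addr:$server_port;
    proxy_set_header           X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header           X-Local-Proxy     $scheme;
    # Tells the plain-HTTP backend that the client connection was HTTPS.
    proxy_set_header           X-Forwarded-Proto $scheme;
    proxy_pass_header          Set-Cookie;
    proxy_pass_header          Cookie;
    proxy_pass_header          X-Accel-Expires;
    proxy_pass_header          X-Accel-Redirect;
    proxy_pass_header          X-This-Proto;
    proxy_connect_timeout      180;
    proxy_send_timeout         180;
    proxy_read_timeout         180;
    proxy_buffer_size          4k;
    proxy_buffers              4 32k;
    proxy_busy_buffers_size    64k;
    proxy_temp_file_write_size 64k;
    # Access logging is off here on the assumption that the backend vhosts
    # log; they get the client address via X-Real-IP / X-Forwarded-For.
    access_log                 off;
    log_not_found              off;
  }
}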
171 ###
172 ### Secure HTTPS proxy to add more IPs for HTTPS connections (END)
173 ###
174