1
2  How to use multiple IPs on your server, including for your SSL-enabled sites?
3
4  You can use a quick and simple recipe, explained below.
5
6
7  1. Use an existing site or deploy a new one as usual, but do not enable the SSL features in Aegir.
8
9  2. Create two extra configuration files with contents as shown further below.
10
11     * Replace YO.UR.AEGIR.IP with your Aegir Hostmaster main IP address.
12     * Replace YO.UR.EXTRA.IP1,2,3 etc with correct extra IP addresses.
13     * Paste your SSL key in the file /etc/ssl/private/abc-ssl-enabled-domain.key
14     * Paste your SSL certificate and all intermediate certificates (bundles)
15       in the file /etc/ssl/private/abc-ssl-enabled-domain.crt
16
17  3. Restart Nginx with `service nginx reload` or `service nginx restart`. Done!
18
19
20
21 ###
22 ### Plain HTTP proxy to add more IPs for HTTP connections (START)
23 ###
24 ### CREATE THIS FILE AS: /var/aegir/config/server_master/nginx/pre.d/extra_ip.conf
25 ###
# Backend for the plain-HTTP proxy: the Aegir Hostmaster main IP
# (placeholder, replace before use), port 80.
upstream extra_ip {
    server YO.UR.AEGIR.IP:80;
}
# Catch-all HTTP listener on the extra addresses. Every request is relayed to
# the extra_ip upstream with the original Host header preserved.
server {
    listen YO.UR.EXTRA.IP1:80;
    listen YO.UR.EXTRA.IP2:80;
    listen YO.UR.EXTRA.IP3:80;
    server_name _;

    location / {
        proxy_pass http://extra_ip;
        proxy_redirect off;
        gzip_vary off;

        # Request headers handed to the backend.
        # $proxy_add_x_forwarded_for appends the peer address to whatever
        # X-Forwarded-For the client sent, so only the last entry (or
        # X-Real-IP) is set by this proxy; earlier entries are client-supplied.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-By $server_addr:$server_port;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Local-Proxy $scheme;

        # Response headers allowed through to the client. nginx hides the
        # X-Accel-* fields by default; these lines let them through.
        # NOTE(review): confirm that exposing X-Accel-Redirect is intended.
        proxy_pass_header Set-Cookie;
        proxy_pass_header Cookie;
        proxy_pass_header X-Accel-Expires;
        proxy_pass_header X-Accel-Redirect;
        proxy_pass_header X-This-Proto;

        # Upstream timeouts, in seconds.
        proxy_connect_timeout 300;
        proxy_send_timeout 300;
        proxy_read_timeout 300;

        # Response buffering.
        proxy_buffer_size 4k;
        proxy_buffers 4 32k;
        proxy_busy_buffers_size 64k;
        proxy_temp_file_write_size 64k;

        # No access log is written here; presumably the backend vhost logs
        # the request instead - verify before relying on it for audit.
        access_log off;
        log_not_found off;
    }
}
59 ###
60 ### Plain HTTP proxy to add more IPs for HTTP connections (END)
61 ###
62
63
64
65 ###
66 ### Secure HTTPS proxy to add more IPs for HTTPS connections (START)
67 ###
68 ### CREATE THIS FILE AS: /var/aegir/config/server_master/nginx/pre.d/extra_ip_ssl.conf
69 ###
# Backend for the HTTPS proxy: the Aegir Hostmaster main IP (placeholder,
# replace before use). The backend port is 80, so TLS ends at the proxy
# server blocks and the hop to the backend is plain HTTP.
upstream extra_ip_ssl {
    server YO.UR.AEGIR.IP:80;
}
73 ###
74 ### FOR abc-ssl-enabled-domain.com
75 ###
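# TLS-terminating proxy for abc-ssl-enabled-domain.com on its own extra IP.
# Requests are decrypted here and relayed to the extra_ip_ssl upstream.
server {
    # "listen ... ssl" replaces the separate "ssl on;" directive, which newer
    # nginx releases deprecate and later remove.
    listen YO.UR.EXTRA.IP1:443 ssl;
    server_name _;

    # Certificate (with intermediates) and its private key.
    # Keep the .key file readable by root only.
    ssl_certificate /etc/ssl/private/abc-ssl-enabled-domain.crt;
    ssl_certificate_key /etc/ssl/private/abc-ssl-enabled-domain.key;
    ssl_session_timeout 5m;

    # SSLv3 is no longer offered: it is broken by the POODLE attack and
    # deprecated by RFC 7568. RC4 is no longer offered: RFC 7465 prohibits it
    # in TLS. TLSv1 and TLSv1.1 are themselves deprecated (RFC 8996); remove
    # them once no legacy clients depend on them.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    keepalive_timeout 70;

    # Deny known crawlers and shed load. $is_crawler and $deny_on_high_load
    # are not defined in this file; they must be set elsewhere in the nginx
    # configuration or the config test will fail.
    if ($is_crawler) {
        return 403;
    }
    if ($deny_on_high_load) {
        return 503;
    }

    location / {
        proxy_pass http://extra_ip_ssl;
        proxy_redirect off;
        gzip_vary off;

        # Request headers handed to the backend. X-Forwarded-Proto tells the
        # backend the client connection used HTTPS. $proxy_add_x_forwarded_for
        # appends to any client-supplied X-Forwarded-For, so only the last
        # entry (or X-Real-IP) is set by this proxy.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-By $server_addr:$server_port;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Local-Proxy $scheme;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Response headers allowed through to the client. nginx hides the
        # X-Accel-* fields by default; these lines let them through.
        # NOTE(review): confirm that exposing X-Accel-Redirect is intended.
        proxy_pass_header Set-Cookie;
        proxy_pass_header Cookie;
        proxy_pass_header X-Accel-Expires;
        proxy_pass_header X-Accel-Redirect;
        proxy_pass_header X-This-Proto;

        # Upstream timeouts, in seconds.
        proxy_connect_timeout 300;
        proxy_send_timeout 300;
        proxy_read_timeout 300;

        # Response buffering.
        proxy_buffer_size 4k;
        proxy_buffers 4 32k;
        proxy_busy_buffers_size 64k;
        proxy_temp_file_write_size 64k;

        # No access log is written here; presumably the backend vhost logs
        # the request instead - verify before relying on it for audit.
        access_log off;
        log_not_found off;
    }
}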
122 ###
123 ### FOR xyz-ssl-enabled-domain.com
124 ###
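# TLS-terminating proxy for xyz-ssl-enabled-domain.com on its own extra IP.
# Requests are decrypted here and relayed to the extra_ip_ssl upstream.
server {
    # "listen ... ssl" replaces the separate "ssl on;" directive, which newer
    # nginx releases deprecate and later remove.
    listen YO.UR.EXTRA.IP2:443 ssl;
    server_name _;

    # Certificate (with intermediates) and its private key.
    # Keep the .key file readable by root only.
    ssl_certificate /etc/ssl/private/xyz-ssl-enabled-domain.crt;
    ssl_certificate_key /etc/ssl/private/xyz-ssl-enabled-domain.key;
    ssl_session_timeout 5m;

    # SSLv3 is no longer offered: it is broken by the POODLE attack and
    # deprecated by RFC 7568. RC4 is no longer offered: RFC 7465 prohibits it
    # in TLS. TLSv1 and TLSv1.1 are themselves deprecated (RFC 8996); remove
    # them once no legacy clients depend on them.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    keepalive_timeout 70;

    # Deny known crawlers and shed load. $is_crawler and $deny_on_high_load
    # are not defined in this file; they must be set elsewhere in the nginx
    # configuration or the config test will fail.
    if ($is_crawler) {
        return 403;
    }
    if ($deny_on_high_load) {
        return 503;
    }

    location / {
        proxy_pass http://extra_ip_ssl;
        proxy_redirect off;
        gzip_vary off;

        # Request headers handed to the backend. X-Forwarded-Proto tells the
        # backend the client connection used HTTPS. $proxy_add_x_forwarded_for
        # appends to any client-supplied X-Forwarded-For, so only the last
        # entry (or X-Real-IP) is set by this proxy.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-By $server_addr:$server_port;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Local-Proxy $scheme;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Response headers allowed through to the client. nginx hides the
        # X-Accel-* fields by default; these lines let them through.
        # NOTE(review): confirm that exposing X-Accel-Redirect is intended.
        proxy_pass_header Set-Cookie;
        proxy_pass_header Cookie;
        proxy_pass_header X-Accel-Expires;
        proxy_pass_header X-Accel-Redirect;
        proxy_pass_header X-This-Proto;

        # Upstream timeouts, in seconds.
        proxy_connect_timeout 300;
        proxy_send_timeout 300;
        proxy_read_timeout 300;

        # Response buffering.
        proxy_buffer_size 4k;
        proxy_buffers 4 32k;
        proxy_busy_buffers_size 64k;
        proxy_temp_file_write_size 64k;

        # No access log is written here; presumably the backend vhost logs
        # the request instead - verify before relying on it for audit.
        access_log off;
        log_not_found off;
    }
}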
171 ###
172 ### Secure HTTPS proxy to add more IPs for HTTPS connections (END)
173 ###
174