~ekez/negativefour

ref: a3ba218efef2773e5826b94d9ca3c096795b3ddc negativefour/docs/multiple-sites-one-host.md -rw-r--r-- 5.7 KiB
a3ba218e Zeke Medley: Fix race condition between apache restart and status check (8 months ago)

# Serving multiple webpages from one server

I found this guide covered the process very well.

The only change that I made was that instead of storing webpages in /var/www/ I instead chose to store them in /home/admin/www as that way root is not required to add a new webpage. This meant that I needed to add the following to /etc/apache2/apache2.conf:

```apache
# We store our html folders in /home/admin as I don't want to have to
# be root in order to add new files. Here we enable access to that
# directory.
<Directory /home/admin/www/>
	# Indexes turns on automatic directory listings for any directory
	# without an index file; drop it if you do not want that.
	Options Indexes FollowSymLinks
	AllowOverride None
	Require all granted
</Directory>
```

# Configuring SSL

  1. Follow the directions for getting a cert here.
  2. Having done that, modify the VirtualHost configuration for the servers to include one listening on port 443 (https):

     ```apache
     <IfModule mod_ssl.c>
     <VirtualHost *:443>
           ServerAdmin zekemedley@gmail.com
           ServerName bike.negativefour.com
           DocumentRoot /home/admin/www/html/bike.negativefour.com
           DirectoryIndex index.html
           ErrorLog ${APACHE_LOG_DIR}/bike.negativefour.com_error.log
           CustomLog ${APACHE_LOG_DIR}/bike.negativefour.com_access.log combined

           SSLCertificateFile /etc/letsencrypt/live/negativefour.com/fullchain.pem
           SSLCertificateKeyFile /etc/letsencrypt/live/negativefour.com/privkey.pem
           Include /etc/letsencrypt/options-ssl-apache.conf
     </VirtualHost>
     </IfModule>
     ```

  3. If that does not make things work, also try enabling the ssl module for apache2. Something like `sudo a2enmod ssl` ought to work.
  4. The location of the installed certificates can be determined by running `sudo certbot certificates`.

# Signing SSL when you do not control the DNS

If we want to allow users to use custom domains with our service we need to be able to obtain SSL certificates for those custom domains. For example, if I want to serve zmedley.com instead of zeke.negativefour.com, the webserver needs a certificate that says it is allowed to serve zmedley.com.

For wildcard domains, a certificate is issued only after you prove you control the DNS settings by publishing a record the CA can observe. For non-wildcard domains it is simpler: all you need to do is prove that you control the website by placing a file on it that the CA can fetch.

As such, if a user were to register a custom domain with us the process would be as follows:

  1. The user tells us the name of their custom domain.
  2. The user adds an A record pointing to our IP address.
  3. Once the A record has been added we issue a cert, as the website will now resolve to us.
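Step 3 only works once the name really resolves to us, so it is worth checking before calling certbot. The preflight check below is an added example, not code from the negativefour project: `custom_domain_ready` is a hypothetical helper that refuses wildcard names (they need the DNS challenge), validates the hostname, and then requires that every A record points at our address. A resolver is injected so the logic can be exercised offline; the default uses the system resolver. The IP addresses in the usage at the bottom are constructed documentation addresses.

```python
import re
import socket
from typing import Callable, Iterable, List, Tuple

# Hypothetical helper (not part of negativefour): decide whether a customer's
# custom domain is ready for HTTP-01 certificate issuance on this host.

# RFC-1123 style hostname: labels of 1-63 chars, no leading/trailing hyphen,
# at least two labels, 253 chars overall.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$"
)


def resolve_a_records(domain: str) -> List[str]:
    """Live resolver: the IPv4 addresses public DNS currently returns for domain."""
    try:
        infos = socket.getaddrinfo(domain, 80, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def custom_domain_ready(
    domain: str,
    our_ip: str,
    resolver: Callable[[str], Iterable[str]] = resolve_a_records,
) -> Tuple[bool, str]:
    """Return (ok, reason). ok is True only when every A record is our_ip."""
    name = domain.strip().rstrip(".").lower()
    if name.startswith("*."):
        return False, "wildcard names need the DNS challenge, not HTTP-01"
    if not HOSTNAME_RE.match(name):
        return False, f"{domain!r} is not a valid hostname"
    addrs = set(resolver(name))
    if not addrs:
        return False, f"{name} has no A record yet"
    if addrs == {our_ip}:
        return True, f"{name} resolves only to {our_ip}"
    others = sorted(addrs - {our_ip})
    if our_ip in addrs:
        # Round-robin between us and someone else: the CA's HTTP-01 fetch may
        # land on the other host and fail, and the customer has not fully moved.
        return False, f"{name} also resolves to {others}; HTTP-01 may hit another host"
    return False, f"{name} resolves to {others}, not {our_ip}"


if __name__ == "__main__":
    # Constructed addresses from the documentation ranges, not real hosts.
    fake_dns = {"zmedley.com": ["203.0.113.10"],
                "half-moved.example": ["203.0.113.10", "198.51.100.7"]}
    for candidate in ("zmedley.com", "half-moved.example", "*.zmedley.com", "no-record.example"):
        print(candidate, custom_domain_ready(candidate, "203.0.113.10", lambda d: fake_dns.get(d, [])))
```

Only issue the certificate when the check returns True; a name that resolves partly elsewhere should be reported back to the user rather than retried blindly.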

# Running on multiple ports for hidden service compatibility

Tor hidden services map an external port to an internal one. They do not have a "Host" header which might tell us what webpage to serve. As such we need to run each webpage on two ports: port 80 for external connections, and then a unique internal port which we will use for our hidden service.

The additional config for this looks something like:

```apache
Listen 3002

<VirtualHost *:80 127.0.0.1:3002>
```

The `Listen 3002` line tells apache to listen for connections on that port, and the `127.0.0.1:3002` says that this VirtualHost also answers on that localhost port.

The behavior of this "use the loopback address" setup is interesting. The webpage will not be served on `<external ip>:3002`, but as apache is listening on that port on every interface, visiting `<external ip>:3002` will show the default apache landing page. We should make sure that only port 80 is open in our firewall settings.

# Hooking up hidden services manually

To expose running VirtualHosts as tor hidden services we can add lines to our torrc that look something like this:

```
HiddenServiceDir /var/lib/tor/fish.negativefour.com/
HiddenServicePort 80 127.0.0.1:3002

HiddenServiceDir /var/lib/tor/bike.negativefour.com/
HiddenServicePort 80 127.0.0.1:3001
```

The .onion address of each running service will then be located in /var/lib/tor/fish.negativefour.com/hostname and /var/lib/tor/bike.negativefour.com/hostname respectively.

# Onion-Location configuration

The Tor project has excellent documentation about this here.

TL;DR - run `sudo a2enmod headers rewrite`, then add a line like the following to the https VirtualHost:

```apache
Header set Onion-Location "http://cdayss42pmtf3i2zogkdjefjhnzkzplukx4vwg7jwf2twz62h4qde3id.onion%{REQUEST_URI}s"
```

# Default Server Configuration

If we do not modify the default server, then whenever no VirtualHost matches the Host header apache2 serves the first VirtualHost (for that port) that it loaded, which is the first one alphabetically. This is less than ideal. To fix this we replace 000-default.conf with the following config:

```apache
<VirtualHost *:80>
	Redirect 301 / https://negativefour.com/
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
	Redirect 301 / https://negativefour.com
	SSLCertificateFile /etc/letsencrypt/live/negativefour.app/fullchain.pem
	SSLCertificateKeyFile /etc/letsencrypt/live/negativefour.app/privkey.pem
	Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
```

As 0 sorts before every letter, this will always be the first match and will redirect requests for unknown hosts to https://negativefour.com.

# Useful facts

  • The config for a site is stored in `/etc/apache2/sites-available/bike.negativefour.com.conf`
  • The html for a site is stored in `/home/admin/www/html/bike.negativefour.com`
  • Remember to run `sudo a2ensite <SITE NAME>` to enable apache serving the webpage.