#1 2016-11-02 12:41:01

whoops
Member
Registered: 2009-03-19
Posts: 891

Simple apache (~30) vhost setup?

Hi!


Because my small private Debian server is the biggest mess ever... I'm migrating a few (~30) vhosts (it's mostly a collection of small tools for private use running on different subdomains) to an Arch Linux server and looking for a way to set them up in a simple & orderly manner that will - ideally - be really easy to maintain once it's set up. The vhosts are (mostly) the same except for the host name and the directory:
* one user (mod_itk) per vhost
* one directory per vhost (could even use a common naming scheme for most)
* one letsencrypt certificate per vhost (if possible... still learning and only tested on Debian so far)

My "draft" for a solution so far looks like this:
* make one template for all the config files
* one file that serves as an array of host name and directory tuples
bash script that...:
* creates a user account based on the host name if none exists
* generates one config file for each vhost from the template + array file
* does the certbot thing (that I have yet to figure out) for each vhost separately somehow
and then...:
* I probably need to implement some workarounds for system packaged stuff like e.g. phpmyadmin


My server-related knowledge is a "bit" out of date (I was using Debian Woody for a long long time... used some back-ports... did very messy upgrades to Lenny and later Wheezy... all without changing much of the configurations) and I'm well aware that there might be better / more modern / more vanilla / "arch way" solutions for what I'm trying to do... they're just damn hard to find.

Is there anything I forgot / should be aware of before I invest a lot more time into this (possibly terrible?) solution? If someone could throw the right keywords to "research" my way, that would probably help a lot already...

#2 2016-11-07 18:41:19

zenlord
Member
From: Belgium
Registered: 2006-05-24
Posts: 1,221

Re: Simple apache (~30) vhost setup?

I don't have 30 subdomains to manage, but for 5-10, I'm just using (on Debian Jessie, so paths may differ):
* Apache includes (e.g. for SSL information, for general server information and for basic authentication)
* a certbot 'standalone' cron script that is almost vanilla from the package /etc/cron.d/certbot
* Inside each vhost file, I have a minimal section for port 80 with only a 302 Permanent Redirect and the 'general server information'-include to the other section for port 443

With includes, you can manage all fixed information from a few central files (don't forget to reload the configuration after a change), you don't have to worry about certificates at all, and authentication can be managed through a host of solutions (I'm using a mix between LDAP and file-based basic authentication - but only use basic authentication over an encrypted connection!).

HTH,
Vincent

#3 2016-11-07 19:15:36

whoops
Member
Registered: 2009-03-19
Posts: 891

Re: Simple apache (~30) vhost setup?

Oh, thanks!

Forgot to update this thread...

I discovered mod_macro, which is great for my purposes (still a bit buggy when it comes to accesses to non-existent domains on port 443, but probably because I'm doing it wrong)... work in progress:

```apache
LoadModule macro_module modules/mod_macro.so

# normal way of setting default server didn't seem to work quite right... so ended up with this temporary "fix":
ServerName localhost
<VirtualHost _default_:80>
</VirtualHost>
<VirtualHost _default_:443>
</VirtualHost>

# Template
<Macro VHost $domain>
<VirtualHost *:80>
    ServerName $domain
    ServerAlias www.$domain
    Redirect permanent / https://$domain/
</VirtualHost>

<VirtualHost *:443>
    ServerName $domain
    DocumentRoot "/www/$domain"
    <Directory "/www/$domain">
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog "/var/log/httpd/$domain.error.log"
    CustomLog "/var/log/httpd/$domain.access.log" combined
    # didn't manage to figure out how to check if the cert exists
    # <If "-f '/etc/letsencrypt/live/$domain/cert.pem'">
        SSLCertificateFile /etc/letsencrypt/live/$domain/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/$domain/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/$domain/chain.pem
    # </If>

</VirtualHost>
</Macro>

# Yay, only one line per (sub)domain!
Use VHost example.com
Use VHost test.example.com
Use VHost web-application.example.com

UndefMacro VHost
```

Letting certbot run over the directory names in /www that don't have a certificate yet was an easy one-liner, too (temporarily killed Apache, used standalone server) and since "renew" has its own configs, I don't even have to write a script for that...

I'll probably have to add another variable to the macro with the username for mod_itk because the punctuation in domain names doesn't work in usernames. Couldn't find a way to regex the punctuation away from inside an Apache config macro - which might be impossible ... but at the moment I'm too stubborn to admit that, so I'm working on the other workarounds first.
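
Added example, not part of the original posts: since the username cannot be derived and the certificate cannot be tested inside the macro, both can be done by a small script that generates the `Use VHost` lines. It assumes the macro is extended with a hypothetical second `$user` parameter, that `sha256sum` is available, and that the paths are the ones from the post; the function names are made up for this sketch.

```shell
#!/bin/sh
# Added example, not from the thread. Prints "Use VHost <domain> <user>" lines.
# Assumed: the macro gains a second, hypothetical $user parameter.
LC_ALL=C; export LC_ALL                    # keep a-z ranges ASCII-only
WWW_ROOT=${WWW_ROOT:-/www}                 # one directory per vhost (path from the post)
LE_LIVE=${LE_LIVE:-/etc/letsencrypt/live}  # certbot's live directory (path from the post)

# Accept only dot-separated labels of [a-z0-9-]. Directory names end up inside
# the Apache config, so anything else (spaces, quotes, newlines) is refused.
valid_domain() {
    [ "${#1}" -le 253 ] || return 1
    case $1 in
        ''|*[!a-z0-9.-]*) return 1 ;;            # empty or foreign character
        .*|*.|-*|*-|*..*|*.-*|*-.*) return 1 ;;  # malformed label boundary
        *.*) return 0 ;;
        *) return 1 ;;                           # no dot, e.g. "tmp"
    esac
}

# Domain -> Unix user name: punctuation becomes "_", and a short hash of the
# full name keeps "a-b.example.com" and "a.b.example.com" apart. Max 31 chars.
domain_to_user() (
    base=$(printf '%s' "$1" | tr '.-' '__')
    hash=$(printf '%s' "$1" | sha256sum | cut -c1-6)
    printf 'w_%.22s_%s\n' "$base" "$hash"
)

# One macro call per directory that is a valid hostname and already has a
# certificate, so httpd never references a missing cert.pem at startup.
emit_vhosts() (
    for dir in "$WWW_ROOT"/*/; do
        [ -d "$dir" ] || continue
        d=$(basename "$dir")
        if ! valid_domain "$d"; then
            echo "skip (not a hostname): $d" >&2; continue
        fi
        if [ ! -f "$LE_LIVE/$d/cert.pem" ] || [ ! -f "$LE_LIVE/$d/privkey.pem" ]; then
            echo "skip (no certificate yet): $d" >&2; continue
        fi
        printf 'Use VHost %s %s\n' "$d" "$(domain_to_user "$d")"
    done
)

emit_vhosts   # redirect the output into a file that httpd.conf includes
```

Run `apachectl configtest` on the generated include before reloading, so a bad line never takes down the vhosts that are already being served.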
