Re: how would i host more than 2 sites on the same port and IP address?

January 14, 2021 10:40PM
cool :)

i was able to get it to work.
for completeness' sake, and for all those looking for an explanation as to how to get this done properly, i will post my setup to this list now.

sorry if this seems clueless to the members of this list, but please realize that there are plenty of people out there who are entirely new to the field of system administration, like i was about 2 weeks ago..

i had to edit /etc/apache2/ports.conf, to resemble this :

<IfModule ssl_module>
    Listen 192.168.178.21:444
    Listen 192.168.178.21:447
</IfModule>

<IfModule mod_gnutls.c>
    Listen 192.168.178.21:444
    Listen 192.168.178.21:447
</IfModule>

and /etc/apache2/sites-enabled/002-mysite.com to resemble this :

<VirtualHost *:444>
    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.
    #ServerName www.example.com
    ServerName mysite.com

    ServerAdmin rene.veerman@nicer.app
    DocumentRoot /home/rene/data1/htdocs/mysite.com

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn
    LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.443.log
    CustomLog ${APACHE_LOG_DIR}/access.443.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf
    <Directory /home/rene/data1/htdocs/mysite.com>
        Options -Indexes -FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS +RC4 RC4"

    #godaddy supplied SSL keys, rehashed with certbot (see the friendly manual)
    SSLCertificateFile /home/rene/data1/certificates/apache-ssl/a8f38c612dbe2a7e.crt
    SSLCertificateKeyFile /home/rene/data1/certificates/apache-ssl/mysite.com.key
    SSLCertificateChainFile /home/rene/data1/certificates/apache-ssl/gd_bundle-g2-g1.crt
</VirtualHost>

<VirtualHost *:447>
    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.
    #ServerName www.example.com
    ServerName v2.mysite.com

    ServerAdmin rene.veerman.netherlands@gmail.com
    DocumentRoot /home/rene/data1/htdocs/mysite.com_v2

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn
    #LogLevel info ssl:warn
    LogLevel debug

    ErrorLog ${APACHE_LOG_DIR}/error.447.log
    CustomLog ${APACHE_LOG_DIR}/access.447.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf
    <Directory /home/rene/data1/htdocs/mysite.com_v2>
        AllowOverride None
        Require all granted
    </Directory>

    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS +RC4 RC4"

    #simple output of 'certbot certonly v2.mysite.com' (running on port 80 for the occasion)
    SSLCertificateFile /etc/letsencrypt/live/v2.mysite.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/v2.mysite.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/v2.mysite.com/fullchain.pem
</VirtualHost>

from there, you can detect if your apache setup is running correctly by running this command :

netstat -nltp | grep apache

then, there's the nginx setup.. /etc/nginx/sites-enabled/00-default-ssl.conf :
(mail.mysite.com runs iRedMail on ubuntu 20.04)

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name mail.mysite.com;
    root /var/www/html;

    index index.php index.html;

    include /etc/nginx/templates/misc.tmpl;
    include /etc/nginx/templates/ssl.tmpl;
    include /etc/nginx/templates/iredadmin.tmpl;
    include /etc/nginx/templates/roundcube.tmpl;
    include /etc/nginx/templates/sogo.tmpl;
    include /etc/nginx/templates/netdata.tmpl;
    include /etc/nginx/templates/php-catchall.tmpl;
    include /etc/nginx/templates/stub_status.tmpl;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name mysite.com;
    root /home/rene/data1/htdocs/mysite.com;

    ssl_certificate /home/rene/data1/certificates/other-ssl/all.crt;
    ssl_certificate_key /home/rene/data1/certificates/other-ssl/mysite.com.key;

    ssl on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !kECDH !DSS !MD5 !RC4 !EXP !PSK !SRP !CAMELLIA !SEED';
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparam.pem;

    location / {
        proxy_pass https://192.168.178.21:444/;
        proxy_redirect off;
        proxy_buffering off;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Ssl on;

        proxy_connect_timeout 159s;
        proxy_send_timeout 60;
        proxy_read_timeout 60;
        send_timeout 60;
        resolver_timeout 60;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name v2.mysite.com;
    root /home/rene/data1/htdocs/mysite.com_v2;

    ssl_certificate /etc/letsencrypt/live/v2.mysite.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/v2.mysite.com/privkey.pem;

    ssl on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !kECDH !DSS !MD5 !RC4 !EXP !PSK !SRP !CAMELLIA !SEED';
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparam.pem;

    location / {
        proxy_pass https://192.168.178.21:447/;
        proxy_redirect off;
        proxy_buffering off;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Ssl on;

        proxy_connect_timeout 159s;
        proxy_send_timeout 60;
        proxy_read_timeout 60;
        send_timeout 60;
        resolver_timeout 60;
    }
}

from there, all you need to do is

ufw allow 443
ufw allow 447

to get the firewall to allow the data through
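
Added example, not part of the original post: a small Python check run over a trimmed copy of the two proxying nginx server blocks above. It reports TLSv1/TLSv1.1 left enabled, a proxied block that forwards no Host header, and a backend port that the firewall rules also open to clients. The names `SAMPLE`, `server_blocks`, `directives`, `audit` and the `open_ports` parameter (the ports allowed through the firewall) are illustrative.

```python
import re
# Constructed sample: trimmed copy of the two proxying server blocks in the post.
SAMPLE = """
server {
    server_name mysite.com;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    location / {
        proxy_pass https://192.168.178.21:444/;
        proxy_set_header Host $host;
    }
}
server {
    server_name v2.mysite.com;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    location / {
        proxy_pass https://192.168.178.21:447/;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
"""

def server_blocks(conf):
    """Yield the body of each top-level server { ... } block (brace-depth scan)."""
    for m in re.finditer(r"^\s*server\s*\{", conf, re.M):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def directives(body, name):
    """Arguments of every `name ...;` directive in the block, nested ones included."""
    return re.findall(r"^\s*%s\s+([^;]+);" % re.escape(name), body, re.M)

def audit(conf, open_ports=()):
    findings = []
    for body in server_blocks(conf):
        host = (directives(body, "server_name") or ["?"])[0]
        old = {"TLSv1", "TLSv1.1"} & set(" ".join(directives(body, "ssl_protocols")).split())
        if old:  # both versions are deprecated by RFC 8996
            findings.append((host, "legacy protocols enabled: " + " ".join(sorted(old))))
        headers = [a.split()[0].lower() for a in directives(body, "proxy_set_header")]
        for target in directives(body, "proxy_pass"):
            if "host" not in headers:  # nginx then sends the proxy_pass address as Host
                findings.append((host, "no Host header forwarded to " + target))
            port = re.search(r":(\d+)", target.split("//", 1)[-1])
            if port and int(port.group(1)) in open_ports:
                findings.append((host, "backend port %s is also open in the firewall" % port.group(1)))
    return findings
```
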
Subject Author Posted

how would i host more than 2 sites on the same port and IP address?

rveerman January 13, 2021 05:31PM

Re: how would i host more than 2 sites on the same port and IP address?

rveerman January 13, 2021 05:33PM

Re: how would i host more than 2 sites on the same port and IP address?

Francis Daly January 14, 2021 07:18PM

Re: how would i host more than 2 sites on the same port and IP address?

rveerman January 14, 2021 10:40PM


