Differences

This shows you the differences between two versions of the page.

--- debian:proxy-server-debian:reverseproxy-debian [2017/09/19 16:06] – [Hinzufügen der eigenen Virtual-Hosts] michael
+++ debian:proxy-server-debian:reverseproxy-debian [2017/10/27 17:05] (current) – [Bereinigen der Virtual-Hosts] michael
@@ Line 1: / Line 1: @@
 ====== Reverse Proxy Installation auf Debian / Ubuntu ======
-Als Grundlage für den Reverse Proxy wurde ein **Ubuntu 16.04** aufgesetzt. Im folgenden werden alle Schritte nach der fertigen OS Installation zum einrichten des Proxys beschrieben.
+Als Grundlage für den hier zu installierenden Reverse Proxy wurde ein **Ubuntu 16.04** aufgesetzt. Im folgenden werden alle Schritte nach der fertigen OS Installation zum einrichten des Proxys beschrieben.
 **Was ist ein Reverse Proxy?** //Grundsätzlich handelt es sich bei einem Proxy um eine Kommunikationsschnittstelle im Netzwerk, die Anfragen entgegennimmt und stellvertretend an einen Zielrechner weiterleitet. Ein Reverse Proxy wird nun aber meistens als zusätzliche Sicherheitskomponente vor einen oder mehrere Webserver geschaltet, um Anfragen aus dem Internet stellvertretend entgegen-zunehmen und an einen Backend-Server im Hintergrund weiterzuleiten.
@@ Line 11: / Line 11: @@
 </WRAP>
-**[[http://www.fit-pc.com/web/products/ipc3/|Weitere interessante Hardware für standalone Proxies (Falls kein Odroid gebraucht wird)]]**
+**[[http://www.fit-pc.com/web/products/ipc3/|Interessante Hardware für standalone Proxies]]**
 ----
@@ Line 47: / Line 47: @@
 ----
+<WRAP center box 100%>
 ===== Installation der Grundkomponenten =====
 Zu Beginn werden erst einmal alle Grundpakete, welche zum einrichten unseres Proxys gebraut werden installiert. <wrap em>ACHTUNG: Das Paket "''<wrap em>libapache2-mod-proxy-html</wrap>''" ist bei ''<wrap em>Ubuntu 16.04</wrap>'' schon in der Base Installation enthalten!</wrap>
@@ Line 73: / Line 75: @@
 # git clone https://github.com/letsencrypt/letsencrypt
 </code>
+</WRAP>
 ----
 ===== Konfigurieren der Virtual-Hosts =====
-Nun wenn wir die Basis der gebrauchten Pakete installiert haben, können wir im nächsten Schritt die Virtual-Hosts unseres Reverse Proxys definieren. Bei diesem Schritt, ist es **wichtig**, dass wir anfangs nur die //proxy_http.conf// aktivieren, da in der //proxy_http**s**.conf// bereits bei allen Virtual-Host der Zertifikatspfad angegeben ist, würde dies zu einem kritischen Fehler beim restarten des Webservers führen.
+Nun wenn wir die Basis der gebrauchten Pakete installiert haben, können wir im nächsten Schritt die Virtual-Hosts unseres Reverse Proxys definieren. Bei diesem Schritt, ist es **wichtig**, dass wir anfangs nur die //proxy_http.conf// aktivieren, da in der //proxy_http**s**.conf// bereits bei allen Virtual-Host der Zertifikatspfad angegeben ist, würde dies zu einem kritischen Fehler beim restarten des Webservers führen, da zum jetzigen Zeitpunkt noch keine SSL Zertifikate existieren, welche jedoch dort eingebunden würden..
 ==== Bereinigen der Virtual-Hosts ====
@@ Line 93: / Line 97: @@
 <WRAP center box 100%>
 ==== Hinzufügen der eigenen Virtual-Hosts ====
-Nun werden alle nachfolgenden Virtual-Host-files, welche vom Proxy gebrauchten auf das System nach **/etc/apache2/sites-available/** kopiert.
+Nun können auch schon bereits die eigenen Virtual-Host-files, welche später vom Proxy gebraucht werden auf dem System unter **/etc/apache2/sites-available/** erstellt werden.
-<wrap em>//Stand letzte Sicherung der files vom 17.März 2017//</wrap>
+''<wrap em>ACHTUNG: Folgene Virtual-Host sind reine Beispiele und müssen dementsprechend noch durch richtige Domainnamen ergänzt, abgeändert werden.</wrap>''
+''//Alle anzupassenden Zeilen sind Blau markiert! PS: EXAMPLE.COM wird durch eigenen Domain-namen ersetzt!//''
 ----
-=== blackgate.org.conf: ===
+=== EXAMPLE.COM.conf: ===
 <code>
-# vim /etc/apache2/sites-available/blackgate.org.conf
+# vim /etc/apache2/sites-available/EXAMPLE.COM.conf
 </code>
-<sxh bash; first-line: 1>
+<sxh bash; first-line: 1; highlight: [5]>
 <VirtualHost *:80>
-# ServerName blackgate.org
+# ServerName example.com
 ServerName localhost
  #
-   ServerAdmin michael.r467@gmail.com
+   ServerAdmin admin@example.com
    DocumentRoot /var/www/html
  #
@@ Line 124: / Line 130: @@
 </code>
-<sxh bash; first-line: 1>
+<sxh bash; first-line: 1; highlight: [5,7,16,18-26]>
 #------------------------------------------------------------------------------------------------
 #                             REDIRECTION FOR NON EXISTENT SUBDOMAINS
 #------------------------------------------------------------------------------------------------
 <VirtualHost *:80>
-    ServerName blackgate.org
+    ServerName example.com
     RewriteEngine On
-    RewriteRule ^/?(.*) https://www.blackgate.org/$1 [R,L]
+    RewriteRule ^/?(.*) https://www.example.com/$1 [R,L]
 </VirtualHost>
 #------------------------------------------------------------------------------------------------
-<VirtualHost *:80>
-    ServerName plexdash.com
-    RewriteEngine On
-    RewriteRule ^/?(.*) https://www.plexdash.com/$1 [R,L]
-</VirtualHost>
@@ Line 145: / Line 146: @@
 #------------------------------------------------------------------------------------------------
 <VirtualHost *:80>
- ServerName blackgate.org
+ ServerName example.com
  #
-     ServerAdmin michael.r467@gmail.com
+     ServerAdmin admin@example.com
-     ServerAlias www.blackgate.org
+     ServerAlias www.example.com
-     ServerAlias su-login.blackgate.org
-     ServerAlias serv.blackgate.org
-     ServerAlias piwik.blackgate.org
-     ServerAlias plexpy.blackgate.org
+     ServerAlias piwik.example.com
-     ServerAlias plexdash.blackgate.org
+     ServerAlias cloud.example.com
-     ServerAlias emby.blackgate.org
-     ServerAlias stream.blackgate.org
-     ServerAlias request.blackgate.org
-     ServerAlias cloud.blackgate.org
+     ServerAlias wiki.example.com
-     ServerAlias ucloud.blackgate.org
+     ServerAlias test.example.com
-     ServerAlias wiki.blackgate.org
-     ServerAlias index.blackgate.org
-     ServerAlias xxx.blackgate.org
-     ServerAlias test.blackgate.org
      RewriteEngine On
      RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
 </VirtualHost>
-<VirtualHost *:80>
- ServerName plexdash.com
- #
-     ServerAdmin michael.r467@gmail.com
-     ServerAlias www.plexdash.com
-     ServerAlias demo.plexdash.com
-     ServerAlias get.plexdash.com
-     RewriteEngine On
-     RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
-</VirtualHost>
-#------------------------------------------------------------------------------------------------
-#                                       WEITERE DIENSTE
-#------------------------------------------------------------------------------------------------
-<VirtualHost *:80>
- ServerName 83.150.6.68
- #
-     ProxyPreserveHost On
-     ProxyRequests off
-     ProxyPass / http://www.google.ch/
-     ProxyPassReverse / http://www.google.ch/
-</VirtualHost>
-<VirtualHost *:80>
- ServerName test.blackgate.org
- #
-     ProxyPreserveHost On
-     ProxyRequests off
-     ProxyPass / http://192.168.1.21/
-     ProxyPassReverse / http://192.168.1.21/
- # !!!Wenn ohne HTTPS erwünst ist.
- #    <Proxy http://192.168.1.21/>
- #        Require all granted
- #    </Proxy>
-</VirtualHost>
 </sxh>
@@ Line 217: / Line 166: @@
-=== proxy_https_blackgate.conf: ===
+=== proxy_https.conf: ===
 <code>
-# vim /etc/apache2/sites-available/proxy_https_blackgate.conf
+# vim /etc/apache2/sites-available/proxy_https.conf
 </code>
-<sxh bash; first-line: 1>
+<sxh bash; first-line: 1; highlight: [6,7,12,27,38-39,41,48,56-57,61,68,81-82,84,91,102-103,106,112,120-121,123,133,142]>
 <IfModule mod_ssl.c>
+#------------------------------------------------------------------------------------------------
+#                                VARIABLES and GENERAL SETTINGS
+#------------------------------------------------------------------------------------------------
+define blackgate_serveradmin "admin@example.com"
+define blackgate_ssl_path "/etc/letsencrypt/live/blackgate.org-0001"
+SSLCompression off
+SSLUseStapling on
+SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
+SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/dhparam.pem"
+# Requires Apache >= 2.4.11
+SSLSessionTickets Off
+#SSLCipherSuite "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
+SSLCipherSuite "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
+SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
+Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
 #------------------------------------------------------------------------------------------------
 #                                       MAIN SERVICES
 #------------------------------------------------------------------------------------------------
 <VirtualHost *:443>
- ServerName www.blackgate.org
+ ServerName www.example.com
  #
-     ServerAdmin michael.r467@gmail.com
+     ServerAdmin ${blackgate_serveradmin}
      SSLEngine on
-     SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
+     SSLCertificateFile ${blackgate_ssl_path}/cert.pem
-     SSLProtocol All -SSLv2 -SSLv3
+     SSLCertificateKeyFile ${blackgate_ssl_path}/privkey.pem
-     Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
+     SSLCertificateChainFile ${blackgate_ssl_path}/chain.pem
-     SSLCertificateFile /etc/letsencrypt/live/blackgate.org/cert.pem
-     SSLCertificateKeyFile /etc/letsencrypt/live/blackgate.org/privkey.pem
-     SSLCertificateChainFile /etc/letsencrypt/live/blackgate.org/chain.pem
      ProxyPass /error_docs !
      ErrorDocument 503 /error_docs/ServiceUnavailable.html
-     ProxyPass 		/netdata http://192.168.1.23:19999/
+     ProxyPass      / http://192.168.1.21/
-     ProxyPassReverse 	/netdata http://192.168.1.23:19999/
+     ProxyPassReverse   / http://192.168.1.21/
-     ProxyPass 		/ http://192.168.1.21/
-     ProxyPassReverse 	/ http://192.168.1.21/
-     <Proxy http://192.168.1.23:19999/>
-             Order deny,allow
-             Allow from all
-     </Proxy>
      <Proxy http://192.168.1.21/>
              Order deny,allow
@@ Line 259: / Line 218: @@
      </Proxy>
 </VirtualHost>
-<VirtualHost *:443>
-     ServerName su-login.blackgate.org
-     #
-     ServerAdmin michael.r467@gmail.com
-     SSLEngine on
-     SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
-     SSLProtocol All -SSLv2 -SSLv3
-     Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
-     SSLCertificateFile /etc/letsencrypt/live/blackgate.org/cert.pem
-     SSLCertificateKeyFile /etc/letsencrypt/live/blackgate.org/privkey.pem
-     SSLCertificateChainFile /etc/letsencrypt/live/blackgate.org/chain.pem
-     RewriteEngine On
-     RewriteCond %{HTTP:Upgrade} =websocket [NC]
-     RewriteRule /(.*)ws://192.168.1.11:8080/guacamole/$1 [P,L]
-     RewriteCond %{HTTP:Upgrade} !=websocket [NC]
-     RewriteRule /(.*)http://192.168.1.11:8080/guacamole/$1 [P,L]
-     ProxyPass / http://192.168.1.11:8080/guacamole/ flushpackets=On
-     ProxyPassReverse / http://192.168.1.11:8080/guacamole/
-     ProxyPassReverseCookiePath /guacamole /
-     <Proxy *>
-             Order deny,allow
-             Allow from all
-     </Proxy>
-</VirtualHost>
 <VirtualHost *:443>
- ServerName serv.blackgate.org
+ ServerName piwik.example.com
  #
-     ServerAdmin michael.r467@gmail.com
+     ServerAdmin ${blackgate_serveradmin}
      SSLEngine on
-     SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
+     SSLCertificateFile ${blackgate_ssl_path}/cert.pem
-     SSLProtocol All -SSLv2 -SSLv3
+     SSLCertificateKeyFile ${blackgate_ssl_path}/privkey.pem
-     Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
+     SSLCertificateChainFile ${blackgate_ssl_path}/chain.pem
-     SSLCertificateFile /etc/letsencrypt/live/blackgate.org/cert.pem
-     SSLCertificateKeyFile /etc/letsencrypt/live/blackgate.org/privkey.pem
+     ProxyPass / http://192.168.1.11:8080/
-     SSLCertificateChainFile /etc/letsencrypt/live/blackgate.org/chain.pem
+     ProxyPassReverse / http://192.168.1.11:8080/
-     ProxyPass / http://192.168.1.21:5066/
-     ProxyPassReverse / http://192.168.1.21:5066/
+     ProxyPreserveHost On
-     <Proxy http://192.168.1.21:5066/>
+     <Proxy http://192.168.1.11:8080/>
              Order deny,allow
              Allow from all
      </Proxy>
 </VirtualHost>
 <VirtualHost *:443>
- ServerName piwik.blackgate.org
+ ServerName cloud.example.com
  #
-     ServerAdmin michael.r467@gmail.com
+     ServerAdmin ${blackgate_serveradmin}
      SSLEngine on
-     SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
+     SSLCertificateFile ${blackgate_ssl_path}/cert.pem
-     SSLProtocol All -SSLv2 -SSLv3
+     SSLCertificateKeyFile ${blackgate_ssl_path}/privkey.pem
-     Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
+     SSLCertificateChainFile ${blackgate_ssl_path}/chain.pem
-     SSLCertificateFile /etc/letsencrypt/live/blackgate.org/cert.pem
-     SSLCertificateKeyFile /etc/letsencrypt/live/blackgate.org/privkey.pem
-     SSLCertificateChainFile /etc/letsencrypt/live/blackgate.org/chain.pem
-     ProxyPass / http://127.0.0.1/
-     ProxyPassReverse / http://127.0.0.1/
-     <Proxy http://127.0.0.1/>
-             Order deny,allow
-             Allow from all
-     </Proxy>
-</VirtualHost>
-<VirtualHost *:443>
- ServerName emby.blackgate.org
- #
-     ServerAdmin michael.r467@gmail.com
-     SSLEngine on
-     SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
-     SSLProtocol All -SSLv2 -SSLv3
-     Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
-     SSLCertificateFile /etc/letsencrypt/live/blackgate.org/cert.pem
-     SSLCertificateKeyFile /etc/letsencrypt/live/blackgate.org/privkey.pem
-     SSLCertificateChainFile /etc/letsencrypt/live/blackgate.org/chain.pem
-     ProxyPass / http://192.168.1.19:8096/
-     ProxyPassReverse / http://192.168.1.19:8096/
-     <Proxy http://192.168.1.19:8096/>
-             Order deny,allow
-             Allow from all
-     </Proxy>
-</VirtualHost>
-#------------------------------------------------------------------------------------------------
-#                                       PLEX SERVICES
-#------------------------------------------------------------------------------------------------
-<VirtualHost *:443>
- ServerName plexpy.blackgate.org
- #
-     ServerAdmin michael.r467@gmail.com
-     SSLEngine on
-     SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
-     SSLProtocol All -SSLv2 -SSLv3
-     Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
-     SSLCertificateFile /etc/letsencrypt/live/blackgate.org/cert.pem
-     SSLCertificateKeyFile /etc/letsencrypt/live/blackgate.org/privkey.pem
-     SSLCertificateChainFile /etc/letsencrypt/live/blackgate.org/chain.pem
-     ProxyPass / http://192.168.1.23:8181/
-     ProxyPassReverse / http://192.168.1.23:8181/
-     <Proxy http://192.168.1.23:8181/>
-             Order deny,allow
-             Allow from all
-     </Proxy>
-</VirtualHost>
-<VirtualHost *:443>
- ServerName plexdash.blackgate.org
- #
-     ServerAdmin michael.r467@gmail.com
-     SSLEngine on
-     SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
-     SSLProtocol All -SSLv2 -SSLv3
-     Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
-     SSLCertificateFile /etc/letsencrypt/live/blackgate.org/cert.pem
-     SSLCertificateKeyFile /etc/letsencrypt/live/blackgate.org/privkey.pem
-     SSLCertificateChainFile /etc/letsencrypt/live/blackgate.org/chain.pem
-     ProxyPass / http://192.168.1.23/plexDash/
-     ProxyPassReverse / http://192.168.1.23/plexDash/
-</VirtualHost>
-<VirtualHost *:443>
- ServerName request.blackgate.org
- #
-     ServerAdmin michael.r467@gmail.com
-     SSLEngine on
-     SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
-     SSLProtocol All -SSLv2 -SSLv3
-     Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
-     SSLCertificateFile /etc/letsencrypt/live/blackgate.org/cert.pem
-     SSLCertificateKeyFile /etc/letsencrypt/live/blackgate.org/privkey.pem
-     SSLCertificateChainFile /etc/letsencrypt/live/blackgate.org/chain.pem
-     ProxyPass / http://192.168.1.23:3000/
-     ProxyPassReverse / http://192.168.1.23:3000/
-     <Proxy http://192.168.1.23:3000/>
-             Order deny,allow
-             Allow from all
-     </Proxy>
-</VirtualHost>
-<VirtualHost *:443>
- ServerName stream.blackgate.org
- #
-     ServerAdmin michael.r467@gmail.com
-     Options -Includes -ExecCGI
-     LimitRequestBody 512000
-     SSLEngine on
-     SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
-     SSLProtocol All -SSLv2 -SSLv3 +TLSv1.2
-     Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
-     Header always set X-Frame-Options DENY
-     FileETag None
-     TraceEnable off
-     Header set X-XSS-Protection "1; mode=block"
-     Timeout 60
-     SSLCertificateFile /etc/letsencrypt/live/blackgate.org/cert.pem
-     SSLCertificateKeyFile /etc/letsencrypt/live/blackgate.org/privkey.pem
-     SSLCertificateChainFile /etc/letsencrypt/live/blackgate.org/chain.pem
-     <Location /:/websockets/notifications>
-        ProxyPass wss://192.168.1.23:32400/:/websockets/notifications
-        ProxyPassReverse wss://192.168.1.23:32400/:/websockets/notifications
-     </Location>
-     <Proxy *>
-        Order deny,allow
-        Allow from all
-     </Proxy>
-     ProxyRequests Off
      ProxyPreserveHost On
-     SSLProxyEngine On
-     RequestHeader set Front-End-Https "On"
-     ProxyPass / http://192.168.1.23:32400/
-     ProxyPassReverse / http://192.168.1.23:32400/
-</VirtualHost>
-#------------------------------------------------------------------------------------------------
-#                                       CLOUD SERVICES
-#------------------------------------------------------------------------------------------------
-<VirtualHost *:443>
- ServerName cloud.blackgate.org
- #
-     ServerAdmin michael.r467@gmail.com
-     SSLEngine on
-     SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
-     SSLProtocol All -SSLv2 -SSLv3
-     Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
-     SSLCertificateFile /etc/letsencrypt/live/blackgate.org/cert.pem
-     SSLCertificateKeyFile /etc/letsencrypt/live/blackgate.org/privkey.pem
-     SSLCertificateChainFile /etc/letsencrypt/live/blackgate.org/chain.pem
      ProxyPass /error_docs !
      ErrorDocument 503 /error_docs/ServiceUnavailable.html
-     ProxyPass / http://192.168.1.24/ retry=1 acquire=3000 Timeout=5400 Keepalive=On
+     ProxyPass / http://192.168.1.24/ retry=1 acquire=3000 Timeout=5400 Keepalive=On flushpackets=On
      ProxyPassReverse / http://192.168.1.24/
      <Proxy http://192.168.1.24/>
              Order deny,allow
@@ Line 467: / Line 261: @@
      </Proxy>
 </VirtualHost>
 <VirtualHost *:443>
- ServerName office.blackgate.org:443
+ ServerName wiki.example.com
  #
-     ServerAdmin michael.r467@gmail.com
+     ServerAdmin ${blackgate_serveradmin}
      SSLEngine on
-     SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
+     SSLCertificateFile ${blackgate_ssl_path}/cert.pem
+     SSLCertificateKeyFile ${blackgate_ssl_path}/privkey.pem
-     SSLHonorCipherOrder on
+     SSLCertificateChainFile ${blackgate_ssl_path}/chain.pem
-     SSLProtocol All -SSLv2 -SSLv3
-     Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
+     ProxyPass /error_docs !
-     SSLCertificateFile /etc/letsencrypt/live/blackgate.org/cert.pem
+     ErrorDocument 503 /error_docs/ServiceUnavailable.html
-     SSLCertificateKeyFile /etc/letsencrypt/live/blackgate.org/privkey.pem
-     SSLCertificateChainFile /etc/letsencrypt/live/blackgate.org/chain.pem
-     # Encode Slashes
-     AllowEncodedSlashes On
-     # No SSL-Cert validation!
-     SSLProxyEngine On
-     SSLProxyVerify None
-     SSLProxyCheckPeerCN off
-     SSLProxyCheckPeerName off
-     # keep host name
-     ProxyPreserveHost On
-     ProxyPass           / https://192.168.1.24:9980/
-     ProxyPassReverse    / https://192.168.1.24:9980/
-     # static html, js, images, etc. served from loolwsd
-     # loleaflet is the client part of LibreOffice Online
-     ProxyPass           /loleaflet https://192.168.1.24:9980/loleaflet retry=0
-     ProxyPassReverse    /loleaflet https://192.168.1.24:9980/loleaflet
-     # WOPI discovery URL
-     ProxyPass           /hosting/discovery https://192.168.1.24:9980/hosting/discovery retry=0
-     ProxyPassReverse    /hosting/discovery https://192.168.1.24:9980/hosting/discovery
-     # Main websocket
-     ProxyPassMatch "/lool/(.*)/ws$" wss://192.168.1.24:9980/lool/$1/ws
-     # Admin Console websocket
-     ProxyPass   /lool/adminws wss://192.168.1.24:9980/lool/adminws
-     # Download as, Fullscreen presentation and Image upload operations
-     ProxyPass           /lool https://192.168.1.24:9980/lool
-     ProxyPassReverse    /lool https://192.168.1.24:9980/lool
-</VirtualHost>
-<VirtualHost *:443>
- ServerName ucloud.blackgate.org
- #
-     ServerAdmin michael.r467@gmail.com
-     SSLEngine on
-     SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
-     SSLProtocol All -SSLv2 -SSLv3
-     Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
-     SSLCertificateFile /etc/letsencrypt/live/blackgate.org/cert.pem
-     SSLCertificateKeyFile /etc/letsencrypt/live/blackgate.org/privkey.pem
-     SSLCertificateChainFile /etc/letsencrypt/live/blackgate.org/chain.pem
-     ProxyPass / http://192.168.1.12/ retry=1 acquire=3000 Timeout=5400 Keepalive=On
-     ProxyPassReverse / http://192.168.1.12/
-     <Proxy http://192.168.1.12/>
-             Order deny,allow
-             Allow from all
-     </Proxy>
-</VirtualHost>
-#------------------------------------------------------------------------------------------------
-#                                       OTHER SERVICES
-#------------------------------------------------------------------------------------------------
-<VirtualHost *:443>
- ServerName xxx.blackgate.org
- #
-     ServerAdmin michael.r467@gmail.com
-     SSLEngine on
-     SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
-     SSLProtocol All -SSLv2 -SSLv3
-     Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
-     SSLCertificateFile /etc/letsencrypt/live/blackgate.org/cert.pem
-     SSLCertificateKeyFile /etc/letsencrypt/live/blackgate.org/privkey.pem
-     SSLCertificateChainFile /etc/letsencrypt/live/blackgate.org/chain.pem
-     ProxyPass / http://192.168.1.14/ retry=1 acquire=3000 Timeout=7200 Keepalive=On flushpackets=On
-     ProxyPassReverse / http://192.168.1.14/
-     <Proxy http://192.168.1.14/>
-             Order deny,allow
-             Allow from all
-     </Proxy>
-</VirtualHost>
-<VirtualHost *:443>
- ServerName index.blackgate.org
- #
-     ServerAdmin michael.r467@gmail.com
-     SSLEngine on
-     SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
-     SSLProtocol All -SSLv2 -SSLv3
-     Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
-     SSLCertificateFile /etc/letsencrypt/live/blackgate.org/cert.pem
-     SSLCertificateKeyFile /etc/letsencrypt/live/blackgate.org/privkey.pem
-     SSLCertificateChainFile /etc/letsencrypt/live/blackgate.org/chain.pem
-     ProxyPass / http://192.168.1.7/
-     ProxyPassReverse / http://192.168.1.7/
-</VirtualHost>
-<VirtualHost *:443>
- ServerName wiki.blackgate.org
- #
-     ServerAdmin michael.r467@gmail.com
-     SSLEngine on
-     SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
-     SSLProtocol All -SSLv2 -SSLv3
-     Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
-     SSLCertificateFile /etc/letsencrypt/live/blackgate.org/cert.pem
-     SSLCertificateKeyFile /etc/letsencrypt/live/blackgate.org/privkey.pem
-     SSLCertificateChainFile /etc/letsencrypt/live/blackgate.org/chain.pem
      ProxyPass / http://192.168.1.10/
      ProxyPassReverse / http://192.168.1.10/
+     ProxyPreserveHost On
      <Proxy http://192.168.1.10/>
-             Order deny,allow
+          Require all granted
-             Allow from all
      </Proxy>
 </VirtualHost>
 <VirtualHost *:443>
- ServerName test.blackgate.org
+ ServerName test.example.com
  #
-     ServerAdmin michael.r467@gmail.com
+     ServerAdmin ${blackgate_serveradmin}
      SSLEngine on
-     SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
+     SSLCertificateFile ${blackgate_ssl_path}/cert.pem
-     SSLProtocol All -SSLv2 -SSLv3
+     SSLCertificateKeyFile ${blackgate_ssl_path}/privkey.pem
-     Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
+     SSLCertificateChainFile ${blackgate_ssl_path}/chain.pem
-     SSLCertificateFile /etc/letsencrypt/live/blackgate.org/cert.pem
-     SSLCertificateKeyFile /etc/letsencrypt/live/blackgate.org/privkey.pem
+     ProxyPass / http://192.168.1.15/ retry=1 acquire=3000 Timeout=7200 Keepalive=On flushpackets=On
-     SSLCertificateChainFile /etc/letsencrypt/live/blackgate.org/chain.pem
+     ProxyPassReverse / http://192.168.1.15/
-     ProxyPass / http://192.168.1.26/
-     ProxyPassReverse / http://192.168.1.26/
+     <Proxy http://192.168.1.15/>
-</VirtualHost>
-<VirtualHost *:443>
- ServerName demo.blackgate.org
- #
-     ServerAdmin michael.r467@gmail.com
-     SSLEngine on
-     SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
-     SSLProtocol All -SSLv2 -SSLv3
-     Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
-     SSLCertificateFile /etc/letsencrypt/live/blackgate.org/cert.pem
-     SSLCertificateKeyFile /etc/letsencrypt/live/blackgate.org/privkey.pem
-     SSLCertificateChainFile /etc/letsencrypt/live/blackgate.org/chain.pem
-     ProxyPass / http://google.ch/
-     ProxyPassReverse / http://google.ch/
-     <Proxy *>
              Order deny,allow
              Allow from all
      </Proxy>
+     #ProxyPassReverseCookiePath /guacamole /
 </VirtualHost>
 #<VirtualHost *:443>
-#     ServerAlias *.blackgate.org
+#     ServerAlias *.example.com
 #     SSLEngine on
 #     SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
@@ Line 635: / Line 314: @@
 #     SSLCertificateChainFile /etc/letsencrypt/live/blackgate.org/chain.pem
 #     RewriteEngine On
-#     Redirect 301 / https://www.blackgate.org
+#     Redirect 301 / https://www.example.com
 #</VirtualHost>
 </IfModule>
 # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
@@ Line 646: / Line 325: @@
 ----
-=== proxy_https_plexdash.conf: ===
-<code>
-# vim proxy_https_plexdash.conf
-</code>
-<sxh bash; first-line: 1>
-#------------------------------------------------------------------------------------------------
-#                                       MAIN SERVICES
-#------------------------------------------------------------------------------------------------
-<VirtualHost *:443>
- ServerName www.plexdash.com
- #
-     ServerAdmin michael.r467@gmail.com
-     SSLEngine on
-     SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
-     SSLProtocol All -SSLv2 -SSLv3
-     Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
-     SSLCertificateFile /etc/letsencrypt/live/plexdash.com/cert.pem
-     SSLCertificateKeyFile /etc/letsencrypt/live/plexdash.com/privkey.pem
-     SSLCertificateChainFile /etc/letsencrypt/live/plexdash.com/chain.pem
-     ProxyPass /error_docs !
-     ErrorDocument 503 /error_docs/ServiceUnavailable.html
-     ProxyPass          / http://192.168.1.22/
-     ProxyPassReverse   / http://192.168.1.22/
-     <Proxy http://192.168.1.22/>
-             Order deny,allow
-             Allow from all
-     </Proxy>
-</VirtualHost>
-<VirtualHost *:443>
- ServerName demo.plexdash.com
- #
-     ServerAdmin michael.r467@gmail.com
-     SSLEngine on
-     SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
-     SSLProtocol All -SSLv2 -SSLv3
-     Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
-     SSLCertificateFile /etc/letsencrypt/live/plexdash.com/cert.pem
-     SSLCertificateKeyFile /etc/letsencrypt/live/plexdash.com/privkey.pem
-     SSLCertificateChainFile /etc/letsencrypt/live/plexdash.com/chain.pem
-     ProxyPass /error_docs !
-     ErrorDocument 503 /error_docs/ServiceUnavailable.html
-     ProxyPass          /netdata http://192.168.1.23:19999/
-     ProxyPassReverse   /netdata http://192.168.1.23:19999/
-     ProxyPass          / http://192.168.1.22/_pD-demo/
-     ProxyPassReverse   / http://192.168.1.22/_pD-demo/
-     <Proxy http://192.168.1.23:19999/>
-             Order deny,allow
-             Allow from all
-     </Proxy>
-     <Proxy http://192.168.1.22/>
-             Order deny,allow
-             Allow from all
-     </Proxy>
-</VirtualHost>
-<VirtualHost *:443>
- ServerName dev.plexdash.com
- #
-     ServerAdmin michael.r467@gmail.com
-     SSLEngine on
-     SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
-     SSLProtocol All -SSLv2 -SSLv3
-     Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
-     SSLCertificateFile /etc/letsencrypt/live/plexdash.com/cert.pem
-     SSLCertificateKeyFile /etc/letsencrypt/live/plexdash.com/privkey.pem
-     SSLCertificateChainFile /etc/letsencrypt/live/plexdash.com/chain.pem
-     ProxyPass /error_docs !
-     ErrorDocument 503 /error_docs/ServiceUnavailable.html
-     ProxyPass          /netdata http://192.168.1.23:19999/
-     ProxyPassReverse   /netdata http://192.168.1.23:19999/
-     ProxyPass          / http://192.168.1.22/_pD-dev/
-     ProxyPassReverse   / http://192.168.1.22/_pD-dev/
-     <Proxy http://192.168.1.23:19999/>
-             Order deny,allow
-             Allow from all
-     </Proxy>
-     <Proxy http://192.168.1.22/>
-             Order deny,allow
-             Allow from all
-     </Proxy>
-</VirtualHost>
-<VirtualHost *:443>
- ServerName get.plexdash.com
- #
-     ServerAdmin michael.r467@gmail.com
-     SSLEngine on
-     SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
-     SSLProtocol All -SSLv2 -SSLv3
-     Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
-     SSLCertificateFile /etc/letsencrypt/live/plexdash.com/cert.pem
-     SSLCertificateKeyFile /etc/letsencrypt/live/plexdash.com/privkey.pem
-     SSLCertificateChainFile /etc/letsencrypt/live/plexdash.com/chain.pem
-     ProxyPass /error_docs !
-     ErrorDocument 503 /error_docs/ServiceUnavailable.html
-     ProxyPass          / http://192.168.1.22/_buy/
-     ProxyPassReverse   / http://192.168.1.22/_buy/
-     <Proxy http://192.168.1.22/>
-             Order deny,allow
-             Allow from all
-     </Proxy>
-</VirtualHost>
-</sxh>
-----
 === letsencript_dummy.conf: ===
@@ Line 776: / Line 332: @@
 </code>
-<sxh bash; first-line: 1>
+<sxh bash; first-line: 1; highlight: [2,4,6-12]>
 <VirtualHost *:80>
- ServerName blackgate.org
+ ServerName example.com
  #
-     ServerAdmin michael.r467@gmail.com
+     ServerAdmin admin@example.com
-     ServerAlias www.blackgate.org
+     ServerAlias www.example.com
-     ServerAlias su-login.blackgate.org
-     ServerAlias serv.blackgate.org
+     ServerAlias piwik.example.com
-     ServerAlias piwik.blackgate.org
+     ServerAlias cloud.example.com
-     ServerAlias plexpy.blackgate.org
-     ServerAlias plexdash.blackgate.org
-     ServerAlias emby.blackgate.org
-     ServerAlias stream.blackgate.org
-     ServerAlias request.blackgate.org
-     ServerAlias cloud.blackgate.org
-     ServerAlias office.blackgate.org
-     ServerAlias ucloud.blackgate.org
-     ServerAlias wiki.blackgate.org
+     ServerAlias wiki.example.com
-     ServerAlias index.blackgate.org
+     ServerAlias test.example.com
-     ServerAlias xxx.blackgate.org
-     ServerAlias test.blackgate.org
    DocumentRoot /var/www/html
@@ Line 833: / Line 377: @@
 <code>
-# ./letsencrypt-auto certonly --rsa-key-size 4096 -d blackgate.org -d xxx.blackgate.org -d cloud.blackgate.org -d su-login.blackgate.org -d plexpy.blackgate.org -d wiki.blackgate.org -d serv.blackgate.org -d www.blackgate.org -d stream.blackgate.org -d emby.blackgate.org -d request.blackgate.org -d index.blackgate.org -d ucloud.blackgate.org -d piwik.blackgate.org -d plexdash.blackgate.org -d test.blackgate.org
+# ./letsencrypt-auto certonly --rsa-key-size 4096 -d example.com -d www.example.com -d piwik.example.com -d cloud.example.com -d wiki.example.com -d test.example.com
 </code>
@@ Line 877: / Line 421: @@
 # a2dissite letsencript_dummy.conf
-# a2ensite blackgate.org.conf
+# a2ensite EXAMPLE.COM.conf
 # a2ensite proxy_http.conf
-# a2ensite proxy_https_blackgate.conf
+# a2ensite proxy_https.conf
 </code>
@@ Line 979: / Line 523: @@
   - Zum letsencript Binary wechseln und den letzten certonly Befehl //(Suchen mit CTRL + R)// mit der am Schluss neu angehängter Domain z.B. "**-d NEU-SUBDOM.DOMAIN.COM**" ausführen. <code>
 # cd /opt/letsencrypt/
-# ./letsencrypt-auto certonly --rsa-key-size 4096 -d blackgate.org -d xxx.blackgate.org -d cloud.blackgate.org -d su-login.blackgate.org -d plexpy.blackgate.org -d wiki.blackgate.org -d serv.blackgate.org -d www.blackgate.org -d stream.blackgate.org -d emby.blackgate.org -d request.blackgate.org -d index.blackgate.org -d ucloud.blackgate.org -d proxy.blackgate.org -d plexdash.blackgate.org -d test.blackgate.org -d piwik.blackgate.org
+# ./letsencrypt-auto certonly --rsa-key-size 4096 -d example.com -d www.example.com -d piwik.example.com -d cloud.example.com -d wiki.example.com -d test.example.com -d new1.example.com -d new2.example.com
 </code>
   - Zum Schluss muss noch der Apache Service neu geladen werden, damit das neue Zertifikat angezogen wird. <code>