Multidomains on Linux 2023 – Amazon AWS
Configure Multidomains on Linux 2023
Remember that the CAA DNS record is for either the paid certificate's CA or Let's Encrypt.
Let's Encrypt uses:
CAA 0 issue "letsencrypt.org". Another provider likely will not want the double quotation marks.
Comodo uses: CAA 0 issue "sectigo.org".
If creating a subdomain in Amazon Route53:
Create a new hosted zone in your DNS records for the subdomain's name, e.g. app.mydomain.com, and point its A record to the IP address of the primary. (Some articles suggest using a CNAME, but don't.) Add your CAA record, and a CNAME record for www.app.mydomain.com.
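As an added example (not from the page), the three records above expressed as the change batch that `aws route53 change-resource-record-sets` accepts, with the checks a reviewer would apply before submitting it: no CNAME at the zone apex (the reason the subdomain itself gets an A record) and a CAA value in the quoted form Route53 stores. The zone name and the 203.0.113.10 address are constructed placeholders.

```python
import re

# Constructed values for this example (not from the page): the subdomain's
# hosted zone and the instance's single static address.
ZONE = "app.mydomain.com"
PRIMARY_IP = "203.0.113.10"

# Route53 stores CAA as: flags tag "value" (the quotes are part of the value).
CAA_VALUE_RE = re.compile(r'^(0|128) (issue|issuewild|iodef) "[^"]+"$')

def validate_record(zone, name, rtype, value):
    """Return None if the record is acceptable for the hosted zone, else a reason.
    A CNAME at the zone apex is rejected because the apex already carries SOA
    and NS records and a CNAME cannot coexist with them; that is why the
    subdomain itself gets an A record pointing at the primary's IP."""
    if rtype == "CNAME" and name == zone:
        return "CNAME is not allowed at the zone apex; use an A record"
    if rtype == "CAA" and not CAA_VALUE_RE.match(value):
        return f'malformed CAA value {value!r}; expected e.g. 0 issue "letsencrypt.org"'
    if rtype == "A" and not re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", value):
        return f"A record needs an IPv4 address, got {value!r}"
    return None

def change_batch(zone, records, ttl=300):
    """Build the ChangeBatch for aws route53 change-resource-record-sets from
    (name, type, value) tuples, refusing the whole batch if any record is bad."""
    problems = [f"{n} {t}: {why}" for n, t, v in records
                if (why := validate_record(zone, n, t, v))]
    if problems:
        raise ValueError("; ".join(problems))
    return {"Changes": [{"Action": "UPSERT", "ResourceRecordSet": {
        "Name": n, "Type": t, "TTL": ttl, "ResourceRecords": [{"Value": v}]}}
        for n, t, v in records]}

# The three records the Route53 steps above call for.
SUBDOMAIN_RECORDS = [
    (ZONE, "A", PRIMARY_IP),
    (ZONE, "CAA", '0 issue "letsencrypt.org"'),
    (f"www.{ZONE}", "CNAME", ZONE),
]
```

Write the returned dict to a file and pass it with --change-batch file://records.json once the hosted zone exists.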
Please see my article on Let's Encrypt certbot certificates if using them. Otherwise, we use a pre-purchased and verified SSL certificate installed via ssl.conf under /etc/pki/tls/certs and /etc/pki/tls/private, e.g. mydomain_com.crt (edited to include the bundle but no root certificate, as SSL Labs will identify a root in the chain as a mistake) and mydomain_com.key.
We will edit /etc/httpd/conf/httpd.conf and /etc/httpd/conf.d/ssl.conf. One may have several domains, such as example.com and mydomain.com and so forth.
In all examples, be careful to use your own domain name and nominated root directory.
e.g., a subdirectory for your second domain name example.com could be under /var/www/example.com. There would be the ONE static IP address for the whole instance, and the domains all using their own A record to that one IP address. Note: you cannot add multiple domains to services using cPanel. They will only configure subdomains.
Edit /etc/httpd/conf/httpd.conf as follows:
# Append these to the end of the file, using your own modifications
cd /etc/httpd/conf
vi httpd.conf

# Name-based virtual host for the secondary domain on port 80
<VirtualHost *:80>
    ServerName example.com
    <Directory />
        AllowOverride none
        Require all denied
    </Directory>
    DocumentRoot "/var/www/example.com"
    <Directory "/var/www">
        AllowOverride None
        # Allow open access:
        Require all granted
    </Directory>
    <Directory "/var/www/example.com">
        # Indexes enables directory listing; drop it if the root is not meant to be browsable
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
    DirectoryIndex index.php index.html
    <Files ".ht*">
        Require all denied
    </Files>
    ErrorLog "logs/example.com_error_log"
    LogLevel warn
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    <IfModule logio_module>
        LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>
    CustomLog "logs/access_log" combined
    # TypesConfig is valid only at server level and is inherited from the main
    # config, so it is not repeated inside the virtual host.
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
    AddDefaultCharset UTF-8
    <IfModule mime_magic_module>
        MIMEMagicFile conf/magic
    </IfModule>
    EnableSendfile on
    IncludeOptional example.com.conf.d/*.conf
</VirtualHost>
[save and exit]
I did not see any need to have other generic .conf files loaded, but if needed, it would go in this stanza similar to the normal stanza for the primary domain.
Now edit the /etc/httpd/conf.d/ssl.conf file as follows. Add this stanza (and any others) immediately below the primary domain name section at the top of the file. I used typical SSL file naming from the Comodo store and in this case am not using certbot. You could experiment with that.
cd /etc/httpd/conf.d
vi ssl.conf

# Port 80 virtual host for the secondary domain: send everything to HTTPS.
# Redirect alone is enough; the RewriteRule lines are certbot's form of the same redirect.
<VirtualHost *:80>
    ServerName example.com
    Redirect permanent / https://example.com/
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =example.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

# Then, append to this same file at the bottom:
<VirtualHost *:443>
    ServerName example.com:443
    DocumentRoot /var/www/example.com
    <Directory /var/www/example.com>
        Options None FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
    ErrorLog logs/ssl_error_log
    TransferLog logs/example.com_ssl_access_log
    LogLevel warn

    SSLEngine on
    # TLSv1.3 is not enabled by this line; add +TLSv1.3 if the OpenSSL build supports it
    SSLProtocol -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
    SSLProxyProtocol -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    SSLProxyCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
    SSLHonorCipherOrder on
    # The stock "SSLCipherSuite PROFILE=SYSTEM" and "SSLProxyCipherSuite PROFILE=SYSTEM"
    # lines must not follow the explicit lists above: the last such directive in the
    # virtual host wins and would silently replace them.
    SSLCompression off
    SSLInsecureRenegotiation Off
    SSLSessionTickets Off
    SSLOpenSSLConfCmd ECDHParameters secp384r1
    SSLOpenSSLConfCmd Curves secp384r1
    SSLCertificateFile /etc/pki/tls/certs/example_com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/example_com.key

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch "MSIE [2-5]" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0

    CustomLog logs/example.com_ssl_request_log \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
[save and exit]
That’s it! Restart with systemctl restart httpd.
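Before restarting, a small added check (not from the page) that reads the virtual hosts in an ssl.conf body and flags the settings worth verifying in the stanza above: legacy protocols not disabled, compression or session tickets left on, and an SSLCipherSuite line repeated inside one virtual host, where Apache applies only the last one (a stock PROFILE=SYSTEM line left below the explicit list silently replaces it). The embedded sample is constructed to show that last case.

```python
import re
# Constructed sample (not the page's file verbatim) mirroring the ssl.conf
# stanza, with a stock PROFILE=SYSTEM line left after the explicit cipher list.
SAMPLE_SSL_CONF = """
<VirtualHost *:443>
    ServerName example.com:443
    SSLProtocol -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
    SSLHonorCipherOrder on
    SSLCipherSuite PROFILE=SYSTEM
    SSLCompression off
    SSLSessionTickets Off
</VirtualHost>
"""
VHOST_RE = re.compile(r"<VirtualHost\s+[^>]+>(.*?)</VirtualHost>", re.S | re.I)
LEGACY_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")

def parse_vhosts(text):
    """Map each vhost's ServerName to {directive: [values in file order]}; section tags are skipped."""
    vhosts = {}
    for body in VHOST_RE.findall(text):
        directives = {}
        for raw in body.splitlines():
            line = raw.strip()
            if not line or line[0] in "#<":
                continue
            name, _, value = line.partition(" ")
            directives.setdefault(name, []).append(value.strip())
        vhosts[directives.get("ServerName", ["?"])[0]] = directives
    return vhosts

def lint_vhost(d):
    """Return the TLS findings for one vhost; an empty list means it is clean."""
    findings = []
    tokens = " ".join(d.get("SSLProtocol", [])).split()
    disabled = {t[1:] for t in tokens if t.startswith("-")}
    for proto in LEGACY_PROTOCOLS:
        if proto not in disabled:
            findings.append(f"SSLProtocol does not disable {proto}")
    suites = d.get("SSLCipherSuite", [])
    if len(suites) > 1:  # Apache keeps only the last one set in the vhost
        findings.append(f"SSLCipherSuite set {len(suites)} times; effective value is {suites[-1]}")
    for name in ("SSLCompression", "SSLSessionTickets"):
        if [v.lower() for v in d.get(name, [])][-1:] != ["off"]:
            findings.append(f"{name} is not off")
    return findings

def lint_conf(text):
    """Lint every <VirtualHost> in an ssl.conf body, keyed by ServerName."""
    return {name: lint_vhost(d) for name, d in parse_vhosts(text).items()}
```

Run lint_conf on the contents of /etc/httpd/conf.d/ssl.conf; an empty list per ServerName is the result to expect before systemctl restart httpd.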
You will have configured your secondary error log names accordingly in the configs above; they are written under /etc/httpd/logs.
While testing your multidomains, you could have a simple index.html file with apache ownership and 644 permissions. If using certbot, the http and https ports must be open to the world. If testing a paid SSL certificate, you can of course stop httpd and restart it after the configs are done.