Hello everybody
Virtualmin is, IMHO, the best open-source solution for managing virtual servers.
I currently have a few VPSs with the same configuration, managing dozens of domains for customers, mainly for WordPress websites: Ubuntu 14.04 LAMP with Apache 2.4.7 php-fpm mod_event and Varnish 4.0.1.
It’s a very stable configuration, allowing all the goodies of Apache as an application server and Varnish as a very fast cache for HTTP connections.
However, the internet world is changing and now HTTPS begins to become the standard, especially with Chrome 56 already telling visitors that HTTP is unsafe. So HTTPS is the way to go.
And (kudos for that), Virtualmin already integrates beautifully with LetsEncrypt, allowing SSL certificates for virtual servers in an easy and straightforward way, configuring Apache for HTTPS. And everything works.
However, when running HTTPS, one loses the benefits of Varnish, since it doesn’t support secure connections, thus having Apache doing all the hard work.
I’ve seen a few workarounds for that, by installing proxies to forward HTTPS to Varnish in HTTP (nginx, HAProxy, Pound, Squid or Apache).
The simplest way, since it does not require a new piece of software, is to go for Apache.
And I found a configuration that does just that, thanks to DavidBU (see his solution here: http://davidbu.ch/mann/blog/2015-03-20/varnish-and-https-apache.html , it’s quite well explained).
Essentially, one gets a virtual server configuration like this (assuming Varnish is listening on port 80):

    # /etc/apache2/sites-available/example.com-ssl
    <VirtualHost *:443>
        ServerName www.example.com
        # Terminate TLS here and hand the request to Varnish over plain HTTP on loopback
        ProxyPreserveHost On
        ProxyPass / http://127.0.0.1:80/
        # Tell the backend that the original request arrived over HTTPS
        RequestHeader set X-Forwarded-Port "443"
        RequestHeader set X-Forwarded-Proto "https"
        SSLEngine On
        SSLCertificateFile /etc/apache2/ssl/example.com.crt
        SSLCertificateKeyFile /etc/apache2/ssl/example.com.key
        SSLCertificateChainFile /etc/apache2/ssl/example.com.chain
    </VirtualHost>

That would be perfect, but it has to be done manually on each virtual server, since, per the present Virtualmin configuration, the default HTTPS configuration per virtual server is something like this:
SuexecUserGroup xxx xxxxx
ServerName server.domain.tld
… (plus a lot of stuff related to directory indexes, document root, autoconfiguration, awstats and webmin and virtualmin access) …
SSLEngine on
SSLCertificateFile /home/“server”/ssl.cert
SSLCertificateKeyFile /home/“server”/ssl.key
My question is: is it possible to have Virtualmin configure Apache as an HTTPS proxy and correctly identify the SSL certificate for each virtual server domain, thus allowing HTTPS with Varnish? If so, where can I change it and prevent it from being overwritten in a Virtualmin upgrade?
Thanks in advance and best regards
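
Added example, not part of the original post and not code from Virtualmin or the linked blog: a small Python check that a TLS-terminating Apache virtual server like the one in the post hands requests to the cache safely (loopback-only backend, original Host preserved, `X-Forwarded-Proto` forced with `set`). The function names and both sample configurations are constructed for illustration; the first sample mirrors the directives quoted in the post.

```python
import re
from urllib.parse import urlsplit
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def parse_directives(conf_text):
    """Return (lowercased name, [args]) per directive; skip comments and <Container> lines."""
    lines = [ln.strip() for ln in conf_text.splitlines()]
    toks = [re.findall(r'"[^"]*"|\S+', ln) for ln in lines if ln and not ln.startswith(("#", "<"))]
    return [(t[0].lower(), [p.strip('"') for p in t[1:]]) for t in toks]

def audit_tls_proxy_vhost(conf_text):
    """List problems in a vhost that terminates TLS and proxies to a local HTTP cache."""
    d = parse_directives(conf_text)
    first = lambda name: next((a for n, a in d if n == name), [])
    findings = []
    if [v.lower() for v in first("sslengine")] != ["on"]:
        findings.append("SSLEngine is not on")
    for name in ("sslcertificatefile", "sslcertificatekeyfile"):
        if not first(name):
            findings.append(name + " is missing")
    target = first("proxypass")[1:2]
    host = urlsplit(target[0]).hostname if target else None
    if host not in LOOPBACK:
        findings.append(f"ProxyPass target {host!r} is not loopback: decrypted traffic leaves the host")
    if [v.lower() for v in first("proxypreservehost")] != ["on"]:
        findings.append("ProxyPreserveHost is not On: the cache sees the proxy target as Host")
    # 'set' replaces any X-Forwarded-Proto the client sent; 'add'/'append' keep the client's value too.
    forced = any(n == "requestheader" and [v.lower() for v in a[:3]] == ["set", "x-forwarded-proto", "https"]
                 for n, a in d)
    if not forced:
        findings.append("X-Forwarded-Proto is not forced with 'RequestHeader set'")
    return findings

# Constructed samples: the first mirrors the post's configuration, the second is deliberately weak.
PAGE_STYLE_CONF = """
ServerName www.example.com
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:80/
RequestHeader set X-Forwarded-Port "443"
RequestHeader set X-Forwarded-Proto "https"
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/example.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/example.com.key
"""
WEAK_CONF = PAGE_STYLE_CONF.replace("127.0.0.1", "10.0.0.5").replace(
    "ProxyPreserveHost On\n", "").replace("set X-Forwarded-Proto", "add X-Forwarded-Proto")

if __name__ == "__main__":
    print(audit_tls_proxy_vhost(PAGE_STYLE_CONF), audit_tls_proxy_vhost(WEAK_CONF))
```

Running it prints an empty list for the configuration from the post and three findings for the weakened copy.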