6

default-ssl.conf is quite self-explanatory. I assume it's for default values that would be used when no vhost or other config overrides it.

But what exactly is the 000-default-le-ssl.conf file? Why is it named the way it is? What's with the triple zeros in front? How is it different/should be used differently from default-ssl.conf? How should either/both be used?

Regardless of which conf file, I am finding very few default values I can use. With multiple domains I can't really use ServerName/ServerAlias, and since each domain has its own directory/port I can't use default DocumentRoot/Proxy either. In my case I have SSL certs generated for each domain so can't use default values there either. Even ServerAdmin could be different for each domain. Based on this use case, should I just leave it almost blank or am I missing something? What is the best practice in this scenario?

I am running latest Apache Server on Ubuntu 18.04.

DominicM

1 Answer

4

The 0s at the front of the file name simply force an order when a directory is scanned and the results are processed one by one.

With Apache, the first virtual host read/processed is the one clients are sent to if they connect requesting a host name that your server isn't configured to serve up.

The default-le configuration sounds as if it is the one that LetsEncrypt might use for authentication/confirmation, but this is simply a wild guess based on the presence of le in the filename. To know for sure you should examine the contents, and post if you have questions.

As to defaults, etc. you can share just about all of the configuration information, or at least the parent directories of file paths, etc.

Here's a template I use; replace DOMAIN and YOURIP as appropriate.

```apache
# Port 80: redirect every plain-HTTP request to the HTTPS site
<VirtualHost *:80>
    ServerName DOMAIN
    ServerAlias www.DOMAIN
    RewriteEngine on
    RewriteRule ^/(.*)$ https://www.DOMAIN/$1 [R,L]
</VirtualHost>

# Port 443: the site itself, with its own certificate, document root and logs
<VirtualHost YOURIP:443>
    ServerName DOMAIN
    ServerAlias www.DOMAIN
    ServerAdmin webmaster@DOMAIN
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/DOMAIN/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/DOMAIN/privkey.pem
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    CustomLog ${APACHE_LOG_DIR}/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    DocumentRoot /var/www-DOMAIN
    <Directory /var/www-DOMAIN>
        Options All
        AllowOverride All
        Require all granted
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/ssl-DOMAIN-error.log
    CustomLog ${APACHE_LOG_DIR}/ssl-DOMAIN-access.log combined
</VirtualHost>
```
ivanivan
  • Regarding the default vhost snippet, wouldn't it cause unhandled error pages to point to this default domain? I mean if you have, let's say, an ecommerce site and a personal blog, you certainly do not want ecommerce to ever point/redirect to the personal blog or even vice-versa. Internal server error is preferred to defaults in this case, that's why I don't see much use of the default file. – DominicM May 15 '19 at 08:26
  • @DominicM No. If I point `foo.example.com` at your IP, and your server isn't configured to respond to it, it will go to the first vhost processed. This means you'll get SSL errors (if an https site) since certificate and given hostname won't match. Also file not found errors, etc. are possible. But a 404 on a hostname you are configured for will not fall back to the default vhost. – ivanivan May 15 '19 at 12:10
  • Yes, 404 should not be an issue but it is never acceptable to have any content served from another domain/directory. Even if there is a bad Apache config it is not acceptable to have any possibility to serve/fall back on another site/domain/directory. I am having this issue now where for some reason it is falling back to another domain on a certain URL, something which is never acceptable even when Apache is badly configured due to an error, as is likely the case now. – DominicM May 15 '19 at 12:21
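
The fallback behaviour discussed in this thread, as a simplified model added here as an example (not code from the answer or from Apache): it shows that a dedicated catch-all vhost only becomes the fallback when its file sorts first and it uses the same address as the real sites. The IP, host names and file names are constructed, and `select_vhost` is a hypothetical helper that ignores `_default_`, wildcard aliases and vhosts with several addresses.

```python
# Constructed sample data: (config file, <VirtualHost> address, ServerName, aliases).
# 203.0.113.10 stands in for YOURIP; the site names are made up for illustration.
SITES = [
    ("shop.conf", "203.0.113.10:443", "shop.example", ["www.shop.example"]),
    ("blog.conf", "203.0.113.10:443", "blog.example", ["www.blog.example"]),
]
CATCHALL_WILDCARD = ("000-catchall.conf", "*:443", "catchall.invalid", [])
CATCHALL_SAME_IP = ("000-catchall.conf", "203.0.113.10:443", "catchall.invalid", [])


def select_vhost(vhosts, local_ip, port, host):
    """Hypothetical helper: return the config file whose vhost answers the request."""
    # Files in sites-enabled are included in sorted name order, hence the "000-" prefix.
    ordered = sorted(vhosts, key=lambda v: v[0])
    exact = [v for v in ordered if v[1] == f"{local_ip}:{port}"]
    wildcard = [v for v in ordered if v[1] == f"*:{port}"]
    # A wildcard address is only considered when no vhost names the exact address.
    candidates = exact or wildcard
    if not candidates:
        return None  # no vhost on this address: the main server config answers
    wanted = host.lower().rstrip(".")
    for conf, _addr, name, aliases in candidates:
        if wanted in (n.lower() for n in [name, *aliases]):
            return conf
    # No ServerName/ServerAlias matched: the first listed vhost is the default.
    return candidates[0][0]


if __name__ == "__main__":
    ip, port = "203.0.113.10", 443
    cases = [
        ("sites only", SITES),
        ("catch-all on *:443", SITES + [CATCHALL_WILDCARD]),
        ("catch-all on same IP", SITES + [CATCHALL_SAME_IP]),
    ]
    for label, vhosts in cases:
        print(f"{label:22} foo.example.com -> {select_vhost(vhosts, ip, port, 'foo.example.com')}")
```

On a live server, `apache2ctl -S` prints the parsed vhost table and marks the default server for each address and port, which is the quickest way to confirm what an unmatched host name will actually reach.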