10

default-ssl.conf is quite self-explanatory. I assume it's for default values that would be used when no vhost or other config overrides it.

But what exactly is 000-default-le-ssl.conf file? Why is it named the way it is? What's with the triple zeros in front? How is it different/should be used differently from default-ssl.conf? How should either/both be used?

Regardless of which conf file, I am finding very few default values I can use. With multiple domains I can't really use ServerName/ServerAlias, and since each domain has its own directory/port I can't use a default DocumentRoot/Proxy either. In my case I have SSL certs generated for each domain, so I can't use default values there either. Even ServerAdmin could be different for each domain. Based on this use case, should I just leave it almost blank or am I missing something? What is the best practice in this scenario?

I am running the latest Apache Server on Ubuntu 18.04.

DominicM
  • 251

3 Answers

6

The 0s at the front of the file name simply force an order when a directory is scanned and the results are processed one by one.

With apache, the first virtual host read/processed is the one clients are sent to if they connect requesting a host name that your server isn't configured to serve up.

The default-le configuration sounds as if it is the one that LetsEncrypt might use for authentication/confirmation, but this is simply a wild guess based on the presence of le in the filename. To know for sure you should examine the contents, and post if you have questions.

As to defaults, etc. you can share just about all of the configuration information, or at least the parent directories of file paths, etc.

Here's a template I use; replace DOMAIN and YOURIP as appropriate.

<VirtualHost *:80>
    ServerName DOMAIN
    ServerAlias www.DOMAIN
    RewriteEngine on
    RewriteRule ^/(.*)$ https://www.DOMAIN/$1 [R,L]
</VirtualHost>
<VirtualHost YOURIP:443>
    ServerName DOMAIN
    ServerAlias www.DOMAIN
    ServerAdmin webmaster@DOMAIN
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/DOMAIN/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/DOMAIN/privkey.pem
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    CustomLog ${APACHE_LOG_DIR}/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    DocumentRoot /var/www-DOMAIN
    <Directory /var/www-DOMAIN>
        Options All
        AllowOverride All
        Require all granted
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/ssl-DOMAIN-error.log
    CustomLog ${APACHE_LOG_DIR}/ssl-DOMAIN-access.log combined
</VirtualHost>
ivanivan
  • 1,548
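
The load-order rule from the answer above, as an added example (not code from the original post or from Apache): a Python sketch that sorts constructed sites-enabled file names the way a wildcard include does and reports which vhost comes first, and is therefore the default, for each address:port. The file names, host names and the function `default_vhosts` are assumptions, and addresses are compared as written, without modelling how Apache prefers an IP-specific vhost over a `*` wildcard.

```python
import re
# Constructed sample: file name -> contents, as they might sit in sites-enabled/.
SAMPLE_SITES = {
    "shop.example.com.conf": """
<VirtualHost *:80>
    ServerName shop.example.com
</VirtualHost>
<VirtualHost *:443>
    ServerName shop.example.com
</VirtualHost>
""",
    "000-default.conf": """
<VirtualHost *:80>
    ServerName catchall.invalid
</VirtualHost>
""",
    "blog.example.com-le-ssl.conf": """
<VirtualHost *:443>
    ServerName blog.example.com
</VirtualHost>
""",
}

# Anchored at line start, so "#"-commented directives never match.
VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.IGNORECASE)
SERVER_NAME = re.compile(r"^\s*ServerName\s+(\S+)", re.IGNORECASE)

def default_vhosts(sites):
    """Return {address: (file, ServerName)} for the first vhost seen per address."""
    defaults = {}
    for fname in sorted(sites):  # wildcard includes are read in alphabetical order
        addrs, name = None, None
        for line in sites[fname].splitlines():
            m = VHOST_OPEN.match(line)
            if m:
                addrs, name = m.group(1).split(), None
            elif addrs is not None and (m := SERVER_NAME.match(line)):
                name = m.group(1)
            elif addrs is not None and VHOST_CLOSE.match(line):
                for addr in addrs:
                    # Only the first vhost per address becomes the fallback.
                    defaults.setdefault(addr, (fname, name))
                addrs = None
    return defaults

if __name__ == "__main__":
    for addr, (fname, name) in default_vhosts(SAMPLE_SITES).items():
        print(f"{addr:8} default -> {name} ({fname})")
```

In this sample no 000- file defines a `*:443` vhost, so blog.example.com becomes the fallback for unknown HTTPS host names. On a live server, `apache2ctl -S` prints the default server per address from the loaded configuration.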
0

Quick answer: You are seeing two things happening here --

TLDR1: "Why 000-sitename.conf?" and not "sitename.conf?" The former is usually just a symlink to the first, which you can tell with ls -alh and checking for the l modifier on the file permissions.

TLDR2: "Why sitename.conf versus sitename-le-ssl.conf?" The former handles HTTP validation (the portname indicated in the file is 80), and the latter handles HTTPS validation (the portname indicated in the file is 443).

0

But what exactly is 000-default-le-ssl.conf file? Why is it named the way it is? What's with the triple zeros in front?

As others have mentioned, adding numbers in front is a usual way of enforcing a certain order for e.g. config files. This makes this file load pretty early on.

How is it different/should be used differently from default-ssl.conf? How should either/both be used?

  • default-ssl.conf This is Apache's template for a server with SSL configured. It has a lot of explanations for the most usual options. You may use this as a base for your own configuration.
  • 000-default-le-ssl.conf This is generated automatically by Let's Encrypt's certbot command. It has some specific settings, for example the paths to the certificate files are set correctly already. Use this as a base for your configuration if you wish to use your generated Let's Encrypt certificates.

Of course you may mix options from both files as you wish, but make sure you understand the meanings of the options. You can find documentation for Apache's SSL options online.

With multiple domains I can't really use ServerName/ServerAlias

Just add multiple VirtualHost sections:

<VirtualHost *:443>
  ServerName firstdomain.example.com
  # more options for your 1st domain
</VirtualHost>

<VirtualHost *:443>
  ServerName seconddomain.example.com
  # more options for your 2nd domain
</VirtualHost>

quazgar
  • 511