I couldn't find anything related to BOA best practice regarding enabling SSL to specific existing managed aegir sites. Although I did read something on devseed about mysite.drush.inc overrides in the /var/aegir/.drush folder some specifics weren't that clear and hence I couldn't get it to work on BOA. The requirement has only just come up so wanting to get a permanent solution in place before enabling more.
Any assistance is greatly appreciated.
Comments
Comment #1
omega8cc commented
http://drupalcode.org/project/barracuda.git/blob/HEAD:/docs/SSL.txt
Comment #2
snlnz commented
Thanks for your reply.
How about, in the situation where multiple aegir sites share the same IP and need self signed certs? I'm sure it's a matter of playing round with the config files but it seems a bit backward from what aegir was built upon. Is that best practice for enabling self signed ssl on aegir sites?
Say we have two or more sites running off the aegir instance that we want using ssl, self signed certs and same ip.
Later down the track we want to add additional sites with their own appropriate certificates more than likely on the same ip?
I thought I recall Aegir having the ability to generate self signed SSL certs and I was hoping it would be that easy in BOA?
Comment #3
omega8cc commented
The problem is: the Aegir built-in SSL feature is not (yet) designed to support the TLS SNI mode available in Nginx (BOA), so you can't use it to enable SSL for more than one (1) site per IP.
Our how-to is a temporary workaround and it will be easy to switch to the Aegir native SSL support when TLS SNI is supported.
See also: http://en.wikipedia.org/wiki/Server_Name_Indication
Comment #4
snlnz commented
Do we leave the issue open while this feature is not supported?
Comment #5
omega8cc commented
I'm going to close this because it is not a Barracuda issue.
Barracuda provides a workaround, but the feature request needs to be opened in the Aegir (Hostmaster) queue.
Comment #6
snlnz commented
Agreed. I will post an issue on the aegir project.
tx
Comment #7
iub98 commented
Is the procedure to enable SSL for one site on an Aegir install the same as the link you posted above, omega8cc? Or, is there a simpler setup given I only need to enable SSL on one of my BOA sites? Thanks for this wonderful script BTW!
Comment #8
realityloop commented
Could we not add something like this in the vhost for the site in question by having an include that's outside the existing server block to allow it?
Comment #9
realityloop commented
Possibly relevant:
http://internetdevels.com/blog/using-http-and-https-in-drupal
Comment #10
omega8cc commented
@realityloop -- I'm not sure what exactly you mean, could you elaborate? By the way, the article you have linked is a horrible example of bad Nginx config.
Comment #11
realityloop commented
What I'd love to see is the ability to have different SSL certs per site without requiring additional IPs.
Comment #12
omega8cc commented
Then simply use the BOA standard SSL how-to and use the same IP address in all server {} config containers and define the server_name to match the cert domain(s) instead of a wildcard. If you want the Aegir SSL feature to support TLS/SNI, I believe there are already issues about it in Aegir's own queue.
Note that if you have only a single IP on the system, you will have to modify or remove the BOA standard SSL wildcard proxy vhost.
~Robert
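The layout described in comment #12, as an added illustration that is not part of the original thread or of the BOA how-to: two HTTPS vhosts on one IP, each with its own certificate, selected by Nginx from the TLS SNI hostname. The IP address, hostnames, certificate paths and the proxied backend are all placeholder assumptions.

```nginx
# Added example; every address, hostname and path below is a placeholder.
# Both blocks listen on the same IP:443. Nginx chooses the block, and with it
# the certificate, from the hostname the client sends in the TLS SNI extension.

server {
    # The first block defined for an address is its default: clients that send
    # no SNI, or a name matching no server_name, are served this certificate.
    listen 192.0.2.10:443 ssl;
    server_name site-a.example.com;   # must match the name(s) in this cert

    ssl_certificate     /etc/ssl/private/site-a.example.com.crt;
    ssl_certificate_key /etc/ssl/private/site-a.example.com.key;

    location / {
        # Assumption: the site is also served over plain HTTP on port 80
        # and this vhost only terminates TLS in front of it.
        proxy_pass http://192.0.2.10:80;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

server {
    listen 192.0.2.10:443 ssl;        # same IP, no extra address needed
    server_name site-b.example.org;   # explicit name instead of a wildcard

    ssl_certificate     /etc/ssl/private/site-b.example.org.crt;
    ssl_certificate_key /etc/ssl/private/site-b.example.org.key;

    location / {
        proxy_pass http://192.0.2.10:80;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

After `nginx -t` and a reload, `openssl s_client -connect 192.0.2.10:443 -servername site-b.example.org` shows which certificate is presented for a given SNI name.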
Comment #13
jvic commented
@omega8cc which means that if using ssl it will be using wildcard ssl to support aegir right with only single ip?
So it is not possible to enable 1 site http(80) another https(443) simultaneously right?
Is it possible to create 2 aegir, the 1st aegir will be http and another will be https?
Sorry to disturb, just curious.
Comment #14
timlie commented
Does this work in latest BOA with nginx?:
http://community.aegirproject.org/content/content/administrator/post-ins...
Comment #15
Jeff Veit commented
Well it borked the Boa Nginx installation we tried it on. But it turned out that there were other problems so I can't unambiguously say this was the cause, though it was the trigger.
I did learn when your https goes into a loop, that turning off the aegir ssl modules using drush doesn't help, but that if you create the file /data/conf/no-https-aegir.inc you can log in via http and fix the problem.
Why don't you try it and report back?