As CentOS 7 is getting to the end of its life, it's time to start thinking about an upgrade.
On my old server I tried LEAPP a couple of times (on a clone, of course), but success was not really guaranteed. So, a complete reinstall is in order.
But, as I move from CentOS 7 to Rocky Linux 9, this automatically means that some packages are no longer available. I was using sslh to accept both SSH and HTTPS connections on port 443.
I was left with a couple of options:
- Compile sslh from source and use that. This is a possibility, but it will involve a lot of extra maintenance to keep it up to date.
- Rumour says this is also possible with nginx. As I was already planning the move from Apache to nginx, this would be worth investigating.
As it turns out, this is rather simple. First install the nginx-mod-stream package to enable the stream functionality. Then, in /etc/nginx/nginx.conf, configure the stream block, where the SSH and HTTPS streams are separated: nginx reads the first bytes of every connection on port 443 (ssl_preread), and anything that is not a recognised TLS handshake is sent to SSH.
/etc/nginx/nginx.conf:

    # Split SSH and HTTPS streams
    stream {
        resolver 127.0.0.1 [::1] valid=30s;

        upstream ssh {
            server 127.0.0.1:22;
        }

        upstream web {
            server 127.0.0.1:443;
        }

        map $ssl_preread_server_name $name {
            tonkersten.com      web;
            www.tonkersten.com  web;
            default             web;
        }

        map $ssl_preread_protocol $upstream {
            default   ssh;
            "TLSv1.3" $name;
            "TLSv1.2" $name;
            "TLSv1.1" $name;
            "TLSv1.0" $name;
        }

        # SSH and SSL on the same port
        server {
            listen <your IP address>:443; ⇐ (1)
            proxy_pass $upstream;
            ssl_preread on;
        }
    }

(1) Do not specify 0.0.0.0 or [::1] here. The stream listener must bind only the public address, because the HTTPS vhost below binds 127.0.0.1:443 on the same port.
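To make the routing decision above concrete, here is an added Python example (not from this post and not nginx code) that does what ssl_preread does: it peeks at the first bytes of a connection, checks whether they are a TLS ClientHello, pulls out the SNI and protocol version, and applies the two maps from the config. The build_client_hello helper and the NAME_MAP table are constructed test data that mirror the map blocks.

```python
import struct

TLS_VERSIONS = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
NAME_MAP = {"tonkersten.com": "web", "www.tonkersten.com": "web"}  # map $ssl_preread_server_name


def parse_client_hello(data: bytes):
    """Return (protocol, sni) from the first bytes of a connection, or (None, None) if not TLS."""
    # TLS record header: content type 0x16 (handshake), version 0x03xx, 2-byte length
    if len(data) < 5 or data[0] != 0x16 or data[1] != 0x03:
        return None, None
    hs = data[5:5 + struct.unpack("!H", data[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:                       # handshake type 1 = ClientHello
        return None, None
    pos, version = 4, struct.unpack("!H", hs[4:6])[0]      # skip type(1) + length(3)
    pos += 2 + 32                                           # client_version, random
    pos += 1 + hs[pos]                                      # session id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]      # cipher suites
    pos += 1 + hs[pos]                                      # compression methods
    sni = None
    if pos + 2 <= len(hs):
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            body = hs[pos + 4:pos + 4 + elen]
            if etype == 0:                                  # server_name: list len(2), type(1), len(2), name
                sni = body[5:5 + struct.unpack("!H", body[3:5])[0]].decode("ascii")
            elif etype == 43 and b"\x03\x04" in [body[i:i + 2] for i in range(1, len(body), 2)]:
                version = 0x0304                            # supported_versions advertises TLS 1.3
            pos += 4 + elen
    return TLS_VERSIONS.get(version), sni


def route(first_bytes: bytes) -> str:
    """The decision behind $upstream: TLS with a listed version -> $name, anything else -> ssh."""
    proto, sni = parse_client_hello(first_bytes)
    if proto is None:        # "SSH-2.0-..." banner, garbage, or preread timeout (empty)
        return "ssh"
    return NAME_MAP.get(sni, "web")


def build_client_hello(sni: str, tls13: bool = False) -> bytes:
    """Constructed minimal ClientHello carrying an SNI extension (test input only)."""
    name = sni.encode("ascii")
    exts = struct.pack("!HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name
    if tls13:
        exts += struct.pack("!HHB", 43, 3, 2) + b"\x03\x04"
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```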
    server {
        listen 80;
        server_name www.tonkersten.com;
        return 301 https://$host:443$request_uri;
    }

    server {
        listen 127.0.0.1:443 ssl; ⇐ (1)
        server_name www.tonkersten.com;
        ssl_certificate /etc/letsencrypt/live/tonk.nl/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/tonk.nl/privkey.pem;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        root /home/data/vhosts/tonkersten/html;
        index index.html;
    }

(1) The vhost listens only on localhost; the public port 443 belongs to the stream block, which proxies the HTTPS connections to it.