New setup! When visiting the site from the web, you’re no longer being redirected to port 1966. Instead, Apache now acts as a reverse proxy.

The following config requests new certificates from Let’s Encrypt automatically thanks to mod_md.

HTTP requests are redirected to HTTPS. HTTPS requests for “/.well-known” URLs are left untouched so that the Let’s Encrypt renewal keeps working. All other HTTPS requests are proxied to the old port 1966.

As each port can only be listened on by a single service and Apache is already listening on ports 80 and 443, I still need this one. Importantly, however, port 1966 is now HTTP only.

# mod_md: one managed certificate covering all of these names.
# NOTE(review): archive.transjovian.org is listed here but is not a ServerName
# or ServerAlias of either VirtualHost below — confirm this is intended.
MDomain transjovian.org vault.transjovian.org toki.transjovian.org xn--vxagggm5c.transjovian.org archive.transjovian.org
# Accept the CA's terms of service so mod_md can request certificates unattended.
MDCertificateAgreement accepted

<VirtualHost *:80>
    ServerName transjovian.org
    ServerAlias vault.transjovian.org toki.transjovian.org xn--vxagggm5c.transjovian.org
    # Plain HTTP exists only to bounce every request to HTTPS.
    RewriteEngine on
    # NOTE(review): the redirect target is built from the client-supplied Host
    # header (HTTP_HOST), not from ServerName. Name-based matching limits which
    # hosts reach this block, but if this is also the default *:80 vhost an
    # arbitrary Host value is echoed into the Location header — confirm, or
    # redirect to a fixed name / %{SERVER_NAME} with UseCanonicalName On.
    # [redirect] with no code is a 302; use [R=301] if the move is permanent.
    RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [redirect]
</VirtualHost>
<VirtualHost *:443>
    ServerAdmin alex@alexschroeder.ch
    ServerName transjovian.org
    ServerAlias vault.transjovian.org toki.transjovian.org xn--vxagggm5c.transjovian.org

    RewriteEngine on
    # Do not redirect /.well-known URL
    # (these stay local so the Let's Encrypt renewal via mod_md keeps working)
    RewriteCond %{REQUEST_URI} !^/\.well-known/
    # Everything else is reverse-proxied ([proxy] = mod_proxy) to Phoebe on
    # port 1966, which is plain HTTP behind this TLS terminator.
    # NOTE(review): the backend name is taken from the client's Host header and
    # resolved by DNS per request instead of pointing at loopback. A fixed
    # target such as http://127.0.0.1:1966/ with ProxyPreserveHost On would keep
    # the Host header for Phoebe while removing the client-controlled backend
    # name. Rewrite-based proxying re-escapes the captured $1 — verify the
    # behaviour for paths containing %-encoded characters or '?'.
    RewriteRule ^/(.*) http://%{HTTP_HOST}:1966/$1 [proxy]

    # Only reached for the /.well-known/ paths excluded above.
    # NOTE(review): Indexes + AllowOverride All are broader than a challenge
    # directory needs — consider tightening if nothing else is served here.
    DocumentRoot /home/alex/transjovian.org
    <Directory /home/alex/transjovian.org>
        Options Indexes MultiViews SymLinksIfOwnerMatch
        AllowOverride All
        Require all granted
    </Directory>

    # Presumably shared blocking rules; note they apply only to traffic that
    # enters through Apache, not to anything that reaches port 1966 directly.
    Include conf-enabled/blocklist.conf
    # No SSLCertificateFile/SSLCertificateKeyFile: the certificate is presumably
    # supplied by mod_md for the MDomain declared above.
    SSLEngine on
</VirtualHost>

The Phoebe service definition indicates that the Transjovian Council hostnames on port 1966 are served with no certificates (i.e. HTTP instead of HTTPS) using the “--no_cert” argument.

# Phoebe unit. Apache on 443 proxies web traffic to the plain-HTTP listener on
# 1966 (see the reverse-proxy config); the listener on 1965 carries its own
# certificate (presumably Gemini, 1965 being its standard port).
[Unit]
Description=Phoebe
After=network.target
[Install]
WantedBy=multi-user.target
[Service]
Type=simple
WorkingDirectory=/home/alex/farm
Restart=always
# Runs unprivileged as alex.
User=alex
# NOTE(review): cert.pem/key.pem below live under /home/alex/farm, so the
# ssl-cert group may be a leftover from reading system certificates — verify it
# is still needed and drop it if not.
Group=ssl-cert
# Hard memory cap, with reclaim pressure starting at MemoryHigh.
MemoryMax=100M
MemoryHigh=90M
# NOTE(review): no sandboxing directives (e.g. NoNewPrivileges=, ProtectSystem=)
# are set; ProtectHome= would not fit since the service lives under /home/alex.
Environment="PERL5LIB=/home/alex/perl5/perlbrew/perls/perl-5.32.0/lib"
# Two listeners, each followed by the --host names it answers for:
#   --port=1966 with --no_cert : plain HTTP for the Transjovian names; only
#       Apache should reach it. NOTE(review): no bind address is given, so
#       unless Phoebe defaults to loopback or the port is firewalled, clients
#       can reach 1966 directly and bypass TLS and blocklist.conf — confirm.
#   --port=1965 with --cert_file/--key_file : TLS for all hosts listed after it.
# --wiki_space entries are sub-wikis under transjovian.org.
# (No comment lines inside the continuation below: keep ExecStart contiguous.)
ExecStart=/home/alex/perl5/perlbrew/perls/perl-5.32.0/bin/perl \
 /home/alex/perl5/perlbrew/perls/perl-5.32.0/bin/phoebe \
 --wiki_dir=/home/alex/phoebe \
 --log_level=info \
 --port=1966 \
 --host=transjovian.org \
 --host=toki.transjovian.org \
 --host=xn--vxagggm5c.transjovian.org \
 --host=vault.transjovian.org \
 --no_cert \
 --port=1965 \
 --host=transjovian.org \
 --host=toki.transjovian.org \
 --host=xn--vxagggm5c.transjovian.org \
 --host=vault.transjovian.org \
 --host=communitywiki.org \
 --host=alexschroeder.ch \
 --host=next.oddmuse.org \
 --host=emacswiki.org \
 --host=campaignwiki.org \
 --cert_file=/home/alex/farm/cert.pem \
 --key_file=/home/alex/farm/key.pem \
 --wiki_main_page=Welcome \
 --wiki_page=About \
 --wiki_mime_type=image/png \
 --wiki_mime_type=image/jpeg \
 --wiki_mime_type=audio/mpeg \
 --wiki_mime_type=video/webm \
 --wiki_space=transjovian.org/test \
 --wiki_space=transjovian.org/phoebe \
 --wiki_space=transjovian.org/anthe \
 --wiki_space=transjovian.org/gemini \
 --wiki_space=transjovian.org/titan \
 --wiki_space=transjovian.org/ijiraq \
 --wiki_space=transjovian.org/elpher \
 --wiki_space=transjovian.org/hyperion