Paste P2023

Alternate File Domain, plus Let's Encrypt

Authored by lewellyn on Dec 11 2016, 5:50 AM.
(Skim the Notes at the bottom before starting.)
=== Prerequisites & Assumptions ===
* You want secure transport
* You don't want to buy an SSL certificate
* You don't want to let Let's Encrypt touch your server configurations you've lovingly crafted
* You are quite well-learned about TLS and you're unlikely to misconfigure your security
* Your Phabricator is at ``
* Your second ("alternate file domain") hostname is ``
* Your second hostname is hosted by same web server as the first
* You have already configured DNS for both hostnames (if not, stop now and do it, so there's time for it to propagate... I'll still be here when you get back)
* You're running Apache (If you're using Nginx or Lighty, I'll assume you're clueful enough to take these directions and modify them)
* You're using Ubuntu 16.04 (old-LTS doesn't exist to me, and for anything else there's where you can select "None of the above" on whatever you're running)
=== Configure Apache, Part Uno ===
Modify your configuration for your insecure (port 80) Phabricator VirtualHost to have an updated set of rewrite stuff:
```
RewriteEngine on
# Don't redirect Let's Encrypt requests
RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge
# But everything else goes to Phabricator
RewriteRule ^(.*)$ /index.php?__path__=$1 [B,L,QSA]
```
Then, restart Apache:
`# systemctl restart apache2`
=== Configure Let's Encrypt ===
(**Note:** If you don't want to generate a certificate that also will work on your FQDN, leave off the first `-w /path/to/webroot` and `-d $(hostname -f)`. Also, the first webroot is the one your web server defaults to.)
```
# apt install letsencrypt
# letsencrypt certonly --webroot -w /var/www/html -d $(hostname -f) -w /home/phabricator/src/phabricator/webroot -d -d
# printf '#!/bin/sh\n/usr/bin/letsencrypt renew --agree-tos >/dev/null\n' >> /etc/cron.daily/letsencrypt
# chmod +x /etc/cron.daily/letsencrypt
```
You should be able to run `certonly` without error, if you set up everything prior just right. And be sure to check the cronjob to make sure it actually works.
=== Configure Apache, Part Deux ===
Now, in your insecure Phabricator VirtualHost, comment out this line:
`RewriteRule ^(.*)$ /index.php?__path__=$1 [B,L,QSA]`
**Immediately** after that line, add this line:
`RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]`
Now add a secure VirtualHost (port 443) for Phabricator:
* Configure the `ServerName`, `ServerAlias`, `DocumentRoot`, the various log directives, headers, etc. the same as your insecure VirtualHost
* Make sure your rewrites are set up exactly how they were for your insecure host ***before*** you started this escapade
* Set `SSLCertificateFile` to the `fullchain.pem` in `/etc/letsencrypt/live/` (See note below for Apache < 2.4.8)
* Set `SSLCertificateKeyFile` to the `privkey.pem` in the same directory
* Set `SSLUseStapling on` along with the other stapling options
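Putting Part Uno and Part Deux together, here is what the finished pair of VirtualHosts looks like. This is an added example, not the paste's own configuration: the hostnames `phabricator.example.com` and `files.example.com` are placeholders for your two hostnames, the DocumentRoot is the Phabricator webroot the `letsencrypt` command above pointed at, the cipher list and the HSTS header are my choices rather than anything the paste prescribes, and it assumes Apache 2.4.8 or newer (see the Notes for the older `cert.pem` / `chain.pem` form).

```apache
# Added example, not from the original paste. Hostnames are placeholders.
# Requires mod_ssl, mod_rewrite and mod_headers (a2enmod ssl rewrite headers).

# The stapling cache must live at server level, outside any VirtualHost.
<IfModule mod_ssl.c>
    SSLStaplingCache "shmcb:${APACHE_RUN_DIR}/ssl_stapling(32768)"
</IfModule>

# Port 80 after Part Deux: the Phabricator rewrite is gone, ACME challenges
# are served as plain files, and everything else is redirected to HTTPS.
<VirtualHost *:80>
    ServerName  phabricator.example.com
    ServerAlias files.example.com
    DocumentRoot /home/phabricator/src/phabricator/webroot

    <Directory /home/phabricator/src/phabricator/webroot>
        Require all granted
    </Directory>

    RewriteEngine on
    # Let's Encrypt webroot validation must reach the static file unredirected
    RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

    ErrorLog  ${APACHE_LOG_DIR}/phabricator-error.log
    CustomLog ${APACHE_LOG_DIR}/phabricator-access.log combined
</VirtualHost>

# Port 443: same names, same DocumentRoot, the ORIGINAL Phabricator rewrite,
# plus the Let's Encrypt certificate and OCSP stapling.
<VirtualHost *:443>
    ServerName  phabricator.example.com
    ServerAlias files.example.com
    DocumentRoot /home/phabricator/src/phabricator/webroot

    <Directory /home/phabricator/src/phabricator/webroot>
        Require all granted
    </Directory>

    SSLEngine on
    # Apache >= 2.4.8: fullchain.pem carries the leaf and the intermediates.
    # Older Apache: SSLCertificateFile cert.pem + SSLCertificateChainFile chain.pem
    SSLCertificateFile    /etc/letsencrypt/live/phabricator.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/phabricator.example.com/privkey.pem

    # Protocol and cipher choices are this example's, not the paste's.
    SSLProtocol         all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    SSLCipherSuite      ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384

    SSLUseStapling                   on
    SSLStaplingResponderTimeout      5
    SSLStaplingReturnResponderErrors off

    # HSTS (assumption: you intend to keep HTTPS working; browsers will
    # refuse plain HTTP for this host for a year once they have seen it)
    Header always set Strict-Transport-Security "max-age=31536000"

    # Exactly the rewrite the insecure host had before this escapade
    RewriteEngine on
    RewriteRule ^(.*)$ /index.php?__path__=$1 [B,L,QSA]

    ErrorLog  ${APACHE_LOG_DIR}/phabricator-ssl-error.log
    CustomLog ${APACHE_LOG_DIR}/phabricator-ssl-access.log combined
</VirtualHost>
```

Run `apachectl configtest` before the restart; if `SSLStaplingCache` is missing or mod_headers is not enabled, the test fails with a clear message instead of Apache dying on restart. Because `UseCanonicalName` is off by default on Ubuntu, `%{SERVER_NAME}` in the redirect follows the Host header, so a request to the alternate file hostname lands on the HTTPS version of that same hostname rather than on the primary one.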
=== Make it all Work ===
`# systemctl restart apache2`
```
phabricator$ bin/config set phabricator.base-uri
phabricator$ bin/config set security.alternate-file-domain
phabricator$ bin/config set security.require-https true
```
Seriously, that should be all you need now to make your Phabricator available over SSL.
=== Notes ===
If you don't have tons of experience with TLS, you really want to let Let's Encrypt modify your webserver configurations for you. But that's a different document, not this one. I'll write it if someone asks.
I haven't yet taken the time to care about HPKP with Let's Encrypt. But it's probably pretty easy.
If you're using Apache older than 2.4.8 (which you probably shouldn't be), use `SSLCertificateFile` with `cert.pem` and `SSLCertificateChainFile` with `chain.pem`.
You probably want to evaluate for yourself whether you want to allow `/.well-known/acme-challenge` or all of `/.well-known` to pass through the redirection to Phabricator. This document takes the conservative approach, but I can only assume `/.well-known` will start becoming more commonplace sooner or later.
The Phabricator book says:
> The alternate file domain should be a completely different domain from your primary domain, not just a different subdomain.
This is, indeed, a great idea. But if you aren't going to spend money on an SSL certificate, I doubt you'll spend money on another domain. But, then again, maybe CloudFlare will work for you?
Be sure to run the gamut of tests to make sure your configuration is sane after you're done. Make sure browsers aren't giving errors, that you're getting yourself an A+ on SSL Labs, etc. Then be sure to congratulate yourself on a job well done.
