My idea is as follows:
- Several tools would like to be hosted under a separate domain name. For example https://lizenzhinweisgenerator.de (T120946) and wikispy (T97846)
- The current solution is providing a separate IP to these tools, and having them set up their own webserver.
- The current solution also requires volunteers to fiddle with SSL/letsencrypt.
- We already have infrastructure to route requests (either by domain for the labsproxy, or by path for the tools proxy), but it currently does not support arbitrary domains
What I would like:
- a puppet class which instantiates an nginx virtualhost for a domain, and which automatically organizes a letsencrypt SSL certificate for that domain.
What I've tested:
- SNI in nginx is super easy. https://www.digitalocean.com/community/tutorials/how-to-set-up-multiple-ssl-certificates-on-one-ip-with-nginx-on-ubuntu-12-04 basically describes the process.
What I still need to figure out:
- Letsencrypt + letsencrypt automation
- Certificate management. How do we make sure both proxies have access to the certificates? Do we need to (maybe we can run letsencrypt on both hosts)?
- Revocation of certificates?
- How to link the new virtualhost into the existing proxy machinery. A simple rewrite statement is probably enough.