Creating Multiple Sub Domains using a Single Cloudflare Tunnel with Apache on Debian

Apache supports name-based virtual hosts: every subdomain can live on one virtual machine with a single Apache install, and Apache picks the site to serve from the Host header of each request. The only requirements are that each site names its hostname exactly (ServerName or ServerAlias) and that whatever sits in front of Apache, here the Cloudflare Tunnel, passes that header through unchanged.

Example Setup

Create a separate site config for each subdomain

/etc/apache2/sites-available/arc.conf
/etc/apache2/sites-available/blog.conf
/etc/apache2/sites-available/images.conf

Example arc.conf

<VirtualHost *:80>
    ServerName arc.hollis.fun
    DocumentRoot /var/www/arc

    <Directory /var/www/arc>
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

Example blog.conf

<VirtualHost *:80>
    ServerName blog.hollis.fun
    DocumentRoot /var/www/blog

    <Directory /var/www/blog>
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

Then enable them

sudo a2ensite arc.conf
sudo a2ensite blog.conf
sudo systemctl reload apache2

Cloudflare Tunnels/DNS Settings

A single Cloudflare Tunnel can route any number of hostnames. Each ingress rule maps a public hostname to a local service, and cloudflared forwards the request to that service with the original Host header, which is exactly what Apache's name-based matching keys on, so every subdomain can point at the same port.
First edit the cloudflared config

sudo nano /etc/cloudflared/config.yml

Add one hostname rule per subdomain. Rules are matched top to bottom and the list must end with a catch-all rule; here the catch-all answers any hostname that is not listed with a 404 instead of passing it on to Apache.

ingress:
  - hostname: arc.hollis.fun
    service: http://localhost:80
  - hostname: blog.hollis.fun
    service: http://localhost:80
  - hostname: images.hollis.fun
    service: http://localhost:80
  - service: http_status:404

Check that the rules parse, then restart

sudo cloudflared --config /etc/cloudflared/config.yml tunnel ingress validate
sudo systemctl restart cloudflared
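A consistency check for the two lists that have to agree, the ingress hostnames in config.yml and the ServerName/ServerAlias entries in sites-enabled. This is an added example, not code from the original post or from cloudflared. It reports a hostname the tunnel routes that no vhost claims (Apache's default site would answer it), a vhost the tunnel never routes, and any wildcard alias. The config and vhost files it writes under a temporary directory are constructed sample input using the post's domain.

```shell
#!/bin/sh
# Added example, not from the original post: cross-check the hostnames that
# cloudflared forwards to Apache against the ServerName/ServerAlias entries of
# the enabled virtual hosts. A hostname the tunnel forwards but no vhost claims
# is served by whichever vhost Apache loads first for that port, which is how a
# stale subdomain ends up showing another site. The demo files below are
# constructed; on a real host point the functions at /etc/cloudflared/config.yml
# and /etc/apache2/sites-enabled.
set -u

# Hostnames from the ingress section of config.yml, one per line.
# The catch-all rule ("- service: http_status:404") has no hostname and is skipped.
ingress_hostnames() {
    awk '/^[[:space:]]*-?[[:space:]]*hostname:[[:space:]]*/ {
             sub(/.*hostname:[[:space:]]*/, ""); print }' "$1"
}

# Every ServerName and ServerAlias from the enabled vhosts, port suffix stripped.
vhost_names() {
    cat "$1"/*.conf | awk '$1 == "ServerName" || $1 == "ServerAlias" {
        for (i = 2; i <= NF; i++) { sub(/:[0-9]+$/, "", $i); print $i } }'
}

# check_routing CONFIG_YML SITES_ENABLED_DIR
# Prints one line per finding. Returns 1 if a routed hostname is unclaimed or a
# vhost relies on a wildcard alias; an unrouted vhost is only reported.
check_routing() {
    cfg=$1
    sites=$2
    rc=0
    names=$(vhost_names "$sites" | sort -u)
    # Tunnel -> Apache: every routed hostname must be named exactly by a vhost.
    for h in $(ingress_hostnames "$cfg"); do
        if ! printf '%s\n' "$names" | grep -qxF "$h"; then
            echo "UNCLAIMED: $h is routed by the tunnel but no vhost names it (the default vhost answers)"
            rc=1
        fi
    done
    # Apache -> tunnel: flag wildcard aliases and vhosts the tunnel never reaches.
    while read -r n; do
        [ -n "$n" ] || continue
        case $n in
            \*.*) echo "WILDCARD: $n catches every unmatched subdomain on its port"; rc=1; continue ;;
        esac
        if ! ingress_hostnames "$cfg" | grep -qxF "$n"; then
            echo "UNROUTED: $n has a vhost but no tunnel ingress rule"
        fi
    done <<EOF
$names
EOF
    return $rc
}

# Constructed demo tree: a stale ingress rule (old.hollis.fun), a wildcard alias
# on the TLS vhost, and an alias (www.blog) the tunnel does not route.
demo=$(mktemp -d)
mkdir -p "$demo/sites-enabled"
cat > "$demo/config.yml" <<'EOF'
ingress:
  - hostname: arc.hollis.fun
    service: http://localhost:80
  - hostname: blog.hollis.fun
    service: http://localhost:80
  - hostname: old.hollis.fun
    service: http://localhost:80
  - service: http_status:404
EOF
cat > "$demo/sites-enabled/arc.conf" <<'EOF'
<VirtualHost *:80>
    ServerName arc.hollis.fun
</VirtualHost>
EOF
cat > "$demo/sites-enabled/blog.conf" <<'EOF'
<VirtualHost *:80>
    ServerName blog.hollis.fun
    ServerAlias www.blog.hollis.fun
</VirtualHost>
EOF
cat > "$demo/sites-enabled/arc-ssl.conf" <<'EOF'
<VirtualHost *:443>
    ServerName arc.hollis.fun
    ServerAlias *.hollis.fun
</VirtualHost>
EOF

check_routing "$demo/config.yml" "$demo/sites-enabled" \
    || echo "fix the findings above before reloading apache2 and cloudflared"
```

On the server run `check_routing /etc/cloudflared/config.yml /etc/apache2/sites-enabled` and compare with `apache2ctl -S`, which prints the vhosts Apache actually loaded and which one is the default for each port.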

Enabling SSL with a Cloudflare Origin Certificate

Cloudflare can issue an origin certificate for the hostnames you choose. It is signed by Cloudflare's own Origin CA, which browsers do not trust, so it is only useful on the hop between Cloudflare and your server; with a tunnel that hop is cloudflared talking to Apache on the same machine. Two things follow from that. The certificate is only used if the ingress rules point at https://localhost:443 rather than http://localhost:80, and because cloudflared then connects to localhost while the certificate is for hollis.fun names, each such rule needs an originRequest block with originServerName set to the hostname the certificate carries (cloudflared trusts Cloudflare-signed origin certificates, so noTLSVerify is not needed). Leaving the rules on http://localhost:80 is also defensible: that traffic never leaves the loopback interface.

First log in to cloudflare.com, go to SSL/TLS > Origin Server and create a certificate. Keep the default hostnames (hollis.fun and *.hollis.fun) so one certificate covers every first-level subdomain; the private key is shown only once, so copy both the certificate and the key now.

Make a new directory to store the keys

sudo mkdir -p /etc/ssl/cloudflare

Then create the files and paste into them

sudo nano /etc/ssl/cloudflare/origin.pem
sudo nano /etc/ssl/cloudflare/origin.key

Now lock down permissions

sudo chmod 600 /etc/ssl/cloudflare/origin.key
sudo chmod 644 /etc/ssl/cloudflare/origin.pem
sudo chown root:root /etc/ssl/cloudflare/origin.*

Apache reads the key as root when it starts, before dropping to www-data, so the web server user needs no access to it. Then enable mod_ssl in Apache

sudo a2enmod ssl
sudo systemctl restart apache2

Now create an SSL virtual host for each subdomain. Do not add a wildcard such as ServerAlias *.hollis.fun to one of them: Apache serves the first virtual host whose ServerName or ServerAlias matches the Host header, so a wildcard on arc would capture blog.hollis.fun and every other name under the domain on port 443, including subdomains that no longer exist. One exact ServerName per vhost keeps the matching predictable.

sudo nano /etc/apache2/sites-available/arc-ssl.conf
<VirtualHost *:443>
    ServerName arc.hollis.fun

    DocumentRoot /var/www/arc

    SSLEngine on
    SSLCertificateFile /etc/ssl/cloudflare/origin.pem
    SSLCertificateKeyFile /etc/ssl/cloudflare/origin.key

    <Directory /var/www/arc>
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/arc_ssl_error.log
    CustomLog ${APACHE_LOG_DIR}/arc_ssl_access.log combined
</VirtualHost>

Finally enable the site

sudo a2ensite arc-ssl.conf
sudo systemctl reload apache2

Add the Subdomain to DNS in Cloudflare

Apache now serves the right site for each hostname the tunnel forwards. The last step is the public DNS record: each subdomain needs a proxied CNAME pointing at the tunnel (the target is <tunnel id>.cfargotunnel.com), and cloudflared can create that record for you

cloudflared tunnel route dns <tunnel name> <subdomain>.hollis.fun

To see the names of all available tunnels run

cloudflared tunnel list

Disabling/Enabling the Default Site

sudo a2dissite 000-default.conf
sudo a2ensite 000-default.conf

The first command disables the default site, the second enables it again. Before disabling it, understand what it does: when the Host header of a request matches no ServerName or ServerAlias, Apache answers with the first virtual host loaded for that port, and sites-enabled is read in alphabetical order, which is why the default is named 000-default. With it disabled, that fallback becomes whichever of your own sites sorts first (arc.conf here), so a subdomain that still has a CNAME and an ingress rule but no vhost of its own silently shows another site from the same Apache. Either keep a default site enabled on both 80 and 443 that serves nothing useful, or, when retiring a subdomain, remove all three pieces: the vhost, its ingress rule in config.yml, and its CNAME record. The tunnel's http_status:404 catch-all only protects hostnames that are absent from the ingress list.
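To make the fallback concrete, here is a small model of Apache's vhost selection, added as an example and not part of the original post. The vhost tables are constructed from the layout in this post (including the ServerAlias *.hollis.fun the TLS vhost originally carried, to show what it does); the rule it implements is Apache's: the first vhost in load order whose ServerName or ServerAlias matches the Host header wins, otherwise the first vhost bound to that port answers.

```shell
#!/bin/sh
# Added example, not from the original post: a small model of how Apache picks
# a name-based virtual host, so the fallback behaviour described above can be
# reasoned about without a live server. The rule Apache applies: among the
# vhosts bound to the request's port, the first (in load order) whose
# ServerName or ServerAlias matches the Host header wins; if none matches, the
# first vhost loaded for that port serves the request. sites-enabled is read in
# alphabetical order, which is why the default site is named 000-default.
# The vhost tables below are constructed for the demo.
set -f   # ServerAlias wildcards such as *.hollis.fun must not expand as filenames

# match_name HOST PATTERN: PATTERN is a ServerName or ServerAlias; Apache treats
# '*' in an alias as a wildcard, which the shell's case pattern also does.
match_name() {
    case $1 in
        $2) return 0 ;;
    esac
    return 1
}

# select_vhost TABLE PORT HOST: print the config file Apache would use.
# TABLE has one vhost per line, in load order:
#   <port> <conf> [ServerName [ServerAlias ...]]
select_vhost() {
    port=$2
    host=$(printf '%s' "$3" | sed 's/:[0-9]*$//' | tr 'A-Z' 'a-z')  # Host: may carry a port
    first=""
    while read -r vport conf names; do
        [ "$vport" = "$port" ] || continue
        [ -n "$first" ] || first=$conf        # first vhost on this port is the fallback
        for n in $names; do
            if match_name "$host" "$n"; then
                printf '%s\n' "$conf"
                return 0
            fi
        done
    done <<EOF
$1
EOF
    printf '%s\n' "$first"                    # nothing matched: the default answers
}

# The post's layout with the default sites enabled; arc-ssl carries the
# wildcard alias from the original TLS vhost.
with_default='80 000-default.conf
80 arc.conf arc.hollis.fun
80 blog.conf blog.hollis.fun
443 default-ssl.conf
443 arc-ssl.conf arc.hollis.fun *.hollis.fun
443 blog-ssl.conf blog.hollis.fun'

# After a2dissite of both default sites: arc.conf is now loaded first.
without_default=$(printf '%s\n' "$with_default" | grep -v default)

# The TLS vhost without the wildcard alias.
fixed_alias=$(printf '%s\n' "$with_default" | sed 's/ \*\.hollis\.fun$//')

show() {
    printf '%-16s port %-4s Host: %-16s -> %s\n' "$1" "$2" "$3" "$(select_vhost "$4" "$2" "$3")"
}
show 'with default'    80  blog.hollis.fun "$with_default"     # blog.conf
show 'with default'    80  gone.hollis.fun "$with_default"     # 000-default.conf
show 'without default' 80  gone.hollis.fun "$without_default"  # arc.conf: a dead subdomain shows arc
show 'with default'    443 blog.hollis.fun "$with_default"     # arc-ssl.conf: the wildcard captures blog
show 'with default'    443 gone.hollis.fun "$with_default"     # arc-ssl.conf: and every dead subdomain
show 'fixed alias'     443 blog.hollis.fun "$fixed_alias"      # blog-ssl.conf
show 'fixed alias'     443 gone.hollis.fun "$fixed_alias"      # default-ssl.conf
```

The two middle rows are the ones to take away: without a default site a retired subdomain lands on arc, and with the wildcard alias in place blog.hollis.fun never reaches its own TLS vhost at all, whether or not a default exists.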

Disable directory listings. mod_autoindex generates the "Index of" page for any directory that has no index file; disabling the module turns that off server-wide (to do it per site instead, add Options -Indexes to the site's <Directory> block).

sudo a2dismod autoindex
sudo systemctl reload apache2