Apache/NGINX with HNS + ICANN Domain

Posted By Sora On December 17, 2021

How To Configure Apache/NGINX for switching TLS certs by domain name for HNS + ICANN dual name support

First of all, we need two separate certificates, because normal Certificate Authorities don't support Handshake (HNS) domains, and we don't want to trust Certificate Authorities anyway! We have DANE (for Handshake), which is decentralized. So for your ICANN domain you can still use a Let's Encrypt certificate, but for your HNS domain you can use a self-signed certificate anchored with DANE. Follow this step to set up DANE.

BTW Config Time

Apache Config With Macros (mod_macro)

Apache Macros allow you to set up scripted templates to use for hosting all of your websites. Like functions, they can be called with parameters allowing you the flexibility to set up various scenarios for each website.

Since version 2.4.6 of Apache, the macro module comes loaded by default on most Linux distributions. To make sure the macro module is enabled on your installation of Apache, run the following command (a2enmod, available on Debian/Ubuntu, enables the module or tells you it is already enabled):

a2enmod macro

Macro Examples

Here are two examples of macros I created for HTTP and HTTPS

HTTP

Edit 000-default.conf

<Macro VHostHTTP $host>
<VirtualHost *:80>
    ServerName $host

    Redirect "/" "https://$host/"
</VirtualHost>
</Macro>

# VHostHTTP	$host
Use VHostHTTP	google.com
Use VHostHTTP	google.hns

HTTPS

Edit default-ssl.conf

# SSL Cert For ICANN Domain. With Let's Encrypt Certificates.
<Macro IcannSSL>
    SSLCertificateFile /etc/ssl/letsencrypt/certificate.crt
    SSLCertificateKeyFile /etc/ssl/letsencrypt/private.key
</Macro>

# SSL Cert For Handshake Domain. With a Self-Signed Certificate.
<Macro HandshakeSSL>
    SSLCertificateFile /etc/ssl/Handshake/certificate.crt
    SSLCertificateKeyFile /etc/ssl/Handshake/private.key
</Macro>

<Macro VHostHTTPS $host $dir $ssl>
<VirtualHost *:443>
    ServerName $host
    DocumentRoot "$dir"

    SSLEngine on
    Use $ssl
</VirtualHost>
</Macro>

# VHostHTTPS	$host		$dir		$ssl
Use VHostHTTPS	google.com	/var/www/google	IcannSSL
Use VHostHTTPS	google.hns	/var/www/google	HandshakeSSL

I have passed three parameters to the HTTPS macro, and only one ($host) to the HTTP macro. They are:

  • $host - used to identify the hosted domain name of the VirtualHost
  • $dir - the root directory of the Website serving the VirtualHost, and
  • $ssl - used to identify which SSL cert we want to use in VirtualHost

The takeaway from using macros in your Apache configuration is that not only are they simple to set up, but your configuration files also become less prone to errors. Macros can be used not only in a development environment but also in a production environment. How you set up your macros in your Apache configuration files is limited only by your server configuration and your imagination.

For more info, check out the official Apache docs.

NGINX Config

Edit nginx.conf

# Redirect HTTP To HTTPS
server {
    listen 80;
    listen [::]:80;
    server_name google.com google.hns;
 
    return 301 https://$host$request_uri;
}

# ICANN Domain with Let's Encrypt Certificates.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name google.com;

    root /var/www/google;

    ssl_certificate /etc/ssl/letsencrypt/certificate.crt; 
    ssl_certificate_key /etc/ssl/letsencrypt/private.key;
}

# Handshake Domain with a Self-Signed Certificate.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name google.hns;

    root /var/www/google;

    ssl_certificate /etc/ssl/Handshake/certificate.crt; 
    ssl_certificate_key /etc/ssl/Handshake/private.key;
}
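
The self-signed certificate only works for HNS visitors if the TLSA record published for the name matches the key the server actually presents. The following is an added example (not part of the original guide) that derives that record from the certificate file using only the Python standard library. It assumes a `3 1 1` TLSA record (DANE-EE, SubjectPublicKeyInfo, SHA-256) and reuses the guide's sample name and path; the function names are my own.

```python
import hashlib
import ssl
import sys


def read_tlv(buf, pos):
    """Return (tag, value_start, end) for the DER element starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length


def spki_from_cert(der):
    """Return the raw SubjectPublicKeyInfo TLV from a DER X.509 certificate."""
    _, pos, _ = read_tlv(der, 0)           # outer Certificate SEQUENCE
    _, pos, tbs_end = read_tlv(der, pos)   # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                        # optional [0] version (absent in v1 certs)
        pos = end
    for _ in range(5):                     # serial, sigAlg, issuer, validity, subject
        _, _, pos = read_tlv(der, pos)
    tag, _, end = read_tlv(der, pos)
    if tag != 0x30 or end > tbs_end:
        raise ValueError("SubjectPublicKeyInfo not found")
    return der[pos:end]                    # header + body, exactly what DANE hashes


def tlsa_311(der):
    """Hex SHA-256 of the SPKI: the data field of a '3 1 1' TLSA record."""
    return hashlib.sha256(spki_from_cert(der)).hexdigest()


def tlsa_record(name, der, port=443):
    """Zone-file line for the TLSA record (assumed record layout: 3 1 1)."""
    return f"_{port}._tcp.{name}. IN TLSA 3 1 1 {tlsa_311(der)}"


if __name__ == "__main__":
    # usage: python3 tlsa.py google.hns /etc/ssl/Handshake/certificate.crt
    name, path = sys.argv[1], sys.argv[2]
    with open(path) as f:
        der = ssl.PEM_cert_to_DER_cert(f.read())
    print(tlsa_record(name, der))
```

Because the hash covers only the public key, the record stays valid when the certificate is re-issued with the same private key, and must be republished whenever the key in /etc/ssl/Handshake/private.key is replaced.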