SoraBlog

December 17, 2021 By UnOrdinary

First of all, we need two separate certificates, because normal Certificate Authorities don't support Handshake (HNS) domains, and we don't want to trust Certificate Authorities anyway! For Handshake we have DANE, which is decentralized. So, for your ICANN domain, you can still use a Let's Encrypt certificate, but for your HNS domain, you can use a self-signed certificate anchored with DANE. Follow this step to set up DANE.

BTW Config Time

Apache Config With Macros (mod_macro)

Apache Macros allow you to set up scripted templates to use for hosting all of your websites. Like functions, they can be called with parameters, allowing you the flexibility to set up various scenarios for each website.

Since version 2.4.6 of Apache, the macro module comes loaded by default on most Linux distributions. To make sure your installation of Apache has the macro module loaded, run the following command (on Debian-based systems it enables the module, or reports that it is already enabled):

a2enmod macro

Macro Examples

Here are two examples of macros I created for HTTP and HTTPS:

HTTP

Edit 000-default.conf

<Macro VHostHTTP $host>
<VirtualHost *:80>
	ServerName $host

	Redirect "/" "https://$host/"
</VirtualHost>
</Macro>

# VHostHTTP	$host
Use VHostHTTP	google.com
Use VHostHTTP	google.hns

HTTPS

Edit default-ssl.conf

# SSL Cert For ICANN Domain. With Let's Encrypt Certificates.
<Macro IcannSSL>
	SSLCertificateFile /etc/ssl/letsencrypt/certificate.crt
	SSLCertificateKeyFile /etc/ssl/letsencrypt/private.key
</Macro>

# SSL Cert For Handshake Domain. With Self-Signed Certificates.
<Macro HandshakeSSL>
	SSLCertificateFile /etc/ssl/Handshake/certificate.crt
	SSLCertificateKeyFile /etc/ssl/Handshake/private.key
</Macro>

<Macro VHostHTTPS $host $dir $ssl>
<VirtualHost *:443>
	ServerName $host
	DocumentRoot "$dir"

	SSLEngine on
	Use $ssl
</VirtualHost>
</Macro>

# VHostHTTPS	$host		$dir		$ssl
Use VHostHTTPS	google.com	/var/www/google	IcannSSL
Use VHostHTTPS	google.hns	/var/www/google	HandshakeSSL

The HTTPS macro takes three parameters, while the HTTP macro takes only the first one. They are:

  • $host - the hosted domain name of the VirtualHost
  • $dir - the root directory of the website served by the VirtualHost
  • $ssl - the name of the macro holding the SSL cert we want to use in the VirtualHost

The takeaway from using macros in your Apache configuration is that it simplifies setup, and your configuration files become less prone to errors. Macros can be used not only in a development environment but also in a production environment. You are only limited by your server configuration and imagination. For more information, check out the official Apache docs.

NGINX Config

Edit nginx.conf

# Redirect HTTP To HTTPS
server {
	listen 80;
	listen [::]:80;
	server_name google.com google.hns;

	return 308 https://$host$request_uri;
}

# ICANN Domain with Let's Encrypt Certificates.
server {
	listen 443 ssl;
	listen [::]:443 ssl;
	server_name google.com;

	root /var/www/google;

	ssl_certificate /etc/ssl/letsencrypt/certificate.crt;
	ssl_certificate_key /etc/ssl/letsencrypt/private.key;
}

# Handshake Domain with Self-Signed Certificates.
server {
	listen 443 ssl;
	listen [::]:443 ssl;
	server_name google.hns;

	root /var/www/google;

	ssl_certificate /etc/ssl/Handshake/certificate.crt;
	ssl_certificate_key /etc/ssl/Handshake/private.key;
}
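The Handshake server block is only authenticated if the certificate it serves matches the TLSA record published for the name. The shell script below is an added example, not part of the original post: it derives a `3 1 1` TLSA record (DANE-EE, public key, SHA-256) from a certificate and refuses to print a hash when the certificate cannot be read. The `3 1 1` parameters, the function names and the throwaway sample certificate are assumptions (the DANE guide the post links to may use other parameters), and OpenSSL 1.1.1 or newer is assumed.

```shell
#!/bin/sh
# Added example: derive the DANE TLSA record for a certificate's public key.
# Assumes OpenSSL 1.1.1 or newer and the "3 1 1" parameter set.

# spki_sha256 CERT_PEM
# Hex SHA-256 of the certificate's SubjectPublicKeyInfo (TLSA selector 1).
# Fails instead of hashing empty input when the certificate is unreadable.
spki_sha256() {
  pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  printf '%s\n' "$pub" |
    openssl pkey -pubin -outform DER |
    openssl dgst -sha256 -binary |
    od -An -tx1 | tr -d ' \n'
}

# tlsa_record CERT_PEM HOST [PORT]
# Zone-file style record: usage 3 (DANE-EE), selector 1 (SPKI), type 1 (SHA-256).
tlsa_record() {
  hash=$(spki_sha256 "$1") || return 1
  printf '_%s._tcp.%s. IN TLSA 3 1 1 %s\n' "${3:-443}" "$2" "$hash"
}

# make_sample_cert DIR HOST
# Constructed throwaway key and self-signed certificate, for the demo only.
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
    -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
    -keyout "$1/private.key" -out "$1/certificate.crt" 2>/dev/null
}

# With arguments: print the record for a real certificate, e.g.
#   sh tlsa.sh /etc/ssl/Handshake/certificate.crt google.hns
# Without arguments: run against a constructed sample certificate.
main() {
  if [ "$#" -ge 2 ]; then
    tlsa_record "$@"
    return
  fi
  tmp=$(mktemp -d) || return 1
  make_sample_cert "$tmp" google.hns &&
    tlsa_record "$tmp/certificate.crt" google.hns
  rm -rf "$tmp"
}

main "$@"
```

Because selector 1 hashes only the public key, re-issuing the self-signed certificate from the same private.key leaves the published record valid; a new key needs a new record published before the server starts using it.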

Modified: December 19, 2021