A virtual host (vhost) is a term used in web server administration to refer to the ability of a web server to serve multiple websites or domains on the same physical server.
A virtual host works by using the HTTP Host header in the request to determine which website or domain the request is intended for. The web server then serves the appropriate content for that website or domain.
For example, if you have a web server running on your computer, and you want to serve two different websites, example.com and example.net, you can create two virtual hosts in the web server configuration. Each virtual host would be configured to serve a different set of files, and the web server would use the HTTP Host header to determine which virtual host to use for each request.
Virtual hosting is a key feature of modern web servers, as it allows a single server to host multiple websites or domains, reducing the cost and complexity of web hosting.
To make a virtual host (vhost) configuration for Nginx that is ready for production use with HTTPS and includes all security headers, you can follow these steps:
Obtain an SSL/TLS certificate for your domain from a trusted certificate authority (CA) such as Let's Encrypt, and install it on your server. This can be done using the Certbot tool or another ACME client.
Create a new Nginx configuration file for your virtual host in the /etc/nginx/conf.d/ directory. For example, you can create a file named example.com.conf. Add the following server block to the configuration file, replacing example.com with your own domain name:
```nginx
server {
    listen 80;
    listen [::]:80;
    server_name example.com;
    # Redirect every plain-HTTP request to the HTTPS server block below
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com;

    # SSL/TLS configuration
    ssl_certificate /path/to/your/certificate;
    ssl_certificate_key /path/to/your/private/key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # Security headers. "always" makes Nginx send the header on error
    # responses (4xx/5xx) as well, not only on 2xx/3xx. A location block
    # that declares its own add_header does not inherit these; repeat
    # them in that location if needed.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options SAMEORIGIN always;
    # Legacy header: Chromium and Firefox no longer act on it
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    # Location blocks
    location / {
        # Your application configuration goes here
    }
    # Other location blocks go here
}
```
In the SSL/TLS configuration block, replace /path/to/your/certificate and /path/to/your/private/key with the paths to your SSL/TLS certificate and private key files. The SSL/TLS configuration block uses modern ciphers that provide strong encryption and forward secrecy. You can customize the ssl_ciphers parameter to match your security requirements.

The add_header directives add the recommended security headers to the server response. You can customize these headers as needed.

In the location block, configure your application to handle requests for the domain.

Save the configuration file and test it for syntax errors by running the command sudo nginx -t. If there are no syntax errors, reload Nginx by running the command sudo systemctl reload nginx.
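As an added example (not code from the original page), a small Python checker that parses a raw HTTP response and verifies the headers the vhost above sets: HSTS with a one-year max-age and includeSubDomains, nosniff, a restrictive X-Frame-Options, and a Referrer-Policy. The two responses are constructed samples: a 200 from the vhost as written, and a 404 from a vhost whose add_header lines lack "always"; X-XSS-Protection is not checked because current browsers do not act on it.

```python
"""Check the security headers the vhost sets on a raw HTTP response (constructed samples below)."""
HSTS_MIN_AGE = 31536000  # one year, the max-age the vhost uses

def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status code, {lowercase name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status_line.split()[1]), headers

def check_headers(raw: bytes) -> list:
    """Return findings as 'status: problem' strings; an empty list means pass."""
    status, h = parse_response(raw)
    findings = []
    # An absent HSTS header yields max-age 0 and no includeSubDomains below.
    directives = {d.strip().lower() for d in h.get("strict-transport-security", "").split(";")}
    max_age = 0
    for d in directives:
        if d.startswith("max-age=") and d[8:].isdigit():
            max_age = int(d[8:])
    if max_age < HSTS_MIN_AGE:
        findings.append(f"HSTS max-age {max_age} is below {HSTS_MIN_AGE}")
    if "includesubdomains" not in directives:
        findings.append("HSTS lacks includeSubDomains")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or permissive")
    if "referrer-policy" not in h:
        findings.append("missing Referrer-Policy")
    return [f"{status}: {f}" for f in findings]

# Constructed sample: a 200 from the vhost above, every add_header with "always".
OK_RESPONSE = b"\r\n".join([
    b"HTTP/1.1 200 OK", b"Content-Type: text/html",
    b"Strict-Transport-Security: max-age=31536000; includeSubDomains; preload",
    b"X-Content-Type-Options: nosniff", b"X-Frame-Options: SAMEORIGIN",
    b"X-XSS-Protection: 1; mode=block",
    b"Referrer-Policy: strict-origin-when-cross-origin", b"", b"<html></html>"])
# Constructed sample: a 404 from a vhost where only the HSTS add_header carried
# "always", so Nginx dropped the other headers on this error response.
NOT_FOUND_RESPONSE = b"\r\n".join([
    b"HTTP/1.1 404 Not Found", b"Content-Type: text/html",
    b"Strict-Transport-Security: max-age=31536000; includeSubDomains; preload",
    b"", b"<html>404</html>"])
```

Run check_headers over responses captured for both a normal page and a deliberately missing path; findings on the error response usually mean a missing "always" or an add_header inside a location that shadowed the server-level ones.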
To configure the location / block to serve static files and pass all other requests to a backend server:
```nginx
location / {
    # Serve static files directly (assumes root is set in the server block):
    # if $uri or the directory $uri/ exists on disk, Nginx serves it;
    # otherwise the request falls through to the named location below.
    # A trailing =404 here would return 404 instead of reaching the backend,
    # and a proxy_pass in this same location would proxy even files found.
    try_files $uri $uri/ @backend;
}

# Pass all other requests to a backend server
location @backend {
    proxy_pass http://backend-server;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    # Appends to any X-Forwarded-For the client sent; the backend should
    # trust only the last (Nginx-added) address in the list
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
```

The try_files directive tells Nginx to look for the requested path as a file or directory on disk and serve it directly when it exists; when nothing matches, the request is handed to the named @backend location. This is a common way to serve static files from the server. The proxy_pass directive tells Nginx to pass all other requests to the specified backend server. The proxy_set_header directives set the Host, X-Real-IP, and X-Forwarded-For headers, which are commonly used by backend applications to identify the client and the original request.