Jeremy Davis's picture

  1. The certificate (and key) are what "owns" the domain. That is why it is super important that you do not allow the key to fall into the hands of anyone else (you need both the cert and the key).

    So even if your server has a valid certificate, if you browse to it via a different domain (e.g. if you have DNS configured to point an additional domain to the same server, such as a reverse proxy), or even via an IP address using HTTPS, you will get a warning (the certificate that it provides doesn't match the address you're using).

    So yes, simply copying it across is fine (FWIW, by default, we bundle the cert and key into the same file, but they are also available separately). So long as you have the configuration correct, then it should "just work".

  2. I don't have any sample config, but it's super simple. Just have the backend server redirect to plain HTTP and use "http://" stanzas within the reverse proxy... Again, it should "just work".

    The reference to URL spoofing is because when using vanilla HTTP (i.e. not HTTPS) there is absolutely no guarantee that the server is what it says it is (HTTPS provides that guarantee). A malicious actor can easily do a "man in the middle" attack (i.e. pretend to be the server you want to connect to and harvest the traffic).

  3. If you want to host multiple sites on a single server, then what you want to read about is "name-based hosting".

    It's worth noting that that's essentially what a reverse proxy does. The difference is that the reverse proxy hands the traffic off to another server. Also FYI, whilst lots of people rave about Nginx, IMO Apache is the easiest web server to work with for this stuff (especially if you have no shortage of resources - it tends to be a bit "heavier" than Nginx).

    Here's the relevant Apache doc page and here are some examples (again from the Apache docs).

Regardless, I get you with your comment on having a reverse proxy and multiple separate servers. The reverse proxy is still a single point of failure, but the added redundancy of separate servers is good IMO.

FYI I use Proxmox VE as my server "lab" host. It's also Debian based and has a pretty web UI, plus a powerful CLI. It includes other features too that I don't use (such as clustering) but it works awesome for my needs.

One of the beauties of it, IMO, is that it supports/provides KVM (for "proper" VMs, including alternate OSes such as Windows) and LXC (container-based hosting, which has extremely low overhead). LXC is awesome IMO; you get most of the advantages of a VM with virtually no overhead (i.e. LXC containers run at near-native hardware performance). TurnKey containers are actually available to download from within the PVE UI too! :) Or you can install from ISO if you want a "proper" VM. For my TurnKey development, I run multiple instances of TKLDev on KVM (i.e. installed from ISO).
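Editor's note: the post above describes three things (the cert/key pair owning a name, proxying to plain-HTTP backends, and name-based hosting) without showing any configuration. The following Apache 2.4 config is an added example, not the poster's or TurnKey's own config; it puts all three together on one TLS-terminating reverse proxy. The hostnames app1.example.com / app2.example.com, the backend addresses 10.0.0.11 / 10.0.0.12 and the certificate paths are placeholders.

```apache
# Added example (not from the post). Requires mod_ssl, mod_proxy,
# mod_proxy_http, mod_headers and mod_rewrite (a2enmod ssl proxy proxy_http headers rewrite).

# Port 80 only redirects to HTTPS; no content is served over plain HTTP,
# so nothing sensitive is exposed to the "man in the middle" described in point 2.
<VirtualHost *:80>
    ServerName  app1.example.com
    ServerAlias app2.example.com
    RewriteEngine On
    # Preserve the requested host and path in the redirect
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

# Name-based host 1: Apache picks this block from the SNI/Host name the
# client sent, so the certificate it presents must list app1.example.com
# in its SAN, or the browser warns as described in point 1.
<VirtualHost *:443>
    ServerName app1.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/app1.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/app1.example.com.key
    # With a combined cert+key file (as the post says TurnKey ships by default),
    # Apache 2.4.8+ accepts it via SSLCertificateFile alone; the key file is
    # what "owns" the name, so keep it root-only (mode 0600).

    # Backend speaks plain HTTP on the internal network (point 2).
    ProxyPreserveHost On
    ProxyPass        / http://10.0.0.11/
    ProxyPassReverse / http://10.0.0.11/
    # Tell the backend the client arrived over HTTPS so it does not
    # generate http:// redirects or mark cookies as insecure.
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>

# Name-based host 2: same front end, different name, different backend.
<VirtualHost *:443>
    ServerName app2.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/app2.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/app2.example.com.key

    ProxyPreserveHost On
    ProxyPass        / http://10.0.0.12/
    ProxyPassReverse / http://10.0.0.12/
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
```

The proxy-to-backend leg is plain HTTP, so it only stays safe while that leg is confined to a network the proxy and backends trust (a private bridge on the PVE host, for example); anything that can sniff or inject on that segment is in the same position as the "man in the middle" the post warns about on the public side.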