
Making sites easier to host

Note: This is another techie post. We will be back to puppy content tomorrow. And yes, I do mean puppies! Dalmatian puppies! Little spotted dogs that bark and wag their tails!

I am running a lot of websites for my friends and family, in addition to myself:

awilcox on kelsey /srv/www $ ls | wc -l
21

So I have devised a system to keep it all easy to manage and maintain.

I have a subdirectory of the Apache configuration directory called sites.d. Inside this, there are two files for each domain hosted:

awilcox on kelsey /etc/apache2/sites.d $ ls | wc -l
42

The first file is named after the domain itself. For example, this is coding.dalmatian.life:

ServerName coding.dalmatian.life
DocumentRoot [path]

<Directory [path]>
	AllowOverride none
	Options +Indexes
	Require all granted
</Directory>

Header set Content-Security-Policy "style-src https:; base-uri 'self'; script-src 'none'; object-src 'none'"
Header set Referrer-Policy "no-referrer-when-downgrade"
Header set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header set X-Content-Type-Options "nosniff"
Header set X-Frame-Options "Deny"
Header set X-XSS-Protection "1; mode=block"

And the second is the same name, but with the TLD replaced with conf. This is coding.dalmatian.conf:

MDomain coding.dalmatian.life

<VirtualHost *:80>
	Include sites.d/coding.dalmatian.life
</VirtualHost>

<VirtualHost *:443>
	SSLEngine on
	Include sites.d/coding.dalmatian.life
</VirtualHost>

You may be asking two questions now:

  1. Why not use VirtualDocumentRoot?
    Because enough domains vary other settings that it wouldn’t save a lot of hassle. For instance, powerpc.dev doesn’t have an HSTS header (even though browsers will typically have it preloaded from the .dev TLD). This is so that older systems that can understand HSTS but not modern TLS (i.e. from before the .dev TLD existed, so before TLS 1.2/1.3) won’t upgrade to HTTPS and become impossible to view.
    Also, because I typically use custom logs for not-me sites, so that the log files are more anonymous in case the friend or family member in question wants to view them. (I don’t want to violate the privacy of anyone on the Web, so I typically scrub IPs, replacing them with a non-reversible UUID.)
  2. Why allow :80?
    There are two reasons. One is so that, if you type the domain raw into the browser, you get the HTTPS redirect. The second is that, on very old clients, you can still access the site. Sites that transact, or have privacy-concerning content, don’t have the same :80 block. (They only have a redirect rule, such as Redirect permanent / https://…/.)
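
As an added example (not the author's own script), here is a small POSIX sh helper that writes both files in the layout described above, plus the redirect-only :80 variant for sites that transact. It assumes the files go under $SITES_D (defaulting to ./sites.d) and reuses the directives and header values from the post; the function name and the "redirect-only" flag are made up for this illustration.

```shell
#!/bin/sh
# Hypothetical helper (not the author's script) that writes the two files the post
# describes into $SITES_D (default ./sites.d). Usage: make_site_conf DOMAIN DOCROOT [redirect-only]
make_site_conf() {
    domain=$1
    docroot=$2
    mode=${3:-plain}        # "redirect-only": sites that transact get no :80 content, just a redirect
    base=${domain%.*}       # TLD replaced with conf: coding.dalmatian.life -> coding.dalmatian.conf
    dir=${SITES_D:-./sites.d}
    mkdir -p "$dir"
    # First file: named after the domain, shared by both vhosts via Include.
    cat > "$dir/$domain" <<EOF
ServerName $domain
DocumentRoot $docroot

<Directory $docroot>
	AllowOverride none
	Options +Indexes
	Require all granted
</Directory>

Header set Content-Security-Policy "style-src https:; base-uri 'self'; script-src 'none'; object-src 'none'"
Header set Referrer-Policy "no-referrer-when-downgrade"
Header set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header set X-Content-Type-Options "nosniff"
Header set X-Frame-Options "Deny"
Header set X-XSS-Protection "1; mode=block"
EOF

    # Second file: the vhosts. :80 either serves the same content (old clients) or only redirects.
    if [ "$mode" = "redirect-only" ]; then
        http_body="	Redirect permanent / https://$domain/"
    else
        http_body="	Include sites.d/$domain"
    fi
    cat > "$dir/$base.conf" <<EOF
MDomain $domain

<VirtualHost *:80>
$http_body
</VirtualHost>

<VirtualHost *:443>
	SSLEngine on
	Include sites.d/$domain
</VirtualHost>
EOF
    printf '%s\n' "$dir/$domain" "$dir/$base.conf"
}
```

Run it as make_site_conf coding.dalmatian.life /srv/www/coding for a normal site, or append redirect-only for one that should never serve content over plain HTTP.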

This all came to my head because I’m helping one of my younger friends set up a site hosted on my server. It’s been a joy to teach him how to use WinSCP and see him making his first pages, just like I did so many years ago.

Tech literacy matters, everyone. I’m quite proud to share both my knowledge and my server resources with my friends. I encourage everyone able to do the same. Indie content, fun content, weird content, beautiful content. The Web deserves more!
