VPS, DNS and Apache: how to create a subdomain for a new web service

If you bought a VPS and are already running your website on it, you may also want to install a self-hosted web service, such as a git server or a cloud server to store your data.

For example, you would like to run Gogs, but you don't know how to set up a separate folder on your VPS to host the service.

First of all, you have to set up a new A record in the DNS zone from your admin panel. For example, if you are on OVH, the DNS zone should be under “Web > Domains > ‘mydomain’ > DNS Zone”. Inside this zone, create a new A record (“Add an entry” button) pointing your new subdomain (mynewservice.mydomain.com) to your IPv4 address (or to your IPv6 address if you want to set up an AAAA record).

After a while, the new subdomain will have propagated across the DNS and you will be able to reach it.

Now let’s continue setting up your new service. The next step is to install the service on your VPS (if you haven’t already). If you would like to run a self-hosted git service like Gogs, you could follow this guide. After the installation, you should have a public folder on your VPS where the new service is running, for example /home/myuser/publicservice/, depending on the particular installation of the new application.

We now have to expose the service on our VPS to the outside world through the subdomain that we created earlier. To do this we need the help of the web server (Apache, Nginx etc…).

We are now going to tell Apache how requests for our new subdomain should be directed to /path/to/new/service.

The Apache configuration folder is usually /etc/apache2, so move into its sites-available subfolder:

$ cd /etc/apache2/sites-available

Then we have to create a new VirtualHost in this way:

$ sudo vim mynewservice.mydomain.com.conf

Copy and edit the following snippet:

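<IfModule mod_rewrite.c>
	# Server-level rewrite rule; the VirtualHosts below do not inherit it
	# unless RewriteOptions Inherit is set
	RewriteEngine on
	RewriteRule ^/$ / [R]
</IfModule>

<IfModule mod_ssl.c>
# Plain HTTP: only redirects every request to HTTPS
<VirtualHost *:80>
	ServerName mynewservice.mydomain.com
	DocumentRoot /absolute/path/to/service
	Redirect permanent / https://mynewservice.mydomain.com/
</VirtualHost>

# HTTPS: serves the application
<VirtualHost *:443>
	ServerAdmin admin@localhost

	# Uncomment and complete these if the service listens on its own port
	#ProxyPreserveHost On
	#ProxyPass /
	#ProxyPassReverse /

	DocumentRoot /absolute/path/to/service
	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined
	ServerName mynewservice.mydomain.com
	ServerAlias mynewservice.mydomain.com
	AccessFileName .htaccess

	<Directory /absolute/path/to/service>
		Options FollowSymLinks
		AllowOverride All
		# Apache 2.4 syntax, replaces "Order allow,deny" / "allow from all"
		Require all granted
	</Directory>

	# TLS settings and certificate files generated by Let's Encrypt
	Include /etc/letsencrypt/options-ssl-apache.conf
	SSLCertificateFile /etc/letsencrypt/live/mynewservice.mydomain.com/fullchain.pem
	SSLCertificateKeyFile /etc/letsencrypt/live/mynewservice.mydomain.com/privkey.pem
</VirtualHost>
</IfModule>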

Remember then to enable it and restart Apache, running:

$ sudo a2ensite mynewservice.mydomain.com.conf
$ sudo systemctl restart apache2

The a2ensite command enables a VirtualHost by creating a symbolic link inside the /etc/apache2/sites-enabled folder. Use the a2dissite command instead if you want to disable a VirtualHost:

$ sudo a2dissite mynewservice.mydomain.com.conf

The last thing to do is to generate an SSL certificate for this new subdomain (the previous configuration uses port 443 with mod_ssl, which lets Apache speak HTTPS); without one, the browser will show a certificate error page.

A very easy way to get a certificate, and with it your green lock, is to use Let’s Encrypt (a free, automated, and open Certificate Authority) and, in particular, Certbot. Go to the Certbot website, choose Apache (or your web server) and the operating system of your VPS, and follow the instructions on how to generate the certificate.

If you want to generate a certificate for all subdomains via DNS you can run this command:

$ sudo ./certbot-auto certonly --manual --preferred-challenges=dns --server https://acme-v02.api.letsencrypt.org/directory --agree-tos

and follow the wizard. When it asks for the domains, remember to type both your domain and the wildcard.

Please note that with this command you are requesting 2 types of certificates for 2 different types of domain (-d option): one for the wildcard (all the third-level domains) and another one for your main domain.

This means that the wildcard certificate will not be valid if your webserver is serving the website as https://mydomain.tld instead of https://myservice.mydomain.tld.
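The coverage rule behind this note, as an added example that is not part of the original post: a small shell check of which hostnames a certificate's name list covers, where a wildcard stands for exactly one left-most label. The function names and git.dev.mydomain.tld are constructed for illustration.

```shell
#!/bin/sh
# Added example (constructed names): which hostnames does a certificate's
# name list cover? Rule applied: "*" is accepted only as the whole left-most
# label and stands for exactly one label; anything else must match exactly.

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# name_matches HOST CERTNAME -> exit status 0 if CERTNAME covers HOST
name_matches() {
    host=$(lower "$1"); pat=$(lower "$2")
    case "$pat" in
        \*.*)
            suffix=${pat#\*}                 # e.g. ".mydomain.tld"
            case "$host" in
                *"$suffix") label=${host%"$suffix"} ;;
                *) return 1 ;;               # apex or unrelated domain
            esac
            [ -n "$label" ] || return 1
            case "$label" in *.*) return 1 ;; esac   # more than one label
            return 0 ;;
        *) [ "$host" = "$pat" ] ;;
    esac
}

# uncovered "CERTNAMES" "HOSTS" -> prints the hosts that no certificate name covers
uncovered() {
    set -f          # certificate names contain "*": keep the shell from globbing
    out=""
    for h in $2; do
        ok=no
        for s in $1; do
            if name_matches "$h" "$s"; then ok=yes; break; fi
        done
        [ "$ok" = yes ] || out="$out $h"
    done
    set +f
    printf '%s\n' "${out# }"
}

SITES="mydomain.tld mynewservice.mydomain.tld git.dev.mydomain.tld"
echo "wildcard only:   $(uncovered '*.mydomain.tld' "$SITES")"
echo "wildcard + apex: $(uncovered '*.mydomain.tld mydomain.tld' "$SITES")"
```

With only the wildcard, both the main domain and the fourth-level name are left uncovered; adding the main domain as a second name fixes the first but not the second.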

Or, for non-wildcard certificates, you can simply run the Apache plugin wizard:

$ sudo ./certbot-auto --apache

An email will be sent when the certificate is close to the expiration date.

To manually renew non-wildcard certificates, run the command:

$ sudo ./certbot-auto certonly

and follow the wizard. Otherwise, if you want to renew automatically (e.g. in a cron job), you can first simulate a renewal with the following command:

$ sudo ~/certbot-auto renew --dry-run

and if it succeeds you can create a cron job in the following way (at 12:00 on Sunday):

$ crontab -e
> 00 12 * * 0 ~/certbot-auto renew

Note that “renew” isn’t an interactive command.

To list all the certificates:

$ sudo ./certbot-auto certificates

The entire process is not obvious if you are trying this for the first time, but the second time will be easier. The steps will be the same:

  • Create a subdomain pointing to your IP address (or CNAME) in your DNS dashboard
  • Install the application you want
  • Create a VirtualHost redirecting the traffic to the new application public folder
  • Enable SSL on the new subdomain

I hope I helped you to deploy a new web application. Ask me about anything else.


This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.