A lot of times I've seen questions about how this works when you have multiple nodes or a CDN; it can be quite tricky in theory if you have random IPs or several IPs.
The way certbot works, at least for non-DNS challenges, is that it will hit a random server that the name resolves to; you have no control over which one it hits.
If certbot hits node 1 first to tell it to create the well-known file, then checks node 2 or any other node, you will find authorization fails.........
If you run nginx behind a CDN, you will by default see the proxy/CDN IP instead of the real client.
Edit the global http { block of nginx.conf and add this:
# 1. Specify the IP address of your trusted proxy/load balancer
set_real_ip_from 1.2.3.4;
set_real_ip_from 5.2.3.4;
# 2. Specify which header contains the real client IP
real_ip_header X-Forwarded-For;........
The client needs a new connection for this request as the requested host name does not match the Server Name Indication (SNI) in use for this connection.
Before reading this, I assume you've done all the proper troubleshooting and you are 100% sure the CDN and backend server are configured correctly.
This can often happen........
Add this to your Apache config:
LoadModule log_forensic_module modules/mod_log_forensic.so
Restart Apache
Set the location of the forensic log.
ForensicLog /var/log/apache2/forensic.log
Here is an example of an entry in forensic:
+16831:68ca525e:3c5|GET /some/url HTTP/1.1|sec-fetch-dest:document|user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15........
We've had clients asking why their CDN is not working; it is often a PHP setting that causes the below header to be sent:
expires: Thu, 19 Nov 1981 08:52:00 GMT
Solution: Edit your /etc/php.ini
Set the option below to be empty. The default is generally nocache, which results in sending the expires header from 1981.
session.cache_limiter =
Here is what the man says about th........
Your frontend CDN (e.g. Cloudflare, or even your own load balancer/proxy) must be sending the X-Forwarded-For header, and you must be running Apache on the backend.
This solves the problem where your logs and services only see the proxy/CDN IP and not the real client IP.
mod_remoteip is the most modern and currently working solution.
Step 1.) Enable remoteip
a2enmod remoteip
Step 2.) Edit/Enable the correct config
Edit t........
HAProxy is one of the best-known and most widely used open source load balancers out there and a strong competitor to nginx.
HAProxy is used by many large sites, per Wikipedia:
HAProxy is used by a number of high-profile websites including GoDaddy, GitHub,........