In 2008 we decided that should work again (well, for www and ssh traffic).

Originally we did this by pointing it at deathray, using jumpgate to forward the ssh traffic to login, and using apache to re-write www onto the addresses. This worked great, but because the ssh traffic was coming via deathray it wasn't caught by fail2ban.

So, is now an A record for (the service IP for login). For the www subdomain traffic, Apache is installed on azazel. Apache redirects all traffic to the www subdomain:

redirect 301 /


We have a wildcard cert from rapidssl to cover all our subdomains, but this doesn't include, so we have certbot set up on azazel to use Let's Encrypt for and certbot lives in /local/usr/sbin and has a cron job set to run at 02:30 and 14:30 every day. It logs to /var/log/le-renew.log.

External docs