Nginx
Araik, 2019-10-10 00:33:13

How to properly configure nginx for multiple sites with SSL on the same IP?

Good afternoon, tell me how to properly configure Nginx with the following setup:
One www directory for all sites, i.e. all sites run on one CMS located in var/www/html.
Many domains: about 10 at the moment, potentially tens to hundreds.
Domains can be with or without SSL.

  1. Is it possible to somehow dynamically pick up certificates if they are in a certain directory, or do they need to be registered separately for each domain?
  2. Maybe you can do something so that the configuration file is not so huge, include settings from a specific folder in which to add settings for domains?
  3. Maybe you can somehow configure it so that when adding a site (domain) it was not necessary to edit the config file?

Ubuntu 18.04
Nginx version: nginx/1.14.0 (Ubuntu)
built with OpenSSL 1.1.1 11 Sep 2018
TLS SNI support enabled
This is what the config looks like now:
server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;

        # SSL configuration
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;
        server_name _;

        set $sathost $host;
        if ($host ~ ^(www\.)?(.+)$) {
                set $sathost $2;
        }

        ssl_certificate /var/crt/$sathost/certificate.crt;
        ssl_certificate_key /var/crt/$host/certificate.key;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;

        keepalive_timeout 60;
        add_header Strict-Transport-Security 'max-age=604800';
        root /var/www/html;
        index index.php index.html index.htm index.nginx-debian.html;
        location / {
                try_files $uri $uri/ =404;
        }
        location ~ \.php$ {
                include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
                fastcgi_param HTTPS on;
        }

        location ~ /\.ht {
                deny all;
        }
}

Neither $sathost, nor $host, nor $server_name works in the path to the certificates; each gives an error:
nginx: [emerg] SSL_CTX_use_PrivateKey_file("/var/crt/$host/certificate.key") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/var/crt/$host/certificate.key','r') error:20074002:BIO routines:file_ctrl:system lib error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib)
nginx: configuration file /etc/nginx/nginx.conf test failed

UPDATE
You cannot use variables in every directive. ssl_certificate is treated as a literal string and is one of many directives where variables are not supported.

Actually, this solution doesn't seem to work.


3 answer(s)
NillR, 2019-10-10
@NillR

> Maybe you can somehow configure it so that when adding a site (domain) it was not necessary to edit the config file?
There is a fork of nginx, OpenResty, with some added features; I even remember there was lua-resty-auto-ssl for it, which, on the first access to a domain, briskly went off for the certificate and generated it. Was useful before LE started issuing wildcards.
Now it's easier to make wildcards for all your second-level domains and use them on all third-level domains.
> Ubuntu 18.02
This doesn't happen. Ubuntu comes in .04 and .10; once (in 2006) it was .06.
> Nginx version: nginx/1.14.0 (Ubuntu)
It is recommended to use either the current stable or even the current mainline. There is a repository from the developers. The distribution's version is old. But that's just a tip.

Mysterion, 2019-10-10
@Mysterion

1) You can. But it's better to statically write the path to each certificate for each domain. You can use the $server_name variable in the path to the certificate. But if the certificate is not there, nginx will not start.
2) You can.
3) You can. You can make the host the default, and then all domains that were not added to the server will go where the default host leads, i.e. as if addressed by IP. But then SSL will not work for them. Although you can try to pick them up dynamically, see point 1.
Make one wildcard certificate for all domains. You can hang 100 domains on one certificate in Let's Encrypt, and if you buy a paid one, then 240.
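
The question's items 2 and 3 (include per-domain settings from a folder, add a site without editing the main config) and points 2 and 3 of the answer above can be covered by generating the per-domain server blocks from the certificate directory instead of writing variables into ssl_certificate. The script below is an added example, not the questioner's config or any project's code: it walks the /var/crt/<domain>/ layout from the question, writes one HTTPS server block per domain that has both a certificate and a key into an output directory, and the main nginx.conf only needs a single `include <out>/*.conf;`. Domains with a missing file are skipped rather than written, so `nginx -t` keeps passing and the site simply stays on the existing plain-HTTP default_server. The output directory, the snippet file name and the web-root argument are assumptions. For context, nginx 1.14 reads the ssl_certificate path literally, which is exactly the emerg error in the question; nginx 1.15.9 and later accept variables such as $ssl_server_name there, but the file is then read on every handshake and a missing file only shows up as a failed handshake at runtime instead of at config test, which is why literal generated paths are the more predictable choice.

```shell
#!/bin/sh
# Added example, not the questioner's config or any project's code.
# Generates one HTTPS server block per domain from the certificate layout
# in the question: <root>/<domain>/certificate.crt + certificate.key.
# Domains with an incomplete keypair are skipped, so nginx never refuses to
# start over a missing file; they stay on the plain-HTTP default_server.
# The output directory, snippet name and web root are assumptions.

CERT_NAME="certificate.crt"
KEY_NAME="certificate.key"

# Print the name of every subdirectory of $1 that holds a complete keypair.
domains_with_certs() {
    for d in "$1"/*/; do
        d="${d%/}"
        if [ -f "$d/$CERT_NAME" ] && [ -f "$d/$KEY_NAME" ]; then
            printf '%s\n' "${d##*/}"
        fi
    done
    return 0
}

# The part shared by every site: one web root and one CMS for all domains
# (taken from the question's config).  HTTPS is passed to PHP from $https
# instead of a hard-coded "on", so the app is not told a plain request was TLS.
emit_common_snippet() {
    printf 'root %s;\n' "$1"
    cat <<'EOF'
index index.php index.html index.htm;

location / {
    try_files $uri $uri/ =404;
}

location ~ \.php$ {
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
    fastcgi_param HTTPS $https if_not_empty;
}

location ~ /\.ht {
    deny all;
}
EOF
}

# One HTTPS server block for domain $1; $2 is the certificate root, $3 the
# absolute path of the common snippet.  Paths are literal, so nginx -t checks them.
emit_ssl_block() {
    cat <<EOF
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name $1 www.$1;

    ssl_certificate     $2/$1/$CERT_NAME;
    ssl_certificate_key $2/$1/$KEY_NAME;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    add_header Strict-Transport-Security 'max-age=604800' always;

    include $3;
}
EOF
}

# Write <out>/<domain>.conf for every domain under <root> with a keypair,
# plus <out>/common-site.inc (the .inc extension keeps it out of the *.conf
# glob).  nginx.conf then needs a single line:  include <out>/*.conf;
generate() {
    root="$1"; out="$2"; webroot="${3:-/var/www/html}"
    mkdir -p "$out"
    emit_common_snippet "$webroot" > "$out/common-site.inc"
    domains_with_certs "$root" | while read -r domain; do
        emit_ssl_block "$domain" "$root" "$out/common-site.inc" > "$out/$domain.conf"
    done
}

# Usage: gen_vhosts.sh /var/crt /etc/nginx/sites-generated [/var/www/html]
# then:  nginx -t && nginx -s reload
if [ "$#" -ge 2 ]; then
    generate "$@"
fi
```

Adding a site then means dropping its certificate directory into /var/crt, re-running the script and reloading after `nginx -t` succeeds; the port-80 default_server from the question stays as it is and keeps serving any domain that has no certificate yet.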

Viktor Taran, 2019-10-10
@shambler81

1. The most logical option is to install VestaCP, ISPConfig 3, BrainyCP or bitrix-vm, whichever you prefer, and generate certificates in the web UI when creating a site.
2. Since there is really only one site and the rest are in fact aliases, generate them as aliases:
-d syte.ru -d ya.ru -d vk.ru ...
Certificates will actually be issued for each new site.
It is possible to write a script on the server that would look at the site names, check for A records pointing to this server and start the generation; I did this recently.
Just for multisite ;)
