linux
argenit, 2016-01-25 18:22:07

How to set up SSL + Nginx on multiple domains on the same VPS?

Hello. There is one VPS with one IP address. Several sites run on it under the Ajenti control panel via Nginx + php-fpm.
Now I am installing certificates from Let's Encrypt; they are free and are issued for one domain each. I created certificates for all the sites according to this instruction and put the settings into the configs. But only one site works, and nginx complains about the configs of the other sites and refuses to load them. And when by some miracle the other sites do come up, the browser says the certificate was not issued for this domain and cannot be trusted.

Tell me what is wrong in the settings and how to connect the rest of the certificates?

Here is an example nginx.conf config

#AUTOMATICALLY GENERATED - DO NO EDIT!

user www-data www-data;
pid /var/run/nginx.pid;
worker_processes 1;
worker_rlimit_nofile 100000;

events {
    worker_connections  4096;
    include /etc/nginx.custom.events.d/*.conf;
}

http {
    default_type application/octet-stream;

    access_log off;
    error_log  /var/log/nginx/error.log crit;

    sendfile on;
    tcp_nopush on;

    keepalive_timeout 20;
    client_header_timeout 20;
    client_body_timeout 20;
    reset_timedout_connection on;
    send_timeout 20;

    types_hash_max_size 2048;

    gzip on;
    gzip_disable "msie6";
    gzip_proxied any;
    gzip_min_length 256;
    gzip_comp_level 4;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript text/x-js;

    server_names_hash_bucket_size 128;

    include mime.conf;
    charset UTF-8;

    open_file_cache max=100000 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;

    server_tokens off;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    include proxy.conf;
    include fcgi.conf;

    include conf.d/*.conf;
    include /etc/nginx.custom.d/*.conf;
}

include /etc/nginx.custom.global.d/*.conf;

And here is an example of a site config from the conf.d folder

#AUTOMATICALLY GENERATED - DO NO EDIT!
server {
    listen *:80;
    server_name домен;
    access_log /var/log/nginx/домен.access.log;
    error_log /var/log/nginx/домен.error.log;

    root /srv/домен;
    index index.html index.htm index.php;

    listen 443 ssl spdy deferred;
    ssl on;
    ssl_session_timeout 24h;
    ssl_certificate /etc/letsencrypt/live/домен/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/домен/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
    ssl_session_cache shared:SSL:10m;
    add_header Strict-Transport-Security "max-age=31536000;";
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver_timeout 10s;
    spdy_keepalive_timeout 300;
    spdy_headers_comp 9;
    ssl_dhparam /etc/letsencrypt/live/домен/dhparam.pem;

    # This order might seem weird - this is attempted to match last if rules below fail.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Add trailing slash to */wp-admin requests.
    rewrite /wp-admin$ $scheme://$host$uri/ permanent;

    # Directives to send expires headers and turn off 404 error logging.
    location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
        access_log off; log_not_found off; expires max;
    }

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
    # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
    location ~ /\. {
        deny all;
    }

    # Deny access to any files with a .php extension in the uploads directory
    # Works in sub-directory installs and also in multisite network
    # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
    location ~* /(?:uploads|files)/.*\.php$ {
        deny all;
    }

    location ~ [^/]\.php(/|$) {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_param HTTPS on; # For php-fpm

        fastcgi_index index.php;
        include fcgi.conf;
        fastcgi_pass unix:/var/run/адрес сокета пхп фпм.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}

1 answer(s)
Igor Vorotnev, 2016-01-25
@HeadOnFire

To support several different sites and certificates on one IP, SNI (Server Name Indication) is used. In the server console, run nginx -V: there should be a line "TLS SNI support enabled". If not, what version of Nginx? I suspect that it is a little old, since you are using SPDY. And this is a separate question: why use SPDY if HTTP/2 has been around for a long time.
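The SNI setup the answer describes, as an added example that is not part of the thread: two Ajenti-style site configs sharing one IP and port 443, each with its own Let's Encrypt certificate, with the two listen mistakes from the posted config avoided. The hostnames, the 203.0.113.10 address and the /srv paths are placeholders.

```nginx
# Two sites on one IP and one port 443, each with its own Let's Encrypt
# certificate; nginx picks the server block from the SNI hostname in the
# TLS ClientHello. Hostnames, IP and /srv paths are placeholders.
# Checks:  nginx -V 2>&1 | grep -o 'TLS SNI support enabled'   and   nginx -t
# After reload, confirm which cert each name gets:
#   openssl s_client -connect 203.0.113.10:443 -servername example.net </dev/null \
#     | openssl x509 -noout -subject

server {
    listen 80;
    server_name example.com;
    # keep the ACME challenge path on plain HTTP so renewals keep working
    location /.well-known/acme-challenge/ { root /srv/example.com; }
    location / { return 301 https://$host$request_uri; }
}

server {
    # "ssl" as a listen parameter, not a block-wide "ssl on;": the latter also
    # applies to a :80 listener in the same block and breaks plain HTTP.
    # "deferred" is a per-socket option allowed in only one server block per
    # address:port; repeating it per site fails nginx -t with
    # "duplicate listen options for 0.0.0.0:443".
    listen 443 ssl default_server;   # this cert goes to clients without SNI
    server_name example.com;
    root /srv/example.com;
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    # ssl_protocols, ssl_ciphers, ssl_session_cache, stapling: once, in http {}
}

server {
    listen 80;
    server_name example.net;
    location /.well-known/acme-challenge/ { root /srv/example.net; }
    location / { return 301 https://$host$request_uri; }
}

server {
    listen 443 ssl;                  # same socket, no repeated listen options
    server_name example.net;
    root /srv/example.net;
    ssl_certificate     /etc/letsencrypt/live/example.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.net/privkey.pem;
}
```

The s_client check is the quickest way to tell an SNI mismatch (the default_server certificate coming back for the wrong name) from a certificate that was simply issued for the wrong domain.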
