CODEWITHSUNDEEP
dockersslnginxdevops
Liam
Liam

Reputation: 965

dynamic ssl certificate with nginx

I had a Shopify-like application. So, my customer get sub-domain when they create store(i.e customer1.myShopify.com).

to handle this case of dynamic sub-domains with nginx:

server {
    listen 443 ssl;
    server_name admin.myapp.com;

    ssl_certificate /etc/letsencrypt/live/myapp/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/myapp/privkey.pem;

    location / {
        proxy_pass http://admin-front-end:80/;
        proxy_set_header X-Real-IP  $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $host;
    }
}


server {
    listen 443 ssl;
    server_name *.myapp.com;

    ssl_certificate /etc/letsencrypt/live/myapp/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/myapp/privkey.pem;

    location / {
        proxy_pass http://app-front-end:80/;
        proxy_set_header X-Real-IP  $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $host;
    }
}

this works great so if you visit admin.myapp.com you'll see the admin application and if you visit any xxx.myapp.com you'll see the shop-front-end application.

The Problem

I want to allow my customer to connect their own domain. so I told them to connect with CNAME and A Record.

A Record => @ => 12.12.12.3(my root nginx ip)

CNAME => WWW => thier.myapp.com

not each request to customer.com will resolved by my nginx.

so I added this configuration to my nginx, to catch all other server_name request:

server {
        listen  80;
        server_name  server_name ~^.*$;
        location / {
            proxy_pass http://app-front-end:80/;
            proxy_set_header X-Real-IP  $remote_addr;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header Host $host;
        }
}

and it works fine.

but how can I handle SSL for this case? because it could be any domain name.I don't know what the customer domain name will be.

how i can give them the ability to add SSL certificate automatically and without create manually ?

Upvotes: 7

Views: 4962

Answers (4)

Rahul Sharma
Rahul Sharma

Reputation: 5995

This server block should work since variable names are supported for ssl_certificate and ssl_certificate_key directives.

http {

    map "$ssl_server_name" $domain_name { ~(.*)\.(.*)\.(.*)$ $2.$3; }

    server {
        listen  443;
        server_name  server_name ~^.*$;

        ssl_certificate /path/to/cert/files/$domain_name.crt;
        ssl_certificate_key /path/to/cert/keys/$domain_name.key;

        location / {
            proxy_pass http://app-front-end:80/;
            proxy_set_header X-Real-IP  $remote_addr;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header Host $host;
        }
    }
}

P.S. Using variable names would compromise performance because now nginx would load the files on each ssl handshake.

Ref: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate

Upvotes: 13

Sehrish Waheed
Sehrish Waheed

Reputation: 1565

I suggest using separete block with different ssh certificates thats the only solution that worked for me

   server {
    listen 80;
    root /var/www/html/example1.com;
    index index.html;
    server_name example1.com;
    ssl_certificate /etc/letsencrypt/live/example1.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example1.com/privkey.pem;
    location / {
    try_files $uri $uri/ =404;
     }
   }

   server {
     listen 80;
     root /var/www/html/example2.com;
     index index.html;
     server_name example2.com;
     ssl_certificate /etc/letsencrypt/live/example2.com/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/example2.com/privkey.pem;
     location / {
     try_files $uri $uri/ =404;
    }
  }

Upvotes: 0

Harsh Manvar
Harsh Manvar

Reputation: 30120

In VM you can use the certbot for managing the SSL/TLS certificate.

Now if you are using the HTTP-01 method to verify your domain you won't be able to get the Wild card domain name.

i would suggest to use the DNS-01 method in cert-bot for domain verification and you can get the wild card certificate and use it.

Adding the certificate to Nginx config using :

ssl_certificate /path/to/cert/files/tls.crt;
ssl_certificate_key /path/to/cert/keys/tls.key;

If you are using the certbot it will also auto inject and add the SSL config above lines to the configuration file.

For different domains also you can run the job or certbot with HTTP-01 method and you will get the certificate.

If you are on Kubernetes you can use the cert-manager, which will be managing the SSL/TLS certificate.

Upvotes: 0

Siddique Ahmad
Siddique Ahmad

Reputation: 127

In my view instead of compromising the nginx performance, we should use one cron job, say letsencrypt bot, which will fetch certificate based on user requested domain, and you can add the certificate in nginx conf, and restart server.

Bonus:

I have used traefik which is kubernetes based solutions, they load configs on the fly without the restart.

Upvotes: 0

Related Questions