In my little virtual-hosts config with nginx I encountered a new problem.
I tried to setup a "webmail" subdomain for every one of my virtual hosts using a server_name wildcard
server_name ~^(webmail\.)?(?<domain>.+)$;
as all my domains have their own ssl-certificate I would like to use the right one for the webmail-subdomains too. The certificates are configured as wildcard-certs as in *.domain1.com etc.
So webmail.domain1.com should use the cert for *.domain1.com whereas webmail.domain2.net should use the *.domain2.net cert.
I tried the following as a first guess but could not start nginx because it does not accept the variable in the path:
ssl_certificate /etc/letsencrypt/live/$domain/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/$domain/privkey.pem;
Is there a way to achieve this configuration with a single config-file covering all webmail.* subdomains?
Yes, but not the way you are hoping...
The problem you have is that nginx needs to terminate the SSL before it can read the stream content to get the Host header to set the server_name to decide which certificate and key are needed to terminate the SSL. That's why variables and maps will never work, because they can't yet exist at the point when nginx needs to read the certificate.
(I believe there are Lua functions in OpenResty that deal with certificate handling, but I think this is more about certificate life-cycles rather than choosing one on-the-fly per request which is what you want.)
The way to achieve this is to script your conf generation, using perl, python, bash, whatever you're comfortable with. Describe a common server block template that only needs to be given the domain name, and generate a copy of that for each domain. They can be all in one file, or included from separate files, whatever works for you.
Tip: If you name a conf file with a dot prefix, like .server-tpl.conf, then it will be ignored by the usual include conf.d/*.conf. That way, you can keep this template together with your other conf files, but only the populated copy(s) will be loaded.
Related
I am running a virtual server (Ubunto, Plesk 12). For the vhosts the settings are stored in httpd.conf, which is generated by Plesk.
When having activated SSL-Support in Plesk, then Plesks default certificate is referenced, even when no certificate has been selected. Trying to override this value via vhost_ssl.conf results in Apache not being able to start/ restart. My tech support told me, that Apache is trying to bind both certificates then, instead of overriding the SSLCertificateFile directive.
When having SSL-Support deactivated in Plesk, then all directives regarding SSL (< IfModule mod_ssl.c >) are missing in httpd.conf. I guess additional directives within vhost_ssl.conf wont work then.
Is there any other way to replace/ override the default certificate? It is no option to put the setting into httpd.conf directly (iE via VI), because once I make a change in Plesk related to this file, it is overwritten. It is also no option, to put the certificates keys into Plesk, because they need to be updated regulary and I dont want to do that manually every time.
You can apply your certificate for domain if you upload certificate to subscription's repository here:
Also you can try LetsEncrypt extension from Extensions Catalog.
By the way, Plesk's LetsEncrypt extension updates all it's certificates by cron task every month:
Is it possible to configure dynamic SSL certificate path in nginx same as like dynamic virtual host.
ssl_certificate and ssl_certificate_key are not accepting the variables in nginx.
Thanks
Unfortunately, it's not possible because nginx needs to load the whole SSL server configuration at start time.
Source: https://t37.net/the-good-the-bad-and-the-ugly-of-virtual-hosting-with-nginx.html
Since Nginx version 1.15.9 variables are supported in "ssl_certificate" and "ssl_certificate_key" directives.
You can load them dynamically by using lua.
You need to figure out how you want to map and fetch them though.
Here is an example of loading them from a database:
https://github.com/Vestorly/nginx-dynamic-ssl/blob/master/conf/nginx.conf
You can refer shared video to make it happen.
Here you can pass dynamic variable with ssl param in nginx.conf.
https://www.youtube.com/watch?v=aeLE988jmlo
Variable is $ssl_server_name.
Store your SSL certificate with name of domain name.
ex. example.com.cert
With Apache's mod_vhost_alias you can use Directory Interpolation to serve sites based on directory structure. See here http://httpd.apache.org/docs/2.2/mod/mod_vhost_alias.html#interpol
Is this possible with NGINX? if so how?
The simplest one would be:
server {
listen 80 default_server;
root /var/www/$host;
}
For http://www.example.com/directory/file.html this will serve file /var/www/www.example.com/directory/file.html.
I've just found out through randomly searching for something else that the exact same functionality as Apache's Directory Interpolation (and more) can be achieved using regex, for example...
server_name "~^(?<machine>.*?)\.(?<domain>.*?)\.(?<group>.*?)\.dev$";
root "/some/place/projects/$group/$domain/$machine";
For anyone coming here wanting to auto manage their local webserver setup, I found these useful to take care of the DNS side of things
https://echo.co/blog/never-touch-your-local-etchosts-file-os-x-again (mac)
http://mayakron.altervista.org/wikibase/show.php?id=AcrylicHome (win)
At the moment I am using nginx as my webserver. Some time ago I found out about Server Name Indication (SNI), which was very helpful since I have a couple domains (including all the subdomains) running from my server.
So exited as I was, I put a ssl-certificate on my main domain and a couple of subdomains on my server. Works great, no problem :D
(the reason I didn't just use a wildcard-certificate is because I am using http://www.startssl.com/ which provides me with free ssl-certificates, but for wildcard I will have to pay, and my server isn't that important for that, it's merely a hobby-project)
So on to the question:
If someone browses to a non-existing (sub)domain, or one that does not have an certificate installed, they get of course a big warning in there browser, because nginx served the default certificate which of course does not match that non-existing domain.
I was wondering, would it be possible to tell nginx if the sni-system gets asked for a non-exisiting domain-name, to just terminate the connection or maybe do something so instead of a name-mismatch warning there will appear some other warning in the browser saying the site does not exist (if even such a system does exist...)
I know one solution: take away the wildcard-dns-record so non-existing will indeed not exist, but that doesn't help for the ones that exist, but not on https. Also with that I cannot easily just add a new subdomain and have to also edit dns-settings for it. (I know, I am lazy, but which nerd isn't :P)
Oh and if such thing is not possible I'll just have to live with the way it is now, not that big of a deal, but it would make my server less 'cooler' xd (im sorry, im just a random tech-hobbyist).
Just don't use SSL for subdomains :)
eg
server {
listen 80;
listen 443;
server_name example.com;
...
}
server {
listen 80;
server_name *.example.com;
...
}
Turns out the answer by SuddenHead was almost the solution. It needed just a tiny little additional step. I already had done what SuddenHead said, but if you would visit a non-existing subdomain, or a subdomain that doesnt have ssl it would just serve the first ssl-enabled subdomain it can find. The solution turns out to be very simple. Make sure you add a server-block to the nginx-config and make sure it is the first one nginx will read:
server {
listen 80 default_server;
listen 443 default_server;
return 404;
}
This will also serve a 404-page to any non-existing subdomain (something i also wanted, if not desired, I think omitting the listen 80 rule should work) and because no ssl-certificate details are specified, accessing this on https gives an error about an ssl-connection that could not be established, instead of a domain-mismatch-error with warnings about something could be wrong and stuff. This is basically exactly what I was looking for :D
Now I'm sure there are more 'nicer' ways to do this, but this does everything i need.
EDIT: I derped, by putting default_server in the listen directives, that of course breaks everything cause by default ssl would be broken... ooops. So im afraid i didn't think this thought and this isn't the solution after all :(
I am running a multi-language web store accessible from differents domains, that lead to different languages.
The apache configuration is quite complex and I would like to have one single file shared with all the stores. I had this in place until I had to introduce SSL.
When it comes to apache and SSL certificates I would need to do something like:
SetEnv is_es 0<br>
SetEnvIfNoCase Host .*es is_es 1<br>
SSLCertificateFile /etc/ssl/certs/spanish.server.crt env=is_es<br>
This is aparently not possible, apache tells me:
<i>SSLCertificateFile takes one argument, SSL Server Certificate file (`/path/to/file' - PEM or DER encoded)</i>
I was wondering if there is any workaround. My goal is to avoid having different copies of the same configuration and having to propagate manually any changes I want to make.
It is hosted on a dedicated server, so I am free to do any changes to the setup.
When you are on a https connection, the Host header is inside the SSL encapsulation, so you need the full SSL handshake before you check for an hostname for your virtualhost.
You should go for SSL certificates with SAN (Subject Alternative Names), this will allow that a single certificate for multiple hostnames. (or a wildcard cert)
All the main browsers supports it already:
http://www.digicert.com/subject-alternative-name-compatibility.htm
And you can get one of this certs from the majors CAs:
http://www.digicert.com/subject-alternative-name.htm
http://www.verisign.com/ssl/buy-ssl-certificates/subject-alternative-name-certificates/index.html
http://www.thawte.com/ssl/san-uc-ssl-certificates/index.html