I would like to white labeling a site with SSL support for multiple different domain name like site1.com, site2.com etc.
I need for that to add multiples certs on the same server_name.
Do you know if it's possible and how to achieve that?
An example of what I want:
server {
listen 443;
server_name whitelabeling.example.com;
# Key 1
ssl_certificate /var/www/ssl/cert1.crt;
ssl_certificate_key /var/www/ssl/key1.key;
# Key 2
ssl_certificate /var/www/ssl/cert2.crt;
ssl_certificate_key /var/www/ssl/key2.key;
#Key 3
...
}
Related
Can we add ssl directive inside if condition?
I want to achieve something like:
if ($host ~ "^localhost") {
ssl on;
ssl_certificate /home/ssl/nginx.crt;
ssl_certificate_key /home/ssl/nginx.key;
}
If the host is localhost then apply ssl otherwise don't.
Is this possible in nginx.conf?
I have this NGINX configuration as follows:
# jelastic is a wildcard certificate for *.shared-hosting.xyz
server {
listen 443;
server_name _;
ssl on;
ssl_certificate /var/lib/jelastic/SSL/jelastic.chain;
ssl_certificate_key /var/lib/jelastic/SSL/jelastic.key;
}
# fullchain2 is a certificate for custom domain
server {
listen 443 ssl;
server_name my-custom-domain-demo.xyz www.my-custom-domain-demo.com;
ssl_certificate /var/lib/nginx/ssl/my-custom-domain-demo.xyz/fullchain2.pem;
ssl_certificate_key /var/lib/nginx/ssl/my-custom-domain-demo.xyz/privkey2.pem;
}
# additional configuration for other custom domains follows
The NGINX server receives requests with host having a pattern like of *.shared-hosting.xyz, e.g. website1.shared-hosting.xyz, website2.shared-hosting.xyz
and also with variable hosts having different domains like my-custom-domain-demo.xyz or another-custom-domain-demo.xyz etc.
Now the problem is the lower server NGINX configuration overrides the upper configuration. Having it, the upper does not work anymore,
and accessing *.shared-hosting.xyz returns certificate error, and browser is telling the certificate is for my-custom-domain-demo.xyz only.
What can be done with this such that the lower NGINX config triggers for *.shared-hosting.xyz domains and every other additional server configuration will not trigger
when host is in the pattern of *.shared-hosting.xyz?
The server_name _; is irrelevant (and is not required in modern versions of nginx). If a server with a matching listen and server_name cannot be found, nginx will use the default server.
In the absence of a default_server suffix to the listen directive, nginx will use the first server block with a matching listen.
If your configurations are spread across multiple files, there evaluation order will be ambiguous, so you need to mark the default server explicitly.
Try this for the jelastic server block:
server {
listen 443 ssl default_server;
ssl_certificate /var/lib/jelastic/SSL/jelastic.chain;
ssl_certificate_key /var/lib/jelastic/SSL/jelastic.key;
...
}
See this document for more.
we have for our domain.tld two certificates. One with EV (for domain.tld and www.domain.tld) and wildcard for subdomains.
Our website is running on www.domain.tld (always) and subdomains are used for images (img.domain.tld).
We are using nginx "virtual hosts":
server {
# listen 443;
listen 443 ssl spdy;
server_name domain.tld *.domain.tld;
ssl on;
# wildcard
ssl_certificate /usr/local/nginx/cert/wildcard/uni_STAR_domain_tld.crt;
ssl_certificate_key /usr/local/nginx/cert/wildcard/wildcarddomain.tld.key;
...
server {
# listen 443;
listen 443 ssl spdy;
server_name www.domain.tld;
ssl on;
# EV
ssl_certificate /usr/local/nginx/cert/wildcard/EV_cert_domain_tld.crt;
ssl_certificate_key /usr/local/nginx/cert/wildcard/EV.cert.domain.tld.key;
...
Problem is that sometimes is for www.domain.tld used EV certificate and sometimes wildcard certificate. Why?
We are running on single dedicated IP address, but nginx has SNI support enabled.
When you think the wildcard show up in www.domain.tld (instead of the EV) can you check the details of the certificate ? Maybe it's the EV :
Due to mixed content, the browser can decide to not show the EV green bar.
https://support.mozilla.org/fr/questions/932768
https://www.w3.org/TR/mixed-content/
I need to use Nginx as an SSL proxy, which forwards traffic to different back ends depending on the subdomain.
I have seem everywhere that I should define multiple "server {" sections but that doesn't work correctly for SSL. Doing that I would always have the SSL being processed in the first virtual host as the server name is unknown until you process the https traffic.
Scenario:
One IP address
One SSL wildcard wildcard
Multiple backends which needs to be accessed like the following:
https://one.mysite.com/ -> http://localhost:8080
https://two.mysite.com/ -> http://localhost:8090
Nginx says "if" is evil: http://wiki.nginx.org/IfIsEvil, but what else can I do?
I have tried this, but it doesn't work, I get an 500 error but nothing in the error logs.
server {
listen 443;
server_name *.mysite.com;
ssl on;
ssl_certificate ssl/mysite.com.crt;
ssl_certificate_key ssl/mysite.com.key;
location / {
if ($server_name ~ "one.mysite.com") {
proxy_pass http://localhost:8080;
}
if ($server_name ~ "two.mysite.com") {
proxy_pass http://localhost:8090;
}
}
Has anyone managed to accomplish this with Nginx? Any help/alternatives, link, would be much appreciated.
I found the solution which is basically to define the SSL options and the SSL certificate outside the "server" block:
ssl_certificate ssl/mysite.com.crt;
ssl_certificate_key ssl/mysite.com.key;
ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+EXP;
ssl_prefer_server_ciphers on;
server {
listen 80;
server_name *.mysite.com;
rewrite ^ https://$host$request_uri? permanent;
}
server {
listen 443 ssl;
server_name one.mysite.com;
ssl on;
location / {
proxy_pass http://localhost:8080;
}
}
server {
listen 443 ssl;
server_name two.mysite.com;
ssl on;
location / {
proxy_pass http://localhost:8090;
}
}
Key things:
"ssl on;" is the only thing that needs to be within the "server" blocks that listen in https, you can put it outside too, but what will make the "server" blocks that listen in port 80 to use https protocol and not the expected http.
Because the "ssl_certificate", "ssl_ciphers: and other "ssl_*" are outside the "server" block, Nginx does the SSL offloading without a server_name. Which is what it should do, as the SSL decryption cannot happen based on any host name, as at this stage the URL is encrypted.
JAVA and curl don't fail to work now. There is no server_name - host miss match.
The short answer is to use Server Name Indication. This should work by default in common browsers and cURL.
according to http://www.informit.com/articles/article.aspx?p=1994795, you should indeed have two "server" sections, with two different server names.
In each one, you should include your ssl_* directives.
I would like to have two domains, each with their own SSL cert, each SSL cert has its own IP of course, to point to the same web site on one physical server. The server will have to have two IPs too of course. What is this called? How is this done with nginx? OS is Linux. Thanks!
Create two server entries with different listen and ssl_certificate(_key) directives using the different IP addresses but the same root where your shared web pages are stored. For example:
server {
listen 1.2.3.4:443;
server_name first-domain.example;
root /srv/html/shared_domain_data;
ssl on;
ssl_certificate /etc/nginx/ssl/first_domain.pem;
ssl_certificate_key /etc/nginx/ssl/first_domain_key.pem;
}
server {
listen 9.8.7.6:443;
server_name second-domain.example;
root /srv/html/shared_domain_data;
ssl on;
ssl_certificate /etc/nginx/ssl/second_domain.pem;
ssl_certificate_key /etc/nginx/ssl/second_domain_key.pem;
}
It's called nothing special.