Multiple ssl certificates within single server {} block

Hi

I was wondering if there’s any way to have a configuration like this?

 server
 {
     listen 80;
     listen 443 ssl;

     ssl_certificate     www.example.com.cer;
     ssl_certificate_key www.example.com.key;
     ssl_certificate     www.test.com.cer;
     ssl_certificate_key www.test.com.key;
     ssl_certificate     www.something.com.cer;
     ssl_certificate_key www.something.com.key;

     location /
     {
         # lots of config here
         # which I really don't want to duplicate
     }
 }

I want to avoid duplicating server blocks since they will have exactly
the same location configurations below them,
and I want to avoid using server_name since my server handles requests
from lots of different domain names.
It would need to use SNI - only a single IP for all domains.

maybe having the server name as part of the “ssl_certificate” line would
be quite elegant:

     ssl_certificate     www.example.com.cer server=www.example.com;
     ssl_certificate_key www.example.com.key server=www.example.com;

Thanks

Richard

On 5 November 2013 13:30, Richard K. [email protected] wrote:

    ssl_certificate_key www.example.com.key;
}

I want to avoid duplicating server blocks since they will have exactly the
same location configurations below them,
and I want to avoid using server_name since my server handles requests from
lots of different domain names.
It would need to use SNI - only a single IP for all domains.

How are you intending to use SNI /without/ also providing multiple
server_names (either split across several server{}s or all inside one
server{})?

Please show a duplicated (i.e. operationally inefficient) config that
you wish to aggregate, as I don’t understand the result you’re aiming
for.

J

On 05/11/13 13:50, Jonathan M. wrote:

Please show a duplicated (i.e. operationally inefficient) config that
you wish to aggregate, as I don’t understand the result you’re aiming
for. J

something like this is the only way I see to do it currently:

http
{
    server
    {
        listen 80;
        listen 443 ssl;
        server_name www.example.com;

        ssl_certificate www.example.com.cer;
        ssl_certificate_key www.example.com.key;

        location /
        {
            # lots of config here
            # which I really don't want to duplicate
        }

        # and about 10 other locations!
    }

    server
    {
        listen 80;
        listen 443 ssl;
        server_name www.test.com;

        ssl_certificate www.test.com.cer;
        ssl_certificate_key www.test.com.key;

        location /
        {
            # lots of config here
            # which I really don't want to duplicate
        }

        # and about 10 other locations!
    }

    server
    {
        listen 80;
        listen 443 ssl;
        server_name www.something.com;

        ssl_certificate www.something.com.cer;
        ssl_certificate_key www.something.com.key;

        location /
        {
            # lots of config here
            # which I really don't want to duplicate
        }

        # and about 10 other locations!
    }
}

This could go on for hundreds of domains…

Cheers

Richard

On 05.11.2013 14:57, Richard K. wrote:

This could go on for hundreds of domains…

This sounds like you want to use include; I use it myself for general
settings valid for any domain:

server {
    listen 443 ssl;
    include /etc/nginx/ssl-common.conf;
    ssl_certificate /etc/nginx/ssl/com.example.crt;

    server_name example.com;
    include /etc/nginx/common.conf;
}

With the contents of /etc/nginx/common.conf being:

location ~ /.ht {
    return 444;
}
add_header X-Frame-Options SAMEORIGIN;

Tim

On 05/11/13 16:27, Tim Düsterhus wrote:

This sounds like you want to use include; I use it myself for general
settings valid for any domain:

Fair point.

Would it work like this (an include in an include)?

http
{
include www.example.com.conf;
include www.test.com.conf;
include www.something.com.conf;
}

www.example.com.conf:

 server
 {
     listen 80;
     listen 443 ssl;
     server_name www.example.com;

     ssl_certificate www.example.com.cer;
     ssl_certificate_key www.example.com.key;

     include locations.conf;
 }

www.test.com.conf:

 server
 {
     listen 80;
     listen 443 ssl;
     server_name www.test.com;

     ssl_certificate www.test.com.cer;
     ssl_certificate_key www.test.com.key;

     include locations.conf;
 }

www.something.com.conf:

 server
 {
     listen 80;
     listen 443 ssl;
     server_name www.something.com;

     ssl_certificate www.something.com.cer;
     ssl_certificate_key www.something.com.key;

     include locations.conf;
 }

locations.conf:

     location /
     {
         # lots of config here
         # which I really don't want to duplicate
     }

     # and about 10 other locations!

On 05.11.2013 17:51, Richard K. wrote:

Would it work like this (an include in an include)?

Did you try it? :wink:

Yes, it does work. Debian by default uses a folder
/etc/nginx/sites-enabled for all vHosts / domains. You can easily
include any file in there via:

include /etc/nginx/sites-enabled/*;

An excerpt of my /etc/nginx looks like this:

/etc/nginx/
+-- common.conf
+-- nginx.conf
+-- passwd
|   +-- munin.example.com
+-- sites-available
|   +-- _
|   +-- example.com
|   +-- localhost
|   +-- munin.example.com
+-- sites-enabled
|   +-- _ -> /etc/nginx/sites-available/_
|   +-- example.com -> /etc/nginx/sites-available/example.com
|   +-- localhost -> /etc/nginx/sites-available/localhost
|   +-- munin.example.com -> /etc/nginx/sites-available/munin.example.com
+-- ssl
|   +-- _
|   +-- com.example.crt
|   +-- com.example.munin.crt
+-- ssl-common.conf

nginx.conf includes all the sites-enabled via the line above. The
sites-enabled include the respective common.conf / ssl-common.conf like
explained in my last mail.

Tim
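The per-domain include layout Richard sketched (one server{} per domain, shared locations.conf) and the sites-available/sites-enabled tree Tim describes both come down to stamping out hundreds of near-identical files, so the practical question becomes how to generate and enable them safely. The script below is an added example written for this page, not code posted by Richard, Tim or the nginx project. It generates one server{} file per domain from a template, and only enables a site when its certificate and key actually exist, because one missing file fails `nginx -t` for the whole configuration and takes every other domain down with it. The directory layout under `$root` (sites-available, sites-enabled, ssl, ssl-common.conf, locations.conf), the `.cer`/`.key` naming and the domain list are all assumptions; the demo run uses empty placeholder files where real certificates would go.

```shell
#!/bin/sh
# Added example (not from the thread): generate one nginx server{} file per
# domain from a template, so the shared locations live in a single
# locations.conf that every generated block includes, and enable a site
# only when its certificate and key are present.
# Assumptions: the layout $root/{sites-available,sites-enabled,ssl},
# $root/ssl-common.conf, $root/locations.conf and the .cer/.key naming.
set -eu

# gen_site DOMAIN ROOT: write ROOT/sites-available/DOMAIN.conf and print its path.
gen_site() {
    domain=$1
    root=$2
    out="$root/sites-available/$domain.conf"
    cat > "$out" <<EOF
server {
    listen 80;
    listen 443 ssl;
    server_name $domain;

    ssl_certificate     $root/ssl/$domain.cer;
    ssl_certificate_key $root/ssl/$domain.key;

    include $root/ssl-common.conf;
    include $root/locations.conf;
}
EOF
    printf '%s\n' "$out"
}

# check_site DOMAIN ROOT: symlink the site into sites-enabled, but refuse if
# the certificate or key is missing, because a single missing file makes
# `nginx -t` fail for the whole configuration, not just that one domain.
check_site() {
    domain=$1
    root=$2
    for f in "$root/ssl/$domain.cer" "$root/ssl/$domain.key"; do
        if [ ! -f "$f" ]; then
            echo "refusing to enable $domain: missing $f" >&2
            return 1
        fi
    done
    ln -sf "$root/sites-available/$domain.conf" "$root/sites-enabled/$domain.conf"
}

# Demo on a constructed domain list in a scratch directory. A real deployment
# would point root at /etc/nginx and keep real certificates under ssl/.
root=$(mktemp -d)
mkdir -p "$root/sites-available" "$root/sites-enabled" "$root/ssl"
: > "$root/ssl-common.conf"
: > "$root/locations.conf"
for d in www.example.com www.test.com www.something.com; do
    : > "$root/ssl/$d.cer"      # placeholder files standing in for real certs
    : > "$root/ssl/$d.key"
    gen_site "$d" "$root" > /dev/null
    check_site "$d" "$root"
done
# A domain without a certificate gets its file generated but is never enabled.
gen_site www.nocert.com "$root" > /dev/null
check_site www.nocert.com "$root" 2>/dev/null || echo "www.nocert.com left disabled"
```

After a run, `include /etc/nginx/sites-enabled/*;` in nginx.conf picks up exactly the enabled symlinks, so `nginx -t` followed by a reload is the whole rollout. For what it is worth, nginx 1.15.9 and later accept variables in ssl_certificate and ssl_certificate_key (for example `$ssl_server_name`), which makes the single-server{} layout Richard asked for possible without generating anything; this thread predates that.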