我正在从 apache2 迁移到 nginx conf,并且我正在尝试使用 certbot(让我们加密)来处理我的多个 SPA 上的 https。
当我想添加另一个 SPA 时,我也试图简化我的工作流程,这就是为什么我在同一个文件中完成所有操作并使用一些变量(这可能是 certbot 的问题?)。
假设我拥有
domain.frsubdomain1subdomain2subdomain3这是我目前拥有的,但我不知道如何“列出”服务器名称以供 certbot 检测它们(在执行
sudo certbot --nginx#################################
### Variables definitions ###
#################################
# Extract subdomain from 'www.subdomain.domain.fr' OR 'subdomain.domain.fr'
map $host $subdomain {
default hub;
~^www\.(.*)\.domain\.fr$ $1;
~^(.*)\.domain\.fr$ $1;
}
# Detect which app to redirect to which web socket port :
map $subdomain $websocket_port {
default 3001;
subdomain1 5551;
subdomain5 5555;
subdomain6 5556;
subdomain7 5557;
subdomain9 5559;
}
# Static path to builds to serve
map $subdomain $static_path {
default /var/www/html/hub;
subdomain1 /var/www/html/subdomain1/path;
subdomain2 /var/www/html/subdomain2/path;
subdomain3 /var/www/html/subdomain3/path;
subdomain4 /var/www/html/subdomain4/path;
subdomain5 /var/www/html/subdomain5/path;
subdomain6 /var/www/html/subdomain6/path;
subdomain7 /var/www/html/subdomain7/path;
subdomain8 /var/www/html/subdomain8/path;
subdomain9 /var/www/html/subdomain9/path;
subdomain10 /var/www/html/subdomain10/path;
}
##########################################
##### Conf server from variables #####
##########################################
server {
listen 80;
#listen 443 ssl http2; #<-- I want to activate this with certbot !
server_name $subdomain.domain.fr www.$subdomain.domain.fr;
# Redirect HTTP --> HTTPS:
if ($scheme = http) {
return 301 https://$host$request_uri;
}
# Serve static files
root $static_path;
index index.html;
location / {
# Redirect file query to the index
# SPA --> front rooting
try_files $uri $uri/ /index.html;
}
# Redirect socket.io calls to the right pm2 demon
location ~* \.io {
proxy_pass http://localhost:$websocket_port;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_cache_bypass $http_upgrade;
proxy_set_header X-NginX-Proxy false;
proxy_redirect off;
}
# Logs
error_log /var/log/nginx/${subdomain}_error.log warn;
access_log /var/log/nginx/${subdomain}_access.log combined;
}
对于任何路过的人......我发现了通配符证书。设置起来“更难”,因为它使用 DNS-01 挑战,但让我们加密有各种插件来帮助您(我与 ovh 合作)
但它像手套一样适合我的需求。
只需使用 certbot 生成通配符证书即可:
sudo certbot certonly --dns-ovh --dns-ovh-credentials /etc/letsencrypt/ovh.ini -d *.domain.fr
ovh.ini 是您的 OVH API 密钥
dns_ovh_endpoint = ovh-<region>
dns_ovh_application_key = APPLICATION_KEY
dns_ovh_application_secret = APPLICATION_SECRET
dns_ovh_consumer_key = CONSUMER_KEY
这是配置:
server {
listen 80; # mandatory for http to https redirect
listen 443 ssl http2;
server_name *.domain.fr;
# Redirect www.*.domain.fr to *.domain.fr
if ($host ~* ^www\.(.*)\.domain\.fr$) {
return 301 https://$1.domain.fr$request_uri;
}
# Redirect HTTP --> HTTPS:
if ($scheme = http) {
return 301 https://$host$request_uri;
}
# Wildcard certificate (*.domain.fr)
ssl_certificate /etc/letsencrypt/live/domain.fr/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.fr/privkey.pem;
root $static_path;
index index.html;
location / {
try_files $uri $uri/ /index.html;
}
}