Score:0

How can you go about handling 100s of domains with SSL without having a file per domain?


Background

I currently run an ecommerce platform, and at the moment, when setting up a new domain, an automated script runs. It starts by verifying the DNS records, generates an Nginx config file, then generates the SSL certificate using Let's Encrypt.

However, this seems quite long-winded and not very efficient, because if I need to make a change (like upgrading to a newer version of PHP) I then have to update every single file. As well, I have to reload Nginx every time a new domain is added, removed or changed.

The goal

Is there a way to do this more efficiently, so that load balancing can be done much more easily in the future?

When load balancing at the moment, I have to decide which websites to balance, and each one requires a manual setup of each domain.

Score:0

You can leverage the include directive in Nginx.

Put all the common options into some file, and include that file where appropriate. For instance, on one reverse proxy the set of headers to add (X-Forwarded-For and the like) and the exclusion of the ACME validation URI were the same on all proxied virtual hosts, so I put them into a common file and included that file into the server directive where needed. If I needed to update it (e.g. to add another header), I only had to update that single included file.

As for reloading Nginx, that's inevitable. When you change its configuration by any means, either by adding files or by editing existing files, you need to tell it to re-read the updated configuration; this is what reload basically does. It is graceful, and this is a very common case (not just with Nginx). I don't understand why you worry. It's just like the "apply" button. Ansible could do it for you (with a handler).

Mathew Berry
In this scenario would you still require an SSL certificate to be generated per domain?
Nikita Kipriyanov
There was never such a requirement, and it is barely related to the organization of configuration files. You can create certificates that are valid for many domains, and even wildcard certificates, whether or not you use the include directive. In particular, you don't need all the domains in the certificate to be served by the same virtual host. You were always able to share the same certificate between several virtual hosts (I did that even before Let's Encrypt appeared).
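The include pattern from the answer, combined with the shared certificate described in the comment above, as an added example that is not part of the original answer or comments. Domain names, file paths and the backend address (127.0.0.1:8080) are assumptions for illustration; the file-path comments show which file each part would live in.

```nginx
# Added example, not the answer's own files. Domain names, paths and the
# upstream address are assumptions for illustration.

# --- /etc/nginx/snippets/common-proxy.conf --------------------------------
# Shared body for every virtual host. Change this one file to change the
# behaviour of all domains, then `nginx -t && nginx -s reload`.

# Serve ACME HTTP-01 challenges straight from disk, never from the app.
# `^~` takes precedence over regex locations, so a later `location ~ ...`
# (e.g. a PHP handler) cannot capture the challenge path.
location ^~ /.well-known/acme-challenge/ {
    root /var/www/acme;
    default_type text/plain;
}

# Everything else is proxied with the usual forwarding headers.
# $proxy_add_x_forwarded_for appends to any X-Forwarded-For the client sent,
# so the application must only trust the rightmost entry (the one nginx wrote).
location / {
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass       http://127.0.0.1:8080;   # assumed application backend
}

# --- /etc/nginx/conf.d/shared-tls.conf ------------------------------------
# Files in conf.d are included at the http level by the stock nginx.conf, so
# ssl_certificate here is inherited by every server block: one certificate
# (assumed to cover *.example.com) serves all the virtual hosts below.
ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

# --- /etc/nginx/sites-enabled/shops.conf ----------------------------------
# The per-domain part shrinks to the lines that actually differ.
server {
    listen      443 ssl;
    server_name shop-a.example.com;
    include     /etc/nginx/snippets/common-proxy.conf;
}

server {
    listen      443 ssl;
    server_name shop-b.example.com;
    include     /etc/nginx/snippets/common-proxy.conf;
}

# Plain-HTTP catch-all: answers ACME challenges for every name and redirects
# the rest to HTTPS. Being default_server, it needs no edit per new domain.
server {
    listen      80 default_server;
    server_name _;
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}
```

Two caveats a practitioner will want: run `nginx -t` before every reload, because a reload with a syntax error in a freshly generated file is refused and the old configuration silently keeps serving, which is only visible if you check the result; and a Let's Encrypt wildcard for `*.example.com` does not cover the apex `example.com`, so that name must be added as a separate SAN if a virtual host serves it.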
