How can you go about handling 100s of domains with SSL without having a file per domain?

Mathew Berry

11/3/23, 1:19 PM

Background

I currently run an ecommerce platform and at this moment in time when setting up a new domain the automated script runs. It starts by verifying the DNS records, generates an Nginx config file, then generates the SSL certificate using LetsEncrypt.

However this seems quite long-winded and not very efficient because if I need to make a change (like upgrading to a newer version of php) I then have to update every single file, as well, I have to reload Nginx every time a new domain is added, removed or changed.

The goal

Is there a way to do this more efficiently so that load balancing can be done much easier in the future?

When load balancing at the moment, I have to decide which websites to balance and each one requires a manual setup of each domain.

1 + 0

ssl

nginx

load-balancing

Score:0

Server

Nikita Kipriyanov

11/3/23, 1:35 PM

You can leverage include directive in the Nginx.

Put all the common options into some file, and include that file where appropriate. For instance, on one reverse proxy the set of headers to add (X-Forwarded-For and the like) and the exclusion of ACME validation URI were the same on all proxied virtual hosts, so I put them into the common file and included that file into server directive where needed. If I were need to update (e.g. to add another header), I was just to update that single included file.

As for reloading Nginx, that's inevitable. When you change its configuration by any means, either adding files or editing existing files, you need to tell it to re-read the updated configuration, this is what reload basically does. It is graceful, also this is very common case (not just with Nginx). I don't understand why worry. It's just like the "apply" button. Ansible could do it for you (with handler).

+ 2

Mathew Berry

11/3/23, 1:56 PM

In this scenario would you still require an SSL certificate to be generated per domain?

Nikita Kipriyanov

11/3/23, 2:50 PM

There was never such a requirement and it is barely related to the organization of configuration files. You can create certificates that are valid for many domains, and even wildcard certificates, both using the include directive and not using it. In particular, you don't need all the domains in the certificate to be served with the same virtualhost. You were always able to share the same certificate for several virtual hosts (I did that even before Let's Encrypt appeared).

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: How can you go about handling 100s of domains with SSL without having a file per domain?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.