
I have an Nginx install that needs to run on SSL. My server blocks are as follows for this domain, which force example.com and www.example.com to be routed to https://example.com.

    server {
        listen 9.9.9.9:80;
        server_name example.com;
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl http2;
        server_name www.example.com;
        return 301 $scheme://example.com$request_uri;
    }

    server {
        ## SSL settings
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;

        server_name   example.com;
        root /home/example;

        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

        include common.conf;
        include ssl.conf;
    }

This essentially works. The Let's Encrypt stuff is installed properly. However, I also have some subdomains that are CNAMEs to Cloudfront. So these are like cdn.example.com. How can I ensure that they too work, and don't reroute to https://example.com?

In Cloudfront, the default Cloudfront certificate is enabled for these CNAMEs:

SSL Certificate - Default CloudFront Certificate (*.cloudfront.net)

Is this an issue?

The problem is that when I visit this site, https://example.com, the whole content loads but the images, CSS and JS files (loaded through cdn.example.com Cloudfront cname) are NOT loading. Chrome shows a red "unsafe" in the location bar for these assets, and a big error message as this: https://i.stack.imgur.com/cua6p.jpg

What's the correct way to include my own CNAME CDN paths along with the domain? Thank you for any pointers.

PKHunter

1 Answer


Let's start with some assumptions:

  • your DNS zone file looks something like this:

    $ORIGIN example.com
            IN    A     9.9.9.9
    www     IN    A     9.9.9.9
    cdn     IN    CNAME some-subdomain-at.cloudfront.net.

In this case, your web server (9.9.9.9) should never see any request that belongs to cdn.example.com.

Why?

  • when loading example.com, a web browser would get the IP 9.9.9.9 from the DNS system and send requests there.
  • when accessing the example file https://cdn.example.com/default.css, the browser would ask for the IPv4/IPv6 (A / AAAA) address of cdn.example.com, get none, and try CNAME, which will get it some-subdomain-at.cloudfront.net. as an answer. Now the browser will try to get the IP address of some-subdomain-at.cloudfront.net. and start communication with this address as if it were an A record for cdn.example.com.
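As an added example that is not part of the answer: a small Python script that parses the zone snippet above and follows the lookup order the answer describes (A/AAAA first, then CNAME) to show which names ever reach the nginx host at 9.9.9.9. It goes one step beyond the answer by also checking whether a wildcard certificate name such as the *.cloudfront.net one from the question covers a given hostname; the address assumed for the CloudFront target is a hypothetical placeholder.

```python
import re

# Constructed copy of the zone snippet from the answer above.
ZONE_TEXT = """\
$ORIGIN example.com
        IN    A     9.9.9.9
www     IN    A     9.9.9.9
cdn     IN    CNAME some-subdomain-at.cloudfront.net.
"""
# Hypothetical record for the CNAME target so the chain can be followed offline.
EXTERNAL = {"some-subdomain-at.cloudfront.net": [("A", "192.0.2.10")]}  # placeholder IP

def parse_zone(text):
    """Return {fqdn: [(rtype, rdata), ...]} from a minimal zone file."""
    origin, records = "", {}
    for line in text.splitlines():
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        m = re.match(r"^(\S*)\s+IN\s+(A|AAAA|CNAME)\s+(\S+)", line)
        if m:
            owner, rtype, rdata = m.groups()
            fqdn = origin if owner == "" else f"{owner}.{origin}"
            records.setdefault(fqdn, []).append((rtype, rdata.rstrip(".")))
    return records

def resolve(name, zone, external=EXTERNAL, max_hops=8):
    """Lookup order from the answer: A/AAAA first, else follow the CNAME and repeat."""
    name, chain = name.rstrip(".").lower(), []
    for _ in range(max_hops):
        chain.append(name)
        rrs = zone.get(name) or external.get(name) or []
        addrs = [rd for rt, rd in rrs if rt in ("A", "AAAA")]
        if addrs:
            return addrs, chain  # the browser connects here, nowhere else
        cnames = [rd for rt, rd in rrs if rt == "CNAME"]
        if not cnames:
            return [], chain  # no address at all: nothing to connect to
        name = cnames[0]
    raise ValueError("CNAME chain too long")

def cert_name_matches(cert_name, hostname):
    """RFC 6125-style check: '*.x' covers exactly one extra label, nothing else."""
    cert_name, hostname = cert_name.lower().rstrip("."), hostname.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == hostname
    suffix = cert_name[1:]  # "*.cloudfront.net" -> ".cloudfront.net"
    label = hostname[: -len(suffix)] if hostname.endswith(suffix) else ""
    return bool(label) and "." not in label
```

Running `resolve("cdn.example.com", parse_zone(ZONE_TEXT))` returns the placeholder CloudFront address and a chain that never includes 9.9.9.9, which is why the nginx redirect blocks above cannot be what the browser is hitting for the CDN assets.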