I manage a dozen or so domains with SSL certs that I have generated via lets-encrypt, and I use nginx to manage the web services for these domains.
It turns out that all of these domains need to have the same nginx configuration: i.e., the same location blocks, the same root, the same site parameters, etc.
The only thing which differs for each domain are the settings for ssl_certificate, ssl_certificate_key, and ssl_trusted_certificate.
The way I have handled this is to have a dozen or so server {} blocks within my nginx configuration, each of them containing almost the same data, except for those three SSL parameters.
For example ...
server {
error_log /var/log/nginx/error.log debug;
listen 80 default_server;
listen [::]:80 default_server;
listen 443 ssl http2;
server_name example-domain0.com;
ssl_certificate /etc/letsencrypt/live/example-domain0.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example-domain0.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/example-domain0.com/chain.pem;
ssl_session_cache shared:SSL:128m;
add_header Strict-Transport-Security "max-age=31557600; includeSubDomains";
ssl_stapling on;
ssl_stapling_verify on;
root /usr/share/nginx/html;
index index.php index.html index.htm;
if ($scheme != "https") {
return 301 https://$host$request_uri;
}
location / {
try_files $uri $uri/ =404;
}
location ~ \.json {
add_header Content-Type text/plain;
}
location ~ ^/(t)($|/.*) {
alias $1$2;
include uwsgi_params;
uwsgi_pass unix:/var/run/uwsgi/flask/$1.sock;
}
location ~ ^/(css|static|hm|cy|img|sq|rc|rl|oc|m|js)($|/.*) {
root /usr/share/nginx;
}
location ~ ^/(junk)($|/.*) {
root /usr/share/nginx/html;
allow all;
autoindex on;
}
location ~ \.php$ {
include phpsite_params;
}
}
server {
error_log /var/log/nginx/error.log debug;
listen 80;
listen [::]:80;
listen 443 ssl http2;
server_name example-domain1.com;
ssl_certificate /etc/letsencrypt/live/example-domain1.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example-domain1.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/example-domain01.com/chain.pem;
ssl_session_cache shared:SSL:128m;
add_header Strict-Transport-Security "max-age=31557600; includeSubDomains";
ssl_stapling on;
ssl_stapling_verify on;
root /usr/share/nginx/html;
index index.php index.html index.htm;
if ($scheme != "https") {
return 301 https://$host$request_uri;
}
location / {
try_files $uri $uri/ =404;
}
location ~ \.json {
add_header Content-Type text/plain;
}
location ~ ^/(t)($|/.*) {
alias $1$2;
include uwsgi_params;
uwsgi_pass unix:/var/run/uwsgi/flask/$1.sock;
}
location ~ ^/(css|static|hm|cy|img|sq|rc|rl|oc|m|js)($|/.*) {
root /usr/share/nginx;
}
location ~ ^/(junk)($|/.*) {
root /usr/share/nginx/html;
allow all;
autoindex on;
}
location ~ \.php$ {
include phpsite_params;
}
}
... and then a dozen or so blocks for example-domain2.com, example-domain3.com, etc. which are identical except for the domain names and the values of those SSL parameters.
This causes lots of problems if I ever want to make site configuration changes, because then I have to make identical changes in more than a dozen places within this configuration file, and sometimes that leads to errors.
Since each SSL domain requires its own ssl_certificate, ssl_certificate_key, and ssl_trusted_certificate, I'd like to create smaller server {} blocks with only that SSL configuration info, and then factor out the other, common configuration information and only keep it in one place.
Is that possible?
Thank you very much in advance.
