{"id":144,"date":"2019-11-21T10:06:41","date_gmt":"2019-11-21T09:06:41","guid":{"rendered":"http:\/\/blog.remyblom.nl\/?p=144"},"modified":"2020-11-17T10:20:57","modified_gmt":"2020-11-17T09:20:57","slug":"dynamic-vhosts-with-https-on-nginx","status":"publish","type":"post","link":"https:\/\/blog.remyblom.nl\/?p=144","title":{"rendered":"Dynamic vhosts with https on nginx"},"content":{"rendered":"\n<p>In earlier articles I described <a href=\"https:\/\/blog.remyblom.nl\/?p=115\">how to set up vhosts with https in OpenBSD&#8217;s httpd<\/a>, but in the end I got stuck because httpd did not have the flexibility I need in my webserver, so <a href=\"https:\/\/blog.remyblom.nl\/?p=141\">the switch back to nginx<\/a> was imminent. Now let&#8217;s get that dynamic vhosting running with fully automated certificate renewal from Let&#8217;s Encrypt!<\/p>\n\n\n\n<p>First we set up a server on port 80 that answers the ACME HTTP-01 challenge (the files <code>acme-client<\/code> writes to its challenge directory, <code>\/acme<\/code> here) and redirects everything else to https:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>server {\n\tlisten 80 default_server;\n\tlisten &#91;::]:80 default_server;\n\tserver_name _;\n\n\t# the acme-challenge: \/.well-known\/acme-challenge\/TOKEN is served from \/acme\/TOKEN\n\tlocation \/.well-known\/acme-challenge {\n\t\trewrite ^\/.well-known\/acme-challenge\/(.*) \/$1 break;\n\t\troot \/acme;\n\t}\n\n\t# redirect everybody else to https\n\tlocation \/ {\n\t\treturn 301 https:\/\/$host$request_uri;\n\t}\n}<\/code><\/pre>\n\n\n\n<p>Since OpenBSD&#8217;s nginx port does not allow the use of variables in the <code>ssl_certificate<\/code> and <code>ssl_certificate_key<\/code> directives, I configured <code>acme-client<\/code> with a single certificate carrying a long list of subject alternative names. 
Kinda ugly, I know&#8230;<\/p>\n\n\n\n<p>Activate this server and run:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ doas acme-client -Fv example.com<\/code><\/pre>\n\n\n\n<p>When you have your certificate you can add it to the server configuration. The document root is derived from <code>$host<\/code>: <code>example.com<\/code> and <code>www.example.com<\/code> both map to <code>\/vhosts\/example.com\/www\/<\/code>, and <code>blog.example.com<\/code> maps to <code>\/vhosts\/example.com\/blog\/<\/code>. A host that matches neither pattern would leave <code>$rootpath<\/code> empty and make <code>\/vhosts\/<\/code> itself the document root, so the connection is dropped for those instead. Note that <code>$host<\/code> is whatever the client put in its Host header; because this is the <code>default_server<\/code>, a raw client can reach it with any name, whether or not that name is on the certificate.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>server {\n\tlisten 443 ssl default_server;\n\tlisten &#91;::]:443 ssl default_server;\n\tserver_name _;\n\tset $basepath \"\/vhosts\";\n\tssl_certificate     \/etc\/ssl\/example.com.fullchain.crt;\n\tssl_certificate_key \/etc\/ssl\/private\/example.com.key;\n\n\t# example.com -> example.com\/www\/\n\tif ($host ~ \"^(.&#91;^.]*)\\.(.&#91;^.]*)$\") {\n\t\tset $rootpath \"$1.$2\/www\/\";\n\t}\n\t# sub.example.com -> example.com\/sub\/\n\tif ($host ~ \"^(.&#91;^.]*)\\.(.&#91;^.]*)\\.(.&#91;^.]*)$\") {\n\t\tset $rootpath \"$2.$3\/$1\/\";\n\t}\n\t# neither pattern matched: do not fall back to serving \/vhosts\/ itself\n\tif ($rootpath = \"\") {\n\t\treturn 444;\n\t}\n\n\troot $basepath\/$rootpath;\n\n\tlocation \/ {\n\t\t# First attempt to serve request as file, then\n\t\t# as directory, then fall back to displaying a 404.\n\t\ttry_files $uri $uri\/ =404;\n\t}\n\n\tinclude common.conf;\n}<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>$ doas rcctl reload nginx<\/code><\/pre>\n\n\n\n<p>And enjoy your dynamic vhosts with https. The only thing you need to do every time you add a (sub)domain is add it to <code>\/etc\/acme-client.conf<\/code>, renew the certificate and reload nginx so it picks up the new one.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In earlier articles I described how to set up vhosts with https in OpenBSD&#8217;s httpd, but in the end I got stuck because httpd did not have the flexibility I need in my webserver, so the switch back to nginx was imminent. 
Now let&#8217;s get that dynamic vhosting running with fully automated certificate renewal from Let&#8217;s &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/blog.remyblom.nl\/?p=144\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Dynamic vhosts with https on nginx&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10,2],"tags":[],"class_list":["post-144","post","type-post","status-publish","format-standard","hentry","category-lemp","category-vps"],"_links":{"self":[{"href":"https:\/\/blog.remyblom.nl\/index.php?rest_route=\/wp\/v2\/posts\/144","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.remyblom.nl\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.remyblom.nl\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.remyblom.nl\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.remyblom.nl\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=144"}],"version-history":[{"count":2,"href":"https:\/\/blog.remyblom.nl\/index.php?rest_route=\/wp\/v2\/posts\/144\/revisions"}],"predecessor-version":[{"id":159,"href":"https:\/\/blog.remyblom.nl\/index.php?rest_route=\/wp\/v2\/posts\/144\/revisions\/159"}],"wp:attachment":[{"href":"https:\/\/blog.remyblom.nl\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=144"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.remyblom.nl\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=144"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.remyblom.nl\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=144"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
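To see what the two if ($host ~ ...) rules in the 443 server block actually produce, here is an added Python example (not code from the original post) that mirrors the mapping with the same two regular expressions, approximates nginx's own $host normalisation (lower-case, port stripped, trailing dot dropped), and adds two checks the nginx block itself does not make: an allowlist of the names that are really on the certificate, and a verification that the resulting root stays inside the vhost directory. It also shows what happens to a host that matches neither pattern: $rootpath stays empty and the root collapses to /vhosts/ unless the server block refuses such hosts. The base path, the allowlist and the sample Host headers are constructed for this example.

```python
"""Host -> document-root mapping of the nginx 443 server block, in Python.

Added example, not code from the original post. It re-implements the two
`if ($host ~ ...)` rules so the mapping can be checked offline, approximates
nginx's $host normalisation, and adds an allowlist of the names that are
actually on the certificate. BASEPATH, ALLOWED_HOSTS and the sample Host
headers in main are constructed for this example.
"""
import posixpath
import re

BASEPATH = "/vhosts"

# The exact patterns from the nginx config (PCRE; Python's re agrees here).
TWO_LABELS = re.compile(r"^(.[^.]*)\.(.[^.]*)$")
THREE_LABELS = re.compile(r"^(.[^.]*)\.(.[^.]*)\.(.[^.]*)$")

# Names listed in /etc/acme-client.conf, i.e. on the single certificate.
# Constructed for the example: replace with your own list.
ALLOWED_HOSTS = frozenset({
    "example.com", "www.example.com", "blog.example.com",
    "example.org", "www.example.org",
})


def nginx_host(header):
    """Approximate nginx's $host: lower-cased, port removed, one trailing dot
    dropped. Returns None for anything that must never become part of a
    filesystem path (nginx itself refuses '/' and '..' in the Host header)."""
    host = header.strip().lower()
    if host.startswith("["):                 # IPv6 literal, e.g. [::1]:443
        end = host.find("]")
        if end == -1:
            return None
        host = host[:end + 1]
    else:
        host = host.split(":", 1)[0]
    if ".." in host or "/" in host or "\\" in host or "\x00" in host:
        return None
    if host.endswith("."):
        host = host[:-1]
    return host or None


def rootpath(host):
    """The two if-blocks from the config; like nginx, the last match wins."""
    path = ""
    m = TWO_LABELS.match(host)
    if m:                                    # example.com -> example.com/www/
        path = f"{m.group(1)}.{m.group(2)}/www/"
    m = THREE_LABELS.match(host)
    if m:                                    # blog.example.com -> example.com/blog/
        path = f"{m.group(2)}.{m.group(3)}/{m.group(1)}/"
    return path


def nginx_root(header):
    """`root $basepath/$rootpath` with no further checks: a host matching
    neither pattern leaves $rootpath empty, so the root becomes /vhosts/."""
    host = nginx_host(header)
    if host is None:
        return None
    return f"{BASEPATH}/{rootpath(host)}"


def document_root(header, allowed=ALLOWED_HOSTS):
    """Hardened variant: only names on the certificate, only hosts that
    matched a pattern, and the normalised result must stay inside BASEPATH."""
    host = nginx_host(header)
    if host is None or host not in allowed:
        return None
    path = rootpath(host)
    if not path:
        return None
    root = posixpath.normpath(posixpath.join(BASEPATH, path))
    if not root.startswith(BASEPATH + "/"):  # never BASEPATH itself or outside it
        return None
    return root


if __name__ == "__main__":
    # Constructed sample Host headers, including the cases the config mishandles.
    for h in ("example.com", "WWW.Example.COM:443", "blog.example.com",
              "a.b.example.com", "localhost", "evil.test", "example.com/../x"):
        print(f"{h:22} nginx: {str(nginx_root(h)):30} hardened: {document_root(h)}")
```

Running the block prints one line per sample host. The nginx column is what root $basepath/$rootpath evaluates to with no extra checks: a four-label host or a bare hostname ends up with /vhosts/ as its root, and any two- or three-label name, on the certificate or not, gets a directory under it. The hardened column is what a front-end check should allow. The allowlist is the important part: because the block is default_server, a raw client can send any Host header (and any SNI) and still reach this server, so the certificate alone does not limit which names are served.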