2016-12-05 57 views
1

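Nginx: setting up multiple domains with individual SSL certificates to the same upstream

So I have multiple Let's Encrypt SSL certificates for multiple domains (one per domain), all pointing to the same application (upstream). Currently I am using the code below. However, it is quite a lot of code, especially if I have to replicate it for every domain. So I'm wondering whether there is a way to combine it so that I have the code only once, which would make it easier to maintain.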

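Both the redirect of https://www.any-domain-here and the last main server block are problematic, because both need SSL certificates and I would have to include those certificates for all the different domains. So is there a way to do this without duplicating these code blocks?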

############################ 
# 
# Upstream 
# 
upstream upstream { 
    least_conn; 
    server app:8080; 
} 
upstream blog.upstream { 
    least_conn; 
    server app_nginx; 
} 
############################ 
# 
# redirect all 80 to 443 
# and allow Let's Encrypt 
# 
server { 
    server_name ~.; 
    listen 80; 
    listen [::]:80; 
    # config for .well-known 
    include /etc/nginx/includes/letsencrypt.conf; 

    location / {
     return   301 https://$host$uri; 
    } 
} 
############################ 
# 
# Redirect all www to non-www 
# 
server { 
    server_name "~^www\.(.*)$" ; 
    return 301 https://$1$request_uri ; 
    ssl_certificate /etc/letsencrypt/live/www.domain.com/fullchain.pem; 
    ssl_certificate_key /etc/letsencrypt/live/www.domain.com/privkey.pem; 
} 
########################## 
# HTTPS 
server { 
    listen 443 ssl http2; 
    listen [::]:443 ssl http2; 

    server_name domain.com; 

    location /blog/ { 
     proxy_set_header Host $host; 
     proxy_pass http://blog.upstream; 
    } 

    ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem; 
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem; 
    # access_log 
    access_log   /var/log/nginx/access.log; 
    # proxy_pass config 
    location / {
     # include proxy presets 
     include /etc/nginx/includes/proxy.conf; 
     proxy_pass    http://domain.com$uri; 
    } 
    # general ssl parameters 
    include /etc/nginx/includes/ssl-params-with-preload.conf; 

    root   /var/www/html; 
} 
+0

Did you ever solve this? – Karem

+0

Sorry @Karem, I didn't see your question earlier. –

Answers

0

I solved this by creating quite a few include files.

I now have the following default.conf:

# don't redirect proxy 
proxy_redirect off; 
# turn off global logging 
access_log off; 
# DON'T enable gzip as it opens up vulnerabilities 
# logging format 
log_format compression '$remote_addr - $remote_user [$time_local] ' 
         '"$request" $status $bytes_sent ' 
         '"$http_referer" "$http_user_agent" "$gzip_ratio"'; 
############################ 
# 
# redirect all 80 to 443 
# and allow Let's Encrypt 
# 
server { 
    listen 80; 
    listen [::]:80; 
    server_name ~. ; 

    location /.well-known/acme-challenge { 
    root /var/www/html; 
    default_type text/plain; 
    # allow all; 
    } 

    location / {
    return 301 https://$host$uri; 
    } 
} 
# include website configs 
include /etc/nginx/includes/nginx-server.conf; 

nginx-server.conf has the following content:

############################ 
# 
# Upstream 
# 
upstream veare_upstream { 
    server veare:8080; 
} 
############################ 
# 
# redirect all 80 to 443 
# and allow Let's Encrypt 
# 
server { 
    server_name www.veare.de; 
    listen 80; 
    listen [::]:80; 

    root /var/www/html; 

    location /.well-known/acme-challenge { 
     default_type text/plain; 
    } 

    location / {
     return   301 https://$host$uri; 
    } 
} 
############################ 
# 
# Redirect all www to non-www 
# 
server { 
    listen 80; 
    listen [::]:80; 
    server_name "~^www\.(.*)$" ; 
    return 301 https://$1$request_uri; 
} 
########################## 
# HTTPS 
include /etc/nginx/includes/domains/*.conf; 

The last line includes all my domain files, for example one for veare.de.conf; they are all named exactly like the domain:

############################ 
# 
# Redirect all www to non-www 
# 
# 
server { 
    listen 443 ssl http2; 
    listen [::]:443 ssl http2; 
    server_name www.veare.de; 
    ssl_certificate /etc/letsencrypt/live/www.veare.de/fullchain.pem; 
    ssl_certificate_key /etc/letsencrypt/live/www.veare.de/privkey.pem; 
    return 301 https://veare.de$request_uri; 
} 
########################## 
# HTTPS 
server { 
    server_name veare.de; 
    ssl_certificate /etc/letsencrypt/live/veare.de/fullchain.pem; 
    ssl_certificate_key /etc/letsencrypt/live/veare.de/privkey.pem; 

    location ^~ /.well-known/acme-challenge { 
     allow all; 
     # Set correct content type. According to this: 
     # https://community.letsencrypt.org/t/using-the-webroot-domain-verification-method/1445/29 
     # Current specification requires "text/plain" or no content header at all. 
     # It seems that "text/plain" is a safe option. 
     default_type "text/plain"; 
     root /var/www/html; 
    } 

    include /etc/nginx/includes/main-server.conf; 
} 

This works perfectly for me.
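
The per-domain files in the answer above differ only in the domain name, so they can be rendered from one template instead of being copied by hand. The script below is an added example, not code from the original answer: render_domain_conf and valid_domain are hypothetical helpers, the paths are the ones shown in the answer, and main-server.conf is assumed to carry the listen directives and shared settings, since the page does not show it.

```shell
#!/bin/sh
# Added example: renders one per-domain file for /etc/nginx/includes/domains/.
# Paths mirror the answer above; the function names are hypothetical.
LC_ALL=C    # make the a-z range below byte-based in every shell

# Accept only plain lowercase hostnames. The value is interpolated into nginx
# directives and certificate paths, so ';', '{', '/', whitespace and '..'
# must never get through.
valid_domain() {
    case "$1" in
        ''|.*|*.|-*|*..*|*.-*|*-.*|*-) return 1 ;;
        *[!a-z0-9.-]*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the two HTTPS server blocks for one domain to stdout.
render_domain_conf() {
    domain=$1
    valid_domain "$domain" || { echo "invalid domain: $domain" >&2; return 1; }
    live=/etc/letsencrypt/live
    cat <<EOF
# Redirect www to non-www
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.$domain;
    ssl_certificate $live/www.$domain/fullchain.pem;
    ssl_certificate_key $live/www.$domain/privkey.pem;
    return 301 https://$domain\$request_uri;
}
# HTTPS
server {
    server_name $domain;
    ssl_certificate $live/$domain/fullchain.pem;
    ssl_certificate_key $live/$domain/privkey.pem;
    location ^~ /.well-known/acme-challenge {
        default_type "text/plain";
        root /var/www/html;
    }
    include /etc/nginx/includes/main-server.conf;
}
EOF
}

# Usage: render_domain_conf veare.de > /etc/nginx/includes/domains/veare.de.conf
```

Run `nginx -t` after writing a rendered file and before reloading, so a missing certificate path is caught before it takes the other domains down with it.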