- Host multiple sites on a single server
- Use Let's Encrypt and force SSL on all subdomains
- Create an area for Let's Encrypt's ACME verification, but restrict this to specific host headers
- This is so we can auto-renew certs but prevent my server from responding to someone else's bogus enrollment request if they point DNS at my server and it responds to the validation
- Create an https `default_server` fallback, so my sites are isolated if you type the IP address directly
- Top security practices, with an A+ rating on SSLLabs.com scan
This readme will not walk through command by command how to configure nginx or Let's Encrypt, but is aimed at providing general steps and proper config files.
WARNING: THIS IS INCOMPLETE
We need a temporary configuration so that Let's Encrypt can make a verification request via http first, since SSL is not yet set up. I am going to set up https on the default site where unrouted requests that do not match a specific host header will go.
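As an added example (not this README's own config), the following shows one way to express the two ideas above: ACME challenges are only answered for hostnames this server actually owns, and a `default_server` on both 80 and 443 closes the connection for any other Host header or raw-IP request. The hostnames, the webroot and the fallback certificate paths are assumptions.

```nginx
# Added example, not part of the README. Hostnames and paths are placeholders.

# Catch-all for requests whose Host header matches none of our sites
# (including raw-IP requests). 444 closes the connection without a response,
# so a stranger who points DNS at this box cannot get it to answer their
# ACME validation.
server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;
    server_name _;
    return 444;
}

# Only the names we own get ACME challenges served; everything else on
# these hosts is redirected to https.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;   # placeholder hostnames

    # certbot --webroot -w /var/www/letsencrypt writes the token here
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;             # placeholder webroot
        default_type "text/plain";
        try_files $uri =404;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# https catch-all: unmatched hosts and raw-IP https requests get a closed
# connection instead of one of the real sites, so the sites stay isolated.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server ipv6only=on;
    server_name _;
    # nginx must complete the TLS handshake before it can look at SNI or
    # Host, so a certificate is still required here; a self-signed
    # placeholder is fine because nothing legitimate should land on it.
    ssl_certificate     /etc/nginx/ssl/fallback.crt;   # placeholder
    ssl_certificate_key /etc/nginx/ssl/fallback.key;   # placeholder
    return 444;
}
```

Check the result with `nginx -t` before reloading, and confirm from another host that an https request to the bare IP is dropped rather than served by one of the named sites.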
IN PROGRESS
Once the initial SSL cert is configured, it's time to set up the rest of the sites on the server and redirect all http to https.
In `/etc/nginx/conf.d/default.conf`:
[TODO]: Remove http (the redirect will cover it since it's no longer needed for ACME verification)
In `/etc/nginx/conf.d/http-redirect.conf`:
```nginx
## Redirect http to https
server {
    listen 80;
    listen [::]:80 ipv6only=on;
    server_name mydomain.com;

    # Permanent redirect; $host keeps the requested hostname and
    # $request_uri preserves the path and query string.
    location / {
        return 301 https://$host$request_uri;
    }
}
```
In `mysite.example.com.conf` (repeat this config for multiple sites):
[TODO]: add config
- Let's Encrypt Configuration Gist by cecilemuller