SSL Proxy for Multi Tenant Sites on AWS

directions.sh

ssh -i your_key.pem ec2-user@YOUR_EC2_IP

sudo yum-config-manager --add-repo https://openresty.org/package/amazon/openresty.repo
sudo yum install openresty
sudo yum install openresty-resty

# if https://openresty.org/package/amazon/2/x86_64/repodata/repomd.xml: \[Errno 14\] HTTPS Error 404 - Not Found

# sudo vim /etc/yum.repos.d/openresty.repo 
# exchange the $releasever placeholder of the baseurl to “latest” baseurl=https://openresty.org/package/amazon/latest/$basearch.

wget http://luarocks.org/releases/luarocks-2.0.13.tar.gz
tar -xzvf luarocks-2.0.13.tar.gz
cd luarocks-2.0.13/
./configure --prefix=/usr/local/openresty/luajit \
    --with-lua=/usr/local/openresty/luajit/ \
    --lua-suffix=jit \
    --with-lua-include=/usr/local/openresty/luajit/include/luajit-2.1
make
sudo make install

sudo yum install gcc

sudo groupadd www
sudo usermod -a -G www ec2-user

sudo /usr/local/openresty/luajit/bin/luarocks install lua-resty-auto-ssl
sudo mkdir /etc/resty-auto-ssl
sudo chown -R root:www /etc/resty-auto-ssl/
sudo chmod -R 775 /etc/resty-auto-ssl

sudo openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
  -subj '/CN=sni-support-required-for-valid-ssl' \
  -keyout /etc/ssl/resty-auto-ssl-fallback.key \
  -out /etc/ssl/resty-auto-ssl-fallback.crt
  
sudo mv /usr/local/openresty/nginx/conf/nginx.conf /usr/local/openresty/nginx/conf/nginx.backup.conf
sudo vim /usr/local/openresty/nginx/conf/nginx.conf

sudo service openresty start

# Tail Errors 
tail -F /usr/local/openresty/nginx/logs/error.log

nginx.conf

user ec2-user www;
worker_processes auto;
pid /run/openresty.pid;

events {
  worker_connections 1024;
}

http {
  lua_shared_dict auto_ssl 1m;
  lua_shared_dict auto_ssl_settings 64k;
  resolver 8.8.8.8 ipv6=off;

  init_by_lua_block {
    auto_ssl = (require "resty.auto-ssl").new()
    auto_ssl:set("allow_domain", function(domain)
      return true
    end)
    auto_ssl:init()
  }

  init_worker_by_lua_block {
    auto_ssl:init_worker()
  }

  server {
    listen 443 ssl;
    ssl_certificate_by_lua_block {
      auto_ssl:ssl_certificate()
    }
    ssl_certificate /etc/ssl/resty-auto-ssl-fallback.crt;
    ssl_certificate_key /etc/ssl/resty-auto-ssl-fallback.key;

    set $pipe_proxy "dns.pipemusic.co";

    location / {
      proxy_set_header        Host $pipe_proxy;
      proxy_set_header        X-Real-IP $remote_addr;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header        X-Forwarded-Proto $scheme;
      proxy_set_header        X-Forwarded-Server $host;

      proxy_cookie_domain     $pipe_proxy $host;
      proxy_ssl_server_name   on;
      proxy_ssl_name          $pipe_proxy;
      proxy_ssl_protocols     TLSv1.2;
      proxy_pass              https://$pipe_proxy;
      proxy_read_timeout      90;
    }
  }

  server {
    listen 80;
    location /.well-known/acme-challenge/ {
      content_by_lua_block {
        auto_ssl:challenge_server()
      }
    }
    location / {
      return 301 https://$host$request_uri;
    }
  }

  server {
    listen 127.0.0.1:8999;
    client_body_buffer_size 128k;
    client_max_body_size 128k;

    location / {
      content_by_lua_block {
        auto_ssl:hook_server()
      }
    }
  }
}