# SSL with subdomains

Dockerfile:

```dockerfile
FROM docker.io/rockdrilla/angie-conv:v0.0.1

COPY /site/   /etc/angie/site/
COPY /static/ /etc/angie/static/
COPY /tls/    /etc/angie/tls/

ENV NGX_HTTP_CONFLOAD='ssl'
```

---

configuration:

```nginx
server {
    listen 8443 ssl;

    server_name www.example.org;

    ssl_certificate      tls.d/www.example.org.chain.crt;
    ssl_certificate_key  tls.d/www.example.org.pem;

    root static.d/www.example.org;
}
```

---

configuration for wildcard certificate:

```nginx
server {
    listen 8443 ssl;

    server_name .example.org;

    ssl_certificate      tls.d/example.org.chain.crt;
    ssl_certificate_key  tls.d/example.org.pem;

    root static.d/example.org;
}
```

*Note: certificate must have* `X509v3 Subject Alternative Name` *property with value like* `DNS:example.org, DNS:*.example.org` .

---

(optional) configuration for cut-off SSL server block (see [documentation](https://angie.software/en/configuration/modules/http/http_ssl/#ssl-reject-handshake) for rationale):

```nginx
server {
    listen 8443 ssl default_server bind deferred;

    server_name _;

    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

    ## reject connections early
    ssl_reject_handshake on;
}
```

---

Test URI e.g. with `curl`:
```sh
curl --cacert ./tls/ca/root-ca.crt --capath /nonexistent --resolve example.org:8443:127.0.0.1 https://example.org:8443/

curl --cacert ./tls/ca/root-ca.crt --capath /nonexistent --resolve www.example.org:8443:127.0.0.1 https://www.example.org:8443/

curl --cacert ./tls/ca/root-ca.crt --capath /nonexistent --resolve test.example.org:8443:127.0.0.1 https://test.example.org:8443/
```