78 lines
1.6 KiB
Markdown
78 lines
1.6 KiB
Markdown
# SSL with subdomains
|
|
|
|
Dockerfile:
|
|
|
|
```dockerfile
|
|
FROM docker.io/rockdrilla/angie-conv:v0.0.1
|
|
|
|
COPY /site/ /etc/angie/site/
|
|
COPY /static/ /etc/angie/static/
|
|
COPY /tls/ /etc/angie/tls/
|
|
|
|
ENV NGX_HTTP_CONFLOAD='ssl'
|
|
```
|
|
|
|
---
|
|
|
|
configuration:
|
|
|
|
```nginx
|
|
server {
|
|
listen 8443 ssl;
|
|
|
|
server_name www.example.org;
|
|
|
|
ssl_certificate tls.d/www.example.org.chain.crt;
|
|
ssl_certificate_key tls.d/www.example.org.pem;
|
|
|
|
root static.d/www.example.org;
|
|
}
|
|
```
|
|
|
|
---
|
|
|
|
configuration for wildcard certificate:
|
|
|
|
```nginx
|
|
server {
|
|
listen 8443 ssl;
|
|
|
|
server_name .example.org;
|
|
|
|
ssl_certificate tls.d/example.org.chain.crt;
|
|
ssl_certificate_key tls.d/example.org.pem;
|
|
|
|
root static.d/example.org;
|
|
}
|
|
```
|
|
|
|
*Note: certificate must have* `X509v3 Subject Alternative Name` *property with value like* `DNS:example.org, DNS:*.example.org` .
|
|
|
|
---
|
|
|
|
(optional) configuration for cut-off SSL server block (see [documentation](https://angie.software/en/configuration/modules/http/http_ssl/#ssl-reject-handshake) for rationale):
|
|
|
|
```nginx
|
|
server {
|
|
listen 8443 ssl default_server bind deferred;
|
|
|
|
server_name _;
|
|
|
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
|
|
|
|
## reject connections early
|
|
ssl_reject_handshake on;
|
|
}
|
|
```
|
|
|
|
---
|
|
|
|
Test URI e.g. with `curl`:
|
|
```sh
|
|
curl --cacert ./tls/ca/root-ca.crt --capath /nonexistent --resolve example.org:8443:127.0.0.1 https://example.org:8443/
|
|
|
|
curl --cacert ./tls/ca/root-ca.crt --capath /nonexistent --resolve www.example.org:8443:127.0.0.1 https://www.example.org:8443/
|
|
|
|
curl --cacert ./tls/ca/root-ca.crt --capath /nonexistent --resolve test.example.org:8443:127.0.0.1 https://test.example.org:8443/
|
|
```
|