1
0
angie-conv-image/doc/examples/ssl
2024-11-18 11:30:16 +03:00
..
demo-ca doc: SSL example 2024-09-20 03:10:13 +03:00
site doc: SSL example 2024-09-20 03:10:13 +03:00
static doc: SSL example 2024-09-20 03:10:13 +03:00
tls doc: SSL example 2024-09-20 03:10:13 +03:00
docker-compose.yml bump version to 0.0.7 2024-11-18 11:30:16 +03:00
Dockerfile bump version to 0.0.7 2024-11-18 11:30:16 +03:00
README.md doc: update examples 2024-11-08 14:19:36 +03:00

SSL with subdomains

consult Dockerfile or docker-compose.yml - both are simple and fine enough.


configuration:

server {
    listen 8443 ssl;

    server_name www.example.org;

    ssl_certificate      tls.d/www.example.org.chain.crt;
    ssl_certificate_key  tls.d/www.example.org.pem;

    root static.d/www.example.org;
}

configuration for wildcard certificate:

server {
    listen 8443 ssl;

    server_name .example.org;

    ssl_certificate      tls.d/example.org.chain.crt;
    ssl_certificate_key  tls.d/example.org.pem;

    root static.d/example.org;
}

Note: certificate must have X509v3 Subject Alternative Name property with value like DNS:example.org, DNS:*.example.org .


(optional) configuration for cut-off SSL server block (see documentation for rationale):

server {
    listen 8443 ssl default_server bind deferred;

    server_name _;

    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

    ## reject connections early
    ssl_reject_handshake on;
}

Test URI e.g. with curl:

curl --cacert ./tls/ca/root-ca.crt --capath /nonexistent --resolve example.org:8443:127.0.0.1 https://example.org:8443/

curl --cacert ./tls/ca/root-ca.crt --capath /nonexistent --resolve www.example.org:8443:127.0.0.1 https://www.example.org:8443/

curl --cacert ./tls/ca/root-ca.crt --capath /nonexistent --resolve test.example.org:8443:127.0.0.1 https://test.example.org:8443/