Altering context for ssl_certificate?

upgrade.ambition · 2018-05-23T19:26:02+00:00

Hello! I am trying to create a router for internal testing. I am using openresty image RESTY_CONFIG_OPTIONS_MORE. As the messages we are sendi...

Altering context for ssl_certificate?

upgrade.ambition

The ssl_certificate directive from the http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate module - it has a server and an http context.

I have gone a little far while creating my config for autossl, multidomain (SAN) SSL within the same server { .... } block.

All of my config is under the same server block - for listen IP:80 and listen IP:443 too. Something like this :

=======================================================================================================

server {

listen IP:80;

listen IP:443;

server_name example.com www.example.com alias.com sub.example.com ;

ssl_certificate /path/to/cert/fullchain.pem;

ssl_certificate_key /path/tp/cert/privkey.pem;

if ( $scheme = \"http\" ) { return 301 https://$host$request_uri; }

}

=========================================================================================================

This works as long as I have a SAN cert. But, now, I want to add individual certs for each of the domains, aliases and subdomains above.

I need something like :

if ($host = "example.com") {

ssl_certificate /path/to/cert/examplecom.pem; ssl_certificate_key /path/tp/cert/examplecom.pem; if ( $scheme = \"http\" ) { return 301 https://$host$request_uri; }

}

if ($host = "alias.com") {

ssl_certificate /path/to/cert/aliascom.pem; ssl_certificate_key /path/tp/cert/aliascom.pem; if ( $scheme = \"http\" ) { return 301 https://$host$request_uri; }

}

But, the ssl_certificate directive does not have an if context. Hence, I am not able to write such a config.

I understand that I will have to anyways create a new server block per domain eventually.

But, is the above possible by tweaking something?

-Thank you!

nazneensunona

I suggest moving that logic to another lua file as described in https://github.com/openresty/lua-nginx-module/issues/627

Thanks

On Wednesday, May 23, 2018 at 4:26:02 AM UTC-7, Kamalkishor wrote:

The ssl_certificate directive from the http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate module - it has a server and an http context.

I have gone a little far while creating my config for autossl, multidomain (SAN) SSL within the same server { .... } block.

All of my config is under the same server block - for listen IP:80 and listen IP:443 too. Something like this :

=======================================================================================================
server {
listen IP:80;
listen IP:443;

server_name example.com www.example.com alias.com sub.example.com ;

ssl_certificate /path/to/cert/fullchain.pem;
ssl_certificate_key /path/tp/cert/privkey.pem;

  if ( $scheme = \"http\" ) { return 301 https://$host$request_uri; }

}

=========================================================================================================

This works as long as I have a SAN cert. But, now, I want to add individual certs for each of the domains, aliases and subdomains above.

I need something like :

if ($host = "example.com") {
ssl_certificate /path/to/cert/examplecom.pem; ssl_certificate_key /path/tp/cert/examplecom.pem;   if ( $scheme = \"http\" ) { return 301 https://$host$request_uri; }

}

if ($host = "alias.com") {
ssl_certificate /path/to/cert/aliascom.pem; ssl_certificate_key /path/tp/cert/aliascom.pem;   if ( $scheme = \"http\" ) { return 301 https://$host$request_uri; }

}

But, the ssl_certificate directive does not have an if context. Hence, I am not able to write such a config.

I understand that I will have to anyways create a new server block per domain eventually.

But, is the above possible by tweaking something?

-Thank you!

upgrade.ambition

Thank you for your reply!
I will try that.