Handling 15,000+ SSL certs and nginx configuration

Posted by alican 
Handling 15,000+ SSL certs and nginx configuration
October 21, 2016 05:51PM
Hello All,

I am running an application that has about 200,000 subdomains and 15,000 custom domains. Each subdomain belongs to a customer, and they have the ability to white-label my platform by using their own 'custom domains'.

I currently have only 1 nginx configuration file to serve all of these domains. I make use of the $http_name variable to dynamically define my websites within a single nginx virtual host config, but I’d like to implement SSL certificates on all of them.

The 200,000 subdomains are easy because I can get away with a couple of lines of code with a wildcard certificate.

My problem is custom domains. These 15,000 unique domains require an SSL cert, and I implemented Let’s Encrypt to generate certificates for all of them. It works properly so far.

Here is my question:

My understanding is that I cannot use variables in file paths. Therefore, to be able to point 15k domains to the proper SSL cert, I need to create 15,000 nginx configurations. It’s going to be very hard to manage. What can I do to overcome this problem? Is there any other easy way?



Edited 1 time(s). Last edit at 10/21/2016 05:52PM by alican.
Re: Handling 15,000+ SSL certs and nginx configuration
October 22, 2016 04:03AM
Ideas:
https://www.google.nl/#q=nginx+dynamic+loading+certificate

Just one example:
http://www.greg-gilbert.com/2015/08/serve-dynamic-ssl-certificates-in-nginx/

---
nginx for Windows http://nginx-win.ecsds.eu/
Re: Handling 15,000+ SSL certs and nginx configuration
October 28, 2016 03:28PM
Thanks for the guidance, itpp2012.

What is your recommendation for terminating 15,000+ SSL certificates?

Nginx takes 2 minutes to reload that many certificates (under 0 load), and because our domains can change at any time, we need to issue an nginx reload very frequently.
Also, terminating 2048 bit certs will have some overhead as well...
Re: Handling 15,000+ SSL certs and nginx configuration
October 28, 2016 05:40PM
Your best bet is to go for Lua; reloading nginx conf is an option but can lead to problems when done too many times.

---
nginx for Windows http://nginx-win.ecsds.eu/
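
The Lua approach recommended above, as an added example that is not part of the original posts or the linked article: one server block picks the certificate per handshake from the SNI name, so adding or renewing a custom domain needs no reload. It assumes OpenResty (or nginx built with lua-nginx-module and lua-resty-core); the certificate directory layout and the `cert_cache` dictionary name are hypothetical.

```nginx
# Added example; goes inside http { }. Needs lua-nginx-module + lua-resty-core.
# Assumed layout: /etc/nginx/certs/<domain>/fullchain.pem and privkey.pem
lua_shared_dict cert_cache 64m;  # hypothetical name; PEM cache shared by workers

server {
    listen 443 ssl;
    server_name _;

    # Fallback pair: nginx requires one at startup, and it stays in effect
    # whenever the Lua handler returns without setting a certificate.
    ssl_certificate     /etc/nginx/certs/default/fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/default/privkey.pem;

    ssl_certificate_by_lua_block {
        local ssl = require "ngx.ssl"
        local name = ssl.server_name()
        if not name then return end               -- no SNI sent: keep fallback
        name = name:lower()
        -- SNI is client-controlled and becomes part of a file path below:
        -- accept hostname characters only, no leading dot, no "..".
        if #name > 253 or not name:match("^[a-z0-9][a-z0-9.-]*$") or name:find("..", 1, true) then
            return
        end

        local cache = ngx.shared.cert_cache
        local chain_pem, key_pem = cache:get(name .. ":c"), cache:get(name .. ":k")
        if not (chain_pem and key_pem) then
            local dir = "/etc/nginx/certs/" .. name .. "/"
            local cf, kf = io.open(dir .. "fullchain.pem"), io.open(dir .. "privkey.pem")
            if not (cf and kf) then               -- unknown domain: keep fallback
                if cf then cf:close() end
                if kf then kf:close() end
                return
            end
            chain_pem, key_pem = cf:read("*a"), kf:read("*a")
            cf:close(); kf:close()
            cache:set(name .. ":c", chain_pem, 3600)  -- 1 h TTL so renewals are picked up
            cache:set(name .. ":k", key_pem, 3600)
        end

        local chain = ssl.parse_pem_cert(chain_pem)
        local key = ssl.parse_pem_priv_key(key_pem)
        if not (chain and key) then return end    -- unparsable PEM: keep fallback
        ssl.clear_certs()                         -- drop the fallback for this handshake
        local ok = ssl.set_cert(chain) and ssl.set_priv_key(key)
        if not ok then ngx.log(ngx.ERR, "failed to set certificate for ", name) end
    }
}
```

Since nginx 1.15.9, `ssl_certificate` and `ssl_certificate_key` also accept variables such as `$ssl_server_name`, which covers the same case without Lua at the cost of loading the certificate on every handshake.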
Re: Handling 15,000+ SSL certs and nginx configuration
November 01, 2016 07:02PM
Thank you for your help itpp2012! I am going to closely investigate Lua.

Would you please speak more about running nginx reloads too frequently? What would happen if I do that? I thought it was the safest option to re-load certificates without any downtime.