Welcome! Log In Create A New Profile

Advanced

Re: I'm about to embark on creating 12000 vhosts

February 12, 2019 05:08AM
And having looked at this further we would have to append the key to the end of the certificate bundle after it was issued from LE as an extra step in the processing so that this could work.

This still seems to be the best way forward, even if it requires an extra step in this case.

Kind regards,
Richard

On Tue, 2019-02-12 at 09:56 +0000, Richard Paul wrote:
Hi Lucas,

Well that looks great. I've not looked at HAproxy too much, as I've not used it before other than during a switch over just prior to Christmas last year where rinetd couldn't cope with the incoming traffic load and we had to cobble together a quick HAProxy layer 4 configuration to redirect traffic from AWS to GCP.

I'll start digging into this a bit more as this looks like a better solution and I can maybe just use LE's webroot plugin without having to generate and sync Nginx configuration as well as the certs over to the TLS terminator instances.

Kind regards,
Richard

On Tue, 2019-02-12 at 09:32 +0000, Lucas Rolff wrote:
In haproxy, you simply specify a path where you have all your certificates.

frontend https_frontend
bind *:443 ssl crt /etc/haproxy/certs/default-cert.pem crt /etc/haproxy/certs alpn h2,http/1.1

This way, haproxy will read all certs, and when stuff comes in, it uses the host header to determine which certificate it should serve.

There was a thread on the haproxy mailing list not long ago, with managing more than 100k certificates per haproxy instance, and they’re working on further optimizations with those kinds of deployments (if it’s not already done.. haven’t checked to be honest).

Best Regards,

From: nginx <nginx-bounces@nginx.org> on behalf of Richard Paul <Richard@primarysite.net>
Reply-To: "nginx@nginx.org" <nginx@nginx.org>
Date: Tuesday, 12 February 2019 at 10.04
To: "nginx@nginx.org" <nginx@nginx.org>
Subject: Re: I'm about to embark on creating 12000 vhosts

Hi Jeff

That's interesting, how do you manage the progamming to load the right certificate for the right domain coming in as the server name? We need to load the right certificate for the incoming domain and the 12000 figure is the number of unique vanity domains without the www. subdomains.

We're planning to follow the same path as you though, we're essentially putting these Nginx TLS terminators (fronted by GCP load balancers) in front of our existing Varnish caching and Nginx backend infrastructure which currently only listen on port 80.

I couldn't work out what the limits are at LE as it's not clear with regards to adding new unique domains limits. I'm going to have to ask in the forums at some point so that I can work out what our daily batches are going to be.

Kind regards,
Richard

On Mon, 2019-02-11 at 14:33 -0500, Jeff Dyke wrote:
I use haproxy in a similar way as stated by Rainer, rather than having hundreds and hundreds of config files (yes there are other ways), i have 1 for haproxy and 2(on multiple machines defined in HAProxy). One for my main domain that listens to an "real" server_name and another that listens to `server_name _;` All of the nginx servers simply listen on 80 and 81 to handle non H2 clients and the application does the correct thing with the domain. Which is where YMMV as all applications differ.

I found this much simpler and easier to maintain over time. I got around the LE limits by a staggered migration, so i was only requesting what was in the limit each day, then have a custom script that calls LE (which is also on the same machine as HAProxy) when certs are about 10 days out, so the staggering stays within the limits. When i was using custom configuration, i was build them via python using a yaml file and nginx would effectively be a jinja2 template. But even that became onerous. When going down the nginx path ensure you pay attention to the variables that control domain hash sizes. http://nginx.org/en/docs/hash.html

HTH, good luck!
Jeff

On Mon, Feb 11, 2019 at 1:58 PM Rainer Duffner <rainer@ultra-secure.de<mailto:rainer@ultra-secure.de>> wrote:



Am 11.02.2019 um 16:16 schrieb rick_pri <nginx-forum@forum.nginx.org<mailto:nginx-forum@forum.nginx.org>>:

However, our customers, with about 12000 domain names at present have


Let’s Encrypt rate limits will likely make these very difficult to obtain and also to renew.

If you own the DNS, maybe using Wildcard DNS entries is more practical.

Then, HAProxy allows to just drop all the certificates in a directory and let itself figure out the domain-names it has to answer.
At least, that’s what my co-worker told me.

Also, there’s the fabio LB with similar goal-posts.




_______________________________________________
nginx mailing list
nginx@nginx.org<mailto:nginx@nginx.org>
http://mailman.nginx.org/mailman/listinfo/nginx

_______________________________________________

nginx mailing list
<mailto:nginx@nginx.org>
<mailto:nginx@nginx.org>

nginx@nginx.org



http://mailman.nginx.org/mailman/listinfo/nginx
http://mailman.nginx.org/mailman/listinfo/nginx

http://mailman.nginx.org/mailman/listinfo/nginx


_______________________________________________

nginx mailing list

<mailto:nginx@nginx.org>

nginx@nginx.org

http://mailman.nginx.org/mailman/listinfo/nginx

http://mailman.nginx.org/mailman/listinfo/nginx

_______________________________________________

nginx mailing list

<mailto:nginx@nginx.org>

nginx@nginx.org


http://mailman.nginx.org/mailman/listinfo/nginx

http://mailman.nginx.org/mailman/listinfo/nginx
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

I'm about to embark on creating 12000 vhosts

rick_pri February 11, 2019 10:16AM

Re: I'm about to embark on creating 12000 vhosts

Ben Schmidt February 11, 2019 10:36AM

Re: I'm about to embark on creating 12000 vhosts

rick_pri February 11, 2019 11:00AM

Re: I'm about to embark on creating 12000 vhosts

Robert Paprocki February 11, 2019 01:36PM

Re: I'm about to embark on creating 12000 vhosts

Peter Booth via nginx February 11, 2019 02:56PM

Re: I'm about to embark on creating 12000 vhosts

Anoop Alias February 11, 2019 09:02PM

Re: I'm about to embark on creating 12000 vhosts

rick_pri February 12, 2019 04:46AM

Re: I'm about to embark on creating 12000 vhosts

rick_pri February 12, 2019 04:42AM

Re: I'm about to embark on creating 12000 vhosts

rick_pri February 12, 2019 03:46AM

Re: I'm about to embark on creating 12000 vhosts

Anonymous User February 12, 2019 04:34AM

Re: I'm about to embark on creating 12000 vhosts

Rainer Duffner February 11, 2019 02:00PM

Re: I'm about to embark on creating 12000 vhosts

jeffdyke February 11, 2019 02:34PM

Re: I'm about to embark on creating 12000 vhosts

rick_pri February 12, 2019 04:06AM

Re: I'm about to embark on creating 12000 vhosts

Lucas Rolff February 12, 2019 04:34AM

Re: I'm about to embark on creating 12000 vhosts

rick_pri February 12, 2019 04:58AM

Re: I'm about to embark on creating 12000 vhosts

rick_pri February 12, 2019 05:08AM

Re: I'm about to embark on creating 12000 vhosts

jeffdyke February 12, 2019 10:38AM

Re: I'm about to embark on creating 12000 vhosts

rick_pri February 13, 2019 03:40AM

Re: I'm about to embark on creating 12000 vhosts

A. Schulze February 11, 2019 02:56PM

Re: I'm about to embark on creating 12000 vhosts

rick_pri February 12, 2019 04:08AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 75
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready