Looking for some advice and peer input - I'm currently trying to configure NGINX in a way so that I can configure multiple websites at the same time without having to set up individual VHost configs or declaring multiple 'server {}' entries with duplicate config parameters in my NGINX configuration. I have partial success thus far but I'm worried that in doing this it might create security concerns or inadvertently have too broadly defined range. I'm also unsure how to properly/correctly use the "default" value in 'map' directive.
All in all, currently I have a typical NGINX configuration with 2 VHost configs for one domain name (and a 'www.*' subdomain for it) in 'nginx_root/sites-available' - one for HTTP (port 80) and one for HTTPS (port 443) which are soft-symlinked to 'nginx_root/sites-enabled'. But as previously mentioned - I'd like to add additional domain names but keep the amount and size of these configs as they currently are by using the NGINX 'map' features to set-up new domain names dynamically.
The way I've mapped it at the moment is by creating a config file: 'nginx_root/mapped_fqdn.conf' which I have then included early in my NGINX config (so that it gets mapped before it's called/referenced further in the config) and then using the map as 'server_name' parameter. If it's possible to expand this to other config parameters and safe to do so, I'd like to add the new domain names in this same way.
mapped_fqdn.conf:
### Domain name mapping
map $host $fqdn_map {
hostnames;
default 0;
domain-1.com 0;
www.domain-1.com 0;
}
00-http.conf:
server {
listen 80;
listen [::]:80;
server_name $fqdn_map;
root /var/www/public_html;
index index.html;
access_log /var/log/nginx/nginx_access.log nginx_access;;
### HTTP to HTTPS Redirect
return 301 https://$server_name$request_uri;
}
For the sake of not repeating I'll skip adding the HTTPS config, which looks about the same, except it has some few minor additional parameters, along with the SSL-specific config parameters added and doesn't have the 301 redirect, which is present in the HTTP config.
The way I see it, I can add the additional domain names in the same way...
example of updated mapped_fqdn.conf: (the way I see is that perhaps adding specific subdomains would be safer than adding them like wildcards, i.e.: "*.domain.com")
### Domain name mapping
map $host $fqdn_map {
hostnames;
default 0;
domain-1.com 10;
www.domain-1.com 11;
domain-2.co.uk 20;
www.domain-2.co.uk 21;
subdomain1.domain-2.co.uk 22;
subdomain2.domain-2.co.uk 23;
domain-3.com 30;
www.domain-3.com 31;
subdomain1.domain-3.com 32;
}
example of updated 00-http.conf:
server {
listen 80;
listen [::]:80;
server_name $fqdn_map;
root /var/www/$fqdn_map/public_html;
index index.html;
access_log /var/log/nginx/$fqdn_map-nginx_access.log nginx_access;;
### HTTP to HTTPS Redirect
return 301 https://$server_name$request_uri;
}
However, before I proceed, I'm concerned about how would this work with directories, i.e.: Let's Encrypt certificates for HTTPS config - is it possible to specifically select which mapped items to use? For example: $fqdn_map{10|20|30} (this way selecting only the domain names without subdomain names).
ssl_client_certificate /etc/ssl/certs/$fqdn_map{10|20|30}/cloudflare_origin.pem;
ssl_certificate /etc/letsencrypt/live/$fqdn_map{10|20|30}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/$fqdn_map{10|20|30}/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/$fqdn_map{10|20|30}/chain.pem;
Or perhaps I'm going about this the wrong way and I should map FQDN and subdomains separately ... or maybe just create symlinks and junctions from mapped subdomain directories to fqdn directories (which, while resulting in less/cleaner configs, leads to more symlinking kinda defeating the purpose of "doing less but achieving more")?