I have Nginx configured to serve a WordPress subdomain multisite with domain.com as the main domain.

We use it to create several sites for our customers. Some of them want a personalized URL: on our side we have customername.domain.com, and we configure the WordPress site to use customerdomain.com so the customer site is served without using our subdomain.

My Nginx looks like:

map $http_host $blogid {
    default       -999;

    #Ref: http://wordpress.org/extend/plugins/nginx-helper/
    #include /var/www/wordpress/wp-content/plugins/nginx-helper/map.conf ;

}

server {
    server_name domain.com *.domain.com ;

    root /var/www/html/portal;
    index index.php;

    access_log /var/log/nginx/nginxwp.access.log combined;
    error_log /var/log/nginx/nginxwp.error.log;

    client_max_body_size 100M;

    location / {
        try_files $uri $uri/ /index.php?$args ;
    }


    #WPMU Files
        location ~ \.php$ {
                autoindex on;
                try_files $uri =404;
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
               # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini

                # With php5-fpm:
                #fastcgi_pass unix:/var/run/php5-fpm.sock;
                fastcgi_pass unix:/run/php/php7.0-fpm.sock;
                fastcgi_index index.php;
                include fastcgi_params;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                client_max_body_size 100M;
                proxy_connect_timeout      180;
                proxy_send_timeout         180;
                proxy_read_timeout         180;
        }
        location ~ ^/files/(.*)$ {
                try_files /wp-content/blogs.dir/$blogid/$uri /wp-includes/ms-files.php?file=$1 ;
                access_log off; log_not_found off;      expires max;
        }
}

Until here, everything works fine.

Now I need to secure my customer domain.

How can I serve my customer site under an SSL certificate for the domain customerdomain.com and keep the other sites under HTTP, leaving even our main site domain.com untouched?

GIJOW
  • Off the top of my head, you might need an SSL certificate that includes both domain names, and you will need one Nginx configuration per customer. I run four Wordpress websites for myself, I started using WP Multisite but I quickly ran into limitations and problems and ended up moving to separate Wordpress installs. It's a bit more work to manage, but you get flexibility and easy setup. In short: move to individual Wordpress installs. – Tim Apr 05 '18 at 19:26
  • I could find a solution using multisite. There is my answer, if interested. – GIJOW Apr 06 '18 at 16:45

1 Answer

After a lot of research, tries and failures, I could make it work in the simplest possible way.

Don't forget to use a SAN certificate for the domains you may want to secure.

I just handled WordPress Multisite as a normal site, and secured it as I would any other single site (WP or not).

At least with my little knowledge of Nginx, I secure my sites by redirecting to the SSL listener (443).

Instead of doing a single configuration for each site, I kept the existing configuration for non-SSL sites (the majority in my network) and then used the plugin Really Simple SSL to force HTTPS only on the site I wanted to secure. The others keep working "as is".

It is important to say that this configuration works for a subdomain multisite.

For SSL, I just created a listener on port 443 and I apply exactly the same treatment to route to the right blog ID, keeping only one server block regardless of how many sites I want to secure in the future.

I have 3 files in my sites-available and sites-enabled directories:

certs.conf
domain.com.conf
ssl_domain.com.conf

Certs file:

ssl_certificate        /customers/certificates/sancert.pem;
ssl_certificate_key    /customers/certificates/sancert.key;

domain.com.conf

map $http_host $blogid {
    default       -999;

    #Ref: http://wordpress.org/extend/plugins/nginx-helper/
    #include /var/www/wordpress/wp-content/plugins/nginx-helper/map.conf ;

}

server {
    server_name domain.com *.domain.com ;

    root /var/www/html/portal;
    index index.php;

    access_log /var/log/nginx/nginxwp.access.log combined;
    error_log /var/log/nginx/nginxwp.error.log;

    location / {
        try_files $uri $uri/ /index.php?$args ;
    }


    #WPMU Files
        location ~ \.php$ {
                autoindex on;
                try_files $uri =404;
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
               # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini

                # With php5-fpm:
                #fastcgi_pass unix:/var/run/php5-fpm.sock;
                fastcgi_pass unix:/run/php/php7.0-fpm.sock;
                fastcgi_index index.php;
                include fastcgi_params;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                client_max_body_size       100M;
                proxy_connect_timeout      180;
                proxy_send_timeout         180;
                proxy_read_timeout         180;
        }
        location ~ ^/files/(.*)$ {
                try_files /wp-content/blogs.dir/$blogid/$uri /wp-includes/ms-files.php?file=$1 ;
                access_log off; log_not_found off;      expires max;
        }
}

ssl_domain.com.conf

server {

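        # "ssl" as a listen parameter replaces the separate "ssl on;" directive,
        # which was removed in nginx 1.25.1
        listen 443 ssl;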
        port_in_redirect off;

        server_name domain.com *.domain.com ;

        root /var/www/html/portal;
        index index.php;

        access_log /var/log/nginx/nginxwp.access.log combined;
        error_log /var/log/nginx/nginxwp.error.log;

        location / {
                try_files $uri $uri/ /index.php?$args ;
        }


        #WPMU Files
        location ~ \.php$ {
                autoindex on;
                try_files $uri =404;
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
               # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini

                # With php5-fpm:
                #fastcgi_pass unix:/var/run/php5-fpm.sock;
                fastcgi_pass unix:/run/php/php7.0-fpm.sock;
                fastcgi_index index.php;
                include fastcgi_params;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                client_max_body_size       100M;
                proxy_connect_timeout      180;
                proxy_send_timeout         180;
                proxy_read_timeout         180;
        }
        location ~ ^/files/(.*)$ {
                try_files /wp-content/blogs.dir/$blogid/$uri /wp-includes/ms-files.php?file=$1 ;
                access_log off; log_not_found off;      expires max;
        }

        #WPMU x-sendfile to avoid php readfile()
        location ^~ /blogs.dir {
                internal;
                alias /home/portal/wp-content/blogs.dir;
                access_log off;     log_not_found off;      expires max;
        }

        #add some rules for static content expiry-headers here
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
}  

In my WordPress, I have set the custom domain for this site to customerdomain.com and forced HTTPS using the plugin Really Simple SSL.

Everything works like a charm, with grade A+ on SSL Labs.

Hope it can save time for the next one researching a solution.

GIJOW
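
A variant of the TLS server block above that names the customer domain explicitly and scopes HSTS to that host, since the header in the answer carries includeSubDomains and preload while the other tenant sites are meant to stay on HTTP. This is an added example, not part of the original answer; customerdomain.com, the certificate paths and the PHP-FPM socket are taken from the post, and it assumes the $blogid map from domain.com.conf is loaded at http level.

```nginx
# Added example (not the answer author's config).
# Assumes: map $http_host $blogid { ... } is already defined at http level.

# Port 80: redirect only the customer domain; the existing domain.com.conf
# server keeps serving every other tenant over plain HTTP.
server {
    listen 80;
    server_name customerdomain.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name customerdomain.com;

    ssl_certificate     /customers/certificates/sancert.pem;
    ssl_certificate_key /customers/certificates/sancert.key;
    # TLSv1.3 needs nginx 1.13+ built against OpenSSL 1.1.1; drop it on older builds
    ssl_protocols       TLSv1.2 TLSv1.3;

    root  /var/www/html/portal;
    index index.php;

    # HSTS pinned to this host only: no includeSubDomains, no preload.
    # "always" also sends the headers on error responses.
    add_header Strict-Transport-Security "max-age=63072000" always;
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }

    location ~ ^/files/(.*)$ {
        try_files /wp-content/blogs.dir/$blogid/$uri /wp-includes/ms-files.php?file=$1;
        access_log off; log_not_found off; expires max;
    }
}
```

After `nginx -t` and a reload, `curl -sI https://customerdomain.com/` should show the Strict-Transport-Security header without includeSubDomains, and `curl -sI http://customername.domain.com/` should still answer over HTTP without a redirect.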