Hello, all config files are Tcl scripts, so inside my main "conf" folder I have
a folder called "servers".
My main nsd configuration file looks like this:

~~~tcl
...
set servers [glob -directory [file join /opt/ns/conf/ servers] *]
...
ns_section "ns/module/nsssl" {
    ns_param defaultserver $hostname
    ns_param certificate   /opt/ns/modules/nsssl/main.pem
    ns_param address       $ip_addr
    ns_param port          $ssl_port
    ns_param hostname      $hostname
    ns_param ciphers       "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!RC4"
    ns_param protocols     "!SSLv2:!SSLv3"
    ns_param verify        0
    ns_param extraheaders {
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        X-Frame-Options SAMEORIGIN
        X-Content-Type-Options nosniff
    }
    ns_param maxinput      [expr {$max_file_upload_mb * 1024 * 1024}]
    ns_param recvwait      [expr {$max_file_upload_min * 60}]
}
...
ns_section "ns/servers" {
    foreach server $servers {
        ns_param [file tail $server] [file tail $server]
    }
}

ns_section "ns/module/nsssl/servers" {
    foreach server $servers {
        ns_param [file tail $server] [file tail $server]
    }
}

ns_section "ns/module/nssock/servers" {
    foreach server $servers {
        ns_param [file tail $server] [file tail $server]
    }
}

...
~~~
For each server I want to add, I create a config file inside the servers
folder and name it after my domain or subdomain. For example:
myfirstserver.com, secondserver.com


~~~tcl
set server     "myfirstserver.com"
set db_name    $server
...
ns_section "ns/server/${server}/module/nsssl" {
    ns_param certificate   ${homedir}/modules/nsssl/${server}.pem
    ns_param ciphersuites  "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
}
...
~~~

Basically I'm just cloning one file and setting the domain name at the
beginning of it. My certificates have the same name as the domain they are
used for.

So when NaviServer starts it will read my main config file, then read the
config files from the "server" directory with certificates, database
connection settings etc.

So it's really easy to set up a new virtual server: clone one of the
conf/server files, change the name, set up the server var, get and save the
certificate with the same name as the server, reboot nsd and you're ready to go.

Cheers


On Sun, Jan 17, 2021 at 10:30 AM Jeff R <dv...@diphi.com> wrote:

> Hi all,
>
> Looking at the docs and recent list postings Naviserver supports virtual
> hosting over ssl using SNI by defining multiple servers in the config and
> specifying the certificate for each server.  The downside of this is that
> in order to add a new host you need to modify the config, rather than just
> adding new certificates.
>
> I'm thinking it would allow a simpler config to support having a scheme
> matching the host name to the certificate file name implicitly, rather than
> explicitly.   That is, instead of looking for the certificate configured
> for a matching nsssl server, look for a file matching
> "directory/${host}.pem"
>
> This could be mostly accomplished by having the config file create the
> sections at runtime (i.e., at config load time) by scanning the desired
> directory, but doing so would still require the server to be restarted if a
> new certificate was added.
>
> A config supporting this might look like
>
> ns_section ns/module/nsssl {
>    ns_param port          8433
>    ns_param defaultserver s1
>    ns_param certificate   /usr/local/ns/modules/nsssl/server.pem
>    ns_param sni_certificate   /usr/local/ns/modules/nsssl/%host%.pem
> }
> with whatever placeholder syntax makes sense for "host" there.   ($host
> obviously can't work)
>
> I don't know how this approach would work for wildcard certificates -
> maybe it would need to look for "domain" and then "*.domain", or if looking
> for "foo.domain.xyz" it could try "domain.xyz" if it exists on the
> assumption it's a wildcard?
>
> This is not critical for me as a letsencrypt SAN certificate will probably
> work fine, but I like to keep my options open :)
>
> Cheers,
> -J
>
> _______________________________________________
> naviserver-devel mailing list
> naviserver-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/naviserver-devel
>
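An added example, not code from either post, that combines the glob-driven scheme from the reply with the wildcard fallback Jeff asks about: the main config resolves a certificate for every file in conf/servers, treating a parent-domain file (domain.xyz.pem for foo.domain.xyz) as a wildcard certificate, and skips hosts that have neither. The /opt/ns paths, the parent-domain convention and the `source` of the per-server file are assumptions; with this loop the per-server file no longer needs its own certificate line.

```tcl
# Added example: resolve the certificate for every per-server config file in
# conf/servers, falling back to a parent-domain (wildcard) certificate.
# Directory paths and the "parent-domain file = wildcard" rule are assumptions.
set certdir /opt/ns/modules/nsssl
set servers [glob -nocomplain -directory /opt/ns/conf/servers -type f *]

# Return the certificate path for $host: first "${host}.pem", then the
# parent domain's file (foo.domain.xyz -> domain.xyz.pem), otherwise "".
proc cert_for_host {certdir host} {
    set exact [file join $certdir ${host}.pem]
    if {[file readable $exact]} {
        return $exact
    }
    set labels [split $host .]
    if {[llength $labels] > 2} {
        set parent [join [lrange $labels 1 end] .]
        set wildcard [file join $certdir ${parent}.pem]
        if {[file readable $wildcard]} {
            return $wildcard
        }
    }
    return ""
}

# Register only hosts whose certificate exists, so a forgotten .pem is
# reported once at config load rather than when the nsssl driver loads it.
set enabled {}
foreach path $servers {
    set host [file tail $path]
    set cert [cert_for_host $certdir $host]
    if {$cert eq ""} {
        ns_log warning "no certificate for $host under $certdir; skipping"
        continue
    }
    lappend enabled $host
    source $path   ;# per-server settings (db name, ciphersuites, ...); assumed
    ns_section "ns/server/${host}/module/nsssl" {
        ns_param certificate $cert
    }
}

# The same host list feeds the three registration sections used in the reply.
foreach sec {ns/servers ns/module/nsssl/servers ns/module/nssock/servers} {
    ns_section $sec {
        foreach host $enabled { ns_param $host $host }
    }
}
```

A host with only two labels (domain.xyz) gets no parent fallback, so its own domain.xyz.pem must exist for it to be registered.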