FWIW, this kind of large installation is why solutions like OpenResty exist (providing for dynamic config/cert service/hostname registration without having to worry about the time/expense of re-parsing the Nginx config).

On Mon, Feb 11, 2019 at 7:59 AM Richard Paul <rich...@primarysite.net> wrote:

> Hi Ben,
>
> Thanks for the quick response. That's great to hear, as we'd only get to
> find this out after putting rather a lot of effort into the process.
> We'll be hosting these on cloud instances but since those aren't the
> fastest machines around I'll take the reloading as a word of caution (we're
> probably going to have to make another bit of application functionality
> which will handle this so that we're only reloading when we have domain
> changes rather than on a regular schedule that I'd thought would be the
> simplest method.)
>
> I have a plan for the rate limits, but thank you for mentioning it. SANs
> would reduce the number of vhosts, but I'm not sure about the added
> complexity of managing the vhost templates and the key/cert naming.
>
> Kind regards,
> Richard
>
>
> On Mon, 2019-02-11 at 16:35 +0100, Ben Schmidt wrote:
>
> Hi Richard,
>
> we have experience with around 1/4th the vhosts on a single Server, no
> Issues at all.
> Reloading can take up to a minute but the Hardware isn't what I would call
> recent.
>
> The only thing that you'll have to watch out for are Letsencrypt rate Limits
>
> https://letsencrypt.org/docs/rate-limits/
> #####
> /etc/letsencrypt/renewal $ ls | wc -l
> 1647
> #####
> We switched to using SAN Certs whenever possible.
>
> Around 8 years ago I managed an 8000 vHosts Webfarm with an apache. No
> Issues either.
>
> Cheers,
> Ben
>
> On Mon, Feb 11, 2019 at 4:16 PM rick_pri <nginx-fo...@forum.nginx.org>
> wrote:
>
> Our current setup is pretty simple, we have a regex capture to ensure that
> the incoming request is a valid ascii domain name and we serve all our
> traffic from that. Great ... for us.
>
> However, our customers, with about 12000 domain names at present have
> started to become quite vocal about having HTTPS on their websites, to
> which we provide a custom CMS and website package, which means we're about to
> create a new Nginx layer in front of our current servers to terminate TLS.
> This will require us to set up vhosts for each certificate issued with
> server names which match what's in the certificate's SAN.
>
> To keep this simple we're currently thinking about just having each domain,
> and www subdomain, on its own certificate (LetsEncrypt) and vhost but that
> is going to lead, approximately, to the number of vhosts mentioned in the
> subject line. As such I wanted to put the feelers out to see if anyone
> else had tried to work with large numbers of vhosts and any issues which they
> may have come across.
>
> Kind regards,
>
> Richard
>
> Posted at Nginx Forum:
> https://forum.nginx.org/read.php?2,282986,282986#msg-282986
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
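
The thread mentions reloading only when the domain set changes and checking that names are valid ASCII hostnames. The sketch below is an added example, not code from any participant: it validates each name before it reaches the vhost template, rewrites the file atomically, and reloads only when the rendered text differs and the config test passes. The certbot `live/<name>/` paths, one certificate covering `<name>` and `www.<name>`, the `backend` upstream and the function names are assumptions.

```python
import os, re, subprocess, tempfile
from pathlib import Path

# ASCII hostname: LDH labels (1-63 chars), 253 total; ';', spaces, newlines fail.
HOSTNAME_RE = re.compile(
    r"(?=.{1,253}\Z)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\Z")

# Assumed: certbot's live/<name>/ layout, one cert per domain whose SAN covers
# <name> and www.<name>, and an upstream named "backend" defined elsewhere.
VHOST = """server {{
    listen 443 ssl;
    server_name {name} www.{name};
    ssl_certificate     /etc/letsencrypt/live/{name}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/{name}/privkey.pem;
    location / {{ proxy_pass http://backend; proxy_set_header Host $host; }}
}}
"""

def render(domains):
    """Return (config_text, rejected_names); sorted, so the text is stable."""
    clean = {d.strip().lower().rstrip(".") for d in domains if d.strip()}
    valid = sorted(d for d in clean if HOSTNAME_RE.match(d))
    return "".join(VHOST.format(name=d) for d in valid), sorted(clean - set(valid))

def write_atomic(path, text):
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as f:
        f.write(text)
    os.replace(tmp, path)

def sync(domains, conf_path, test_cmd=("nginx", "-t"), reload_cmd=("nginx", "-s", "reload")):
    """Rewrite conf_path and reload only when the rendered vhosts changed."""
    text, _rejected = render(domains)
    old = Path(conf_path).read_text() if os.path.exists(conf_path) else None
    if old == text:
        return False  # same domain set: skip the reload
    write_atomic(conf_path, text)
    if subprocess.run(test_cmd).returncode != 0:
        if old is None:
            os.remove(conf_path)
        else:
            write_atomic(conf_path, old)
        raise RuntimeError("config test failed; previous vhost file restored")
    subprocess.run(reload_cmd, check=True)
    return True

if __name__ == "__main__":
    # Constructed input; the second entry is an attempt to inject a directive.
    print(render(["Example.org", "evil.test; include /etc/x", "school.example.net."])[1])
```

`conf_path` is assumed to be pulled into the main configuration with an `include`, so that `nginx -t` covers it.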