Re: Wordpress multisite + SSL

2018-04-06 Thread Giulio Loffreda
crystal clear

Your “in short” explanation was perfect.

Thank you

On 6 Apr 2018 at 15:56 -0300, basti , wrote:
>
>
> On 06.04.2018 20:17, Giulio Loffreda wrote:
> > Hi
> >
> > I created one separate file for now (as we have just one customer
> > under SSL) and placed this file in sites-enabled. So it is being loaded
> > at the top of the nginx configuration.
> > Then I have another conf file to handle 443 requests.
> >
> > The aim is to have one certificate for each customer, as customer may
> > want or already have their own certificate.
>
> Then you need different server blocks. The certificates are loaded at
> start, so you can't load them dynamically.
>
> in short:
> 1 server block -> certificate with n domains
> n server block -> certificate with 1 domain
>
> ssl_certificate* must be inside the server block
>
> > But you gave me a good idea to use a SAN certificate; I don’t know if
> > it will work for all situations though.
> >
> > Is my aim possible ?

Re: Wordpress multisite + SSL

2018-04-06 Thread basti


On 06.04.2018 20:17, Giulio Loffreda wrote:
> Hi
> 
> I created one separate file for now (as we have just one customer
> under SSL) and placed this file in sites-enabled. So it is being loaded
> at the top of the nginx configuration.
> Then I have another conf file to handle 443 requests.
> 
> The aim is to have one certificate for each customer, as customer may
> want or already have their own certificate.

Then you need different server blocks. The certificates are loaded at
start, so you can't load them dynamically.

in short:
1 server block -> certificate with n domains
n server block -> certificate with 1 domain

ssl_certificate* must be inside the server block

> But you gave me a good idea to use a SAN certificate; I don’t know if
> it will work for all situations though.
> 
> Is my aim possible ?


Re: Wordpress multisite + SSL

2018-04-06 Thread Giulio Loffreda
Hi

I created one separate file for now (as we have just one customer under SSL)
and placed this file in sites-enabled. So it is being loaded at the top of the nginx
configuration.
Then I have another conf file to handle 443 requests.

The aim is to have one certificate for each customer, as customer may want or 
already have their own certificate.
But you gave me a good idea to use a SAN certificate; I don’t know if it will
work for all situations though.

Is my aim possible ?

below my complete configuration:

# TLS certificate and private key for the one customer currently on HTTPS.
# These lines sit outside any server{} (the sender says this file is
# included from sites-enabled ahead of the rest), i.e. at http level, so
# every ssl server{} that does not set its own ssl_certificate* inherits
# this single pair.
# NOTE(review): one certificate per customer domain needs one server{}
# per customer, each carrying its own ssl_certificate/ssl_certificate_key.
ssl_certificate     /customers/certificates/customerone.com.pem;
ssl_certificate_key /customers/certificates/customerone.com.key;

# Map the request Host header to a WordPress multisite blog id; the
# /files/ location below uses it to look under /wp-content/blogs.dir/$blogid/.
# NOTE(review): only the default entry is present, so $blogid is always
# -999 and that blogs.dir branch of try_files can never resolve — add one
# "host id;" line per site (or include a generated file) if direct file
# serving is intended.
map $http_host $blogid {
    default -999;
}

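# Plain-HTTP server (no listen given, so port 80) for the multisite main
# domain and its wildcard subdomains.
server {
    server_name domain.com *.domain.com;

    root /var/www/html/portal;
    index index.php;

    access_log /var/log/nginx/domain.access.log combined;
    error_log /var/log/nginx/domain.error.log;

    # WordPress front controller: existing file, then directory, then index.php.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    #WPMU Files
    location ~ \.php$ {
        # "autoindex on" removed: a directory listing has no place in the
        # PHP handler and is the kind of exposure a scanner flags first.
        # Only scripts that exist on disk reach PHP-FPM; together with
        # cgi.fix_pathinfo = 0 this prevents non-PHP uploads from being
        # executed via a trailing /x.php path.
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini

        # With php5-fpm:
        #fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        client_max_body_size 100M;
        # fastcgi_*_timeout, not proxy_*_timeout: the proxy_* directives
        # only affect proxy_pass and had no effect in this location.
        fastcgi_connect_timeout 180;
        fastcgi_send_timeout 180;
        fastcgi_read_timeout 180;
    }

    location ~ ^/files/(.*)$ {
        # Serve per-blog uploads directly when present, otherwise let
        # ms-files.php stream them (the internal redirect lands in the
        # \.php$ location above).
        try_files /wp-content/blogs.dir/$blogid/$uri /wp-includes/ms-files.php?file=$1;
        access_log off;
        log_not_found off;
        expires max;
    }

    #WPMU x-sendfile to avoid php readfile()
    # "internal" limits this location to internal redirects (e.g. an
    # X-Accel-Redirect issued by PHP); direct client requests get 404.
    # Trailing slash on both the prefix and the alias so that only URIs
    # under /blogs.dir/ map into the aliased directory — the well-known
    # nginx alias/location mismatch is avoided this way.
    # NOTE(review): alias points under /home/portal while root is
    # /var/www/html/portal — confirm which tree is the live one.
    location ^~ /blogs.dir/ {
        internal;
        alias /home/portal/wp-content/blogs.dir/;
        access_log off;
        log_not_found off;
        expires max;
    }

    #add some rules for static content expiry-headers here
}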

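# HTTPS server. No ssl_certificate* is set here, so the pair is inherited
# from the http-level directives the sender keeps in a separate file.
# As posted this is the only TLS server on 443, so it answers every SNI
# name with that one certificate; one certificate per customer requires
# one server{} per customer with the customer's server_name and its own
# ssl_certificate/ssl_certificate_key.
server {
    # The "ssl" listen parameter is the supported form; "ssl on;" is
    # deprecated in newer nginx releases.
    listen 443 ssl;
    port_in_redirect off;

    # Without this nginx's defaults still negotiate TLS 1.0/1.1; restrict
    # to 1.2 (add TLSv1.3 once the nginx/OpenSSL build supports it).
    # NOTE(review): this drops clients that cannot speak TLS 1.2.
    ssl_protocols TLSv1.2;

    server_name domain.com *.domain.com;

    root /var/www/html/portal;
    index index.php;

    access_log /var/log/nginx/domain.access.log combined;
    error_log /var/log/nginx/domain.error.log;

    # WordPress front controller: existing file, then directory, then index.php.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    #WPMU Files
    location ~ \.php$ {
        # "autoindex on" removed: a directory listing has no place in the
        # PHP handler. Only scripts that exist on disk reach PHP-FPM;
        # together with cgi.fix_pathinfo = 0 this prevents non-PHP uploads
        # from being executed via a trailing /x.php path.
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini

        # With php5-fpm:
        #fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        client_max_body_size 100M;
        # fastcgi_*_timeout, not proxy_*_timeout: the proxy_* directives
        # only affect proxy_pass and had no effect in this location.
        fastcgi_connect_timeout 180;
        fastcgi_send_timeout 180;
        fastcgi_read_timeout 180;
    }

    location ~ ^/files/(.*)$ {
        # Serve per-blog uploads directly when present, otherwise let
        # ms-files.php stream them (the internal redirect lands in the
        # \.php$ location above).
        try_files /wp-content/blogs.dir/$blogid/$uri /wp-includes/ms-files.php?file=$1;
        access_log off;
        log_not_found off;
        expires max;
    }

    #WPMU x-sendfile to avoid php readfile()
    # "internal" limits this location to internal redirects (e.g. an
    # X-Accel-Redirect issued by PHP); direct client requests get 404.
    # Trailing slash on both the prefix and the alias so that only URIs
    # under /blogs.dir/ map into the aliased directory — the well-known
    # nginx alias/location mismatch is avoided this way.
    # NOTE(review): alias points under /home/portal while root is
    # /var/www/html/portal — confirm which tree is the live one.
    location ^~ /blogs.dir/ {
        internal;
        alias /home/portal/wp-content/blogs.dir/;
        access_log off;
        log_not_found off;
        expires max;
    }

    #add some rules for static content expiry-headers here

    # Security headers for every response from this block. add_header is
    # not inherited into a location that sets its own add_header; none of
    # the locations above do, so these apply to all responses here.
    # NOTE(review): because this block terminates TLS for every customer
    # domain, each of them receives HSTS with includeSubDomains and
    # "preload". "preload" asks browsers to hard-code the domain in their
    # preload lists and is effectively irreversible — drop it unless every
    # customer domain is meant to be submitted.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    # NOTE(review): DENY also forbids same-origin framing; if any admin
    # screen embeds the site in an iframe, SAMEORIGIN is the usual choice.
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
}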


On 6 Apr 2018 at 14:50 -0300, basti , wrote:
> Hello,
> where have you defined your certificate? I can't see it.
> If you use one server directive for all your domains, all domains must be
> in this certificate (Subject Alternative Names).
>
> On 06.04.2018 19:40, Giulio Loffreda wrote:
> > Dears
> >
> >
> > I have one WordPress multisite with subdomains being served by nginx.
> >
> >
> > We have the main domain, lets call domain.com .
> >
> > We use custom domains for customer site lets say customerone.com
> > , customertwo.com … with
> > correspondent subdomain on WP, as customerone.domain.com
> > , customertwo.domain.com
> > .
> >
> >
> > 

Re: Wordpress multisite + SSL

2018-04-06 Thread basti
Hello,
where have you defined your certificate? I can't see it.
If you use one server directive for all your domains, all domains must be
in this certificate (Subject Alternative Names).

On 06.04.2018 19:40, Giulio Loffreda wrote:
> Dears
> 
> 
> I have one WordPress multisite with subdomains being served by nginx.
> 
> 
> We have the main domain, lets call domain.com .
> 
> We use custom domains for customer site lets say customerone.com
> , customertwo.com … with
> correspondent subdomain on WP, as customerone.domain.com
> , customertwo.domain.com
> .
> 
> 
> Everything works fine with the configuration at the end of this email.
> 
> 
> However, now we want to secure some custom domains for example
> https://customerone.com.
> 
> 
> For one secured domain, it works fine. I can use some plugin to force
> HTTPS on WP and insert certificate on top of nginx configuration.
> 
> 
> The problem is when I have more than one domain to secure.
> 
> 
> I tried to insert more than one ssl_certificate on top to secure base
> domain (domain.com ) and its subdomains. Doesn’t work.
> 
> Then I searched for some configuration to check the domain and load the right
> certificate, but couldn't find one.
> 
> 
> Can someone help us to configure our server to work with non-ssl + ssl
> and Wordpress multisite subdomain ?
> 
> 
> Thank you
> 
> 
> map $http_host $blogid {
> 
>     default       -999;
> 
> }
> 
> 
> server {
> 
>     server_name domain.com  *.domain.com
>  ;
> 
> 
>     root /var/www/html/portal;
> 
>     index index.php;
> 
> 
>     access_log /var/log/nginx/domain.access.log combined;
> 
>     error_log /var/log/nginx/domain.error.log;
> 
> 
>     location / {
> 
>         try_files $uri $uri/ /index.php?$args ;
> 
>     }
> 
> 
>     #WPMU Files
> 
>         location ~ \.php$ {
> 
>                 autoindex on;
> 
>                 try_files $uri =404;
> 
>                 fastcgi_split_path_info ^(.+\.php)(/.+)$;
> 
>                # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
> 
> 
>                 # With php5-fpm:
> 
>                 #fastcgi_pass unix:/var/run/php5-fpm.sock;
> 
>                 fastcgi_pass unix:/run/php/php7.0-fpm.sock;
> 
>                 fastcgi_index index.php;
> 
>                 include fastcgi_params;
> 
>                 fastcgi_param SCRIPT_FILENAME
> $document_root$fastcgi_script_name;
> 
>                 client_max_body_size       100M;
> 
>                 proxy_connect_timeout      180;
> 
>                 proxy_send_timeout         180;
> 
>                 proxy_read_timeout         180;
> 
>         }
> 
>         location ~ ^/files/(.*)$ {
> 
>                 try_files /wp-content/blogs.dir/$blogid/$uri
> /wp-includes/ms-files.php?file=$1 ;
> 
>                 access_log off; log_not_found off;      expires max;
> 
>         }
> 
> 
>     #WPMU x-sendfile to avoid php readfile()
> 
>     location ^~ /blogs.dir {
> 
>         internal;
> 
>         alias /home/portal/wp-content/blogs.dir;
> 
>         access_log off;     log_not_found off;      expires max;
> 
>     }
> 
> 
>     #add some rules for static content expiry-headers here
> 
> }
> 
> 
> 