Wordpress multisite + SSL

Giulio Loffreda giulio at loffreda.com.br
Fri Apr 6 18:17:51 UTC 2018


Hi

For now I created one separate file (as we have just one customer under SSL) and placed it in sites-enabled, so it is loaded at the top of the nginx configuration.
Then I have another conf file to handle 443 requests.

The aim is to have one certificate for each customer, as customer may want or already have their own certificate.
But you gave me a good idea to use a SAN certificate; I don’t know if it will work for all situations, though.

Is my aim possible ?

below my complete configuration:

# TLS certificate and private key declared outside any server block. Assuming
# this file is included inside http {}, every TLS-enabled server block that
# does not set its own pair inherits this one.
# NOTE(review): for one certificate per customer, give each customer domain its
# own server block (listen 443 ssl + server_name) carrying its own
# ssl_certificate / ssl_certificate_key; nginx selects the block from the SNI
# name the client sends.
# NOTE(review): the .key file should be readable only by the account that
# starts nginx; its permissions are not visible here.
ssl_certificate         /customers/certificates/customerone.com.pem;
ssl_certificate_key    /customers/certificates/customerone.com.key;

# $blogid is looked up from the Host header. Only the default entry exists, so
# it evaluates to -999 for every host; the /files/ locations below use it.
map $http_host $blogid {
    default       -999;
}

# Plain-HTTP virtual host for the multisite portal. There is no listen
# directive, so nginx applies its default listen address for this block.
# NOTE(review): nothing here redirects to HTTPS, so the same content is also
# served unencrypted; the HSTS header set in the 443 block is only honoured by
# browsers when it arrives over HTTPS.
server {
    server_name domain.com *.domain.com ;

    root /var/www/html/portal;
    index index.php;

    access_log /var/log/nginx/domain.access.log combined;
    error_log /var/log/nginx/domain.error.log;

    # Serve an existing file or directory, otherwise hand the request to
    # WordPress's front controller with the original query string.
    location / {
        try_files $uri $uri/ /index.php?$args ;
    }


    #WPMU Files
        # Every URI ending in .php is passed to PHP-FPM.
        location ~ \.php$ {
                # NOTE(review): autoindex only acts on directory requests (URIs
                # ending in /), which this regex never matches, so it appears to
                # have no effect here; drop it if no listing is intended.
                autoindex on;
                # Return 404 unless the requested script exists on disk, so
                # PHP-FPM is never asked to run a path that is not a real file.
                try_files $uri =404;
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
               # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini

                # With php5-fpm:
                #fastcgi_pass unix:/var/run/php5-fpm.sock;
                fastcgi_pass unix:/run/php/php7.0-fpm.sock;
                fastcgi_index index.php;
                include fastcgi_params;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                # Request bodies up to 100M are accepted for PHP requests.
                client_max_body_size       100M;
                # NOTE(review): proxy_* timeouts belong to the proxy module and
                # do not govern fastcgi_pass; the FastCGI equivalents are
                # fastcgi_connect_timeout / fastcgi_send_timeout /
                # fastcgi_read_timeout.
                proxy_connect_timeout      180;
                proxy_send_timeout         180;
                proxy_read_timeout         180;
        }
        # Uploaded-file URLs: try the per-blog directory first, then fall back
        # to ms-files.php with the path captured from the request.
        # NOTE(review): file=$1 comes straight from the request URI; validating
        # it is left to ms-files.php, which is not visible here.
        location ~ ^/files/(.*)$ {
                try_files /wp-content/blogs.dir/$blogid/$uri /wp-includes/ms-files.php?file=$1 ;
                access_log off; log_not_found off;      expires max;
        }

    #WPMU x-sendfile to avoid php readfile()
    # "internal" means clients cannot request /blogs.dir directly; it is only
    # reachable through internal redirects.
    # NOTE(review): the alias points under /home/portal while root is
    # /var/www/html/portal; confirm the two paths are meant to differ.
    location ^~ /blogs.dir {
        internal;
        alias /home/portal/wp-content/blogs.dir;
        access_log off;     log_not_found off;      expires max;
    }

    #add some rules for static content expiry-headers here
}

# HTTPS virtual host; its locations repeat those of the plain-HTTP block.
# It sets no ssl_certificate of its own, so it uses the pair declared at the top
# of the file. As the only 443 server block shown, it also answers TLS requests
# for host names it does not list.
# NOTE(review): the inherited certificate file is named for customerone.com
# while server_name lists domain.com and *.domain.com; unless that certificate
# carries those names as SANs, clients of domain.com get a name mismatch.
# NOTE(review): no ssl_protocols / ssl_ciphers are set, so the defaults of the
# installed nginx version apply; confirm they meet your TLS baseline.
server {

        # NOTE(review): "ssl on;" is deprecated in newer nginx releases in
        # favour of the ssl parameter on listen ("listen 443 ssl;").
        listen 443;
        ssl on;
        port_in_redirect off;

        server_name domain.com *.domain.com ;

        root /var/www/html/portal;
        index index.php;

        access_log /var/log/nginx/domain.access.log combined;
        error_log /var/log/nginx/domain.error.log;

        # Serve an existing file or directory, otherwise hand the request to
        # WordPress's front controller with the original query string.
        location / {
                try_files $uri $uri/ /index.php?$args ;
        }


        #WPMU Files
        # Every URI ending in .php is passed to PHP-FPM.
        location ~ \.php$ {
                # NOTE(review): autoindex only acts on directory requests (URIs
                # ending in /), which this regex never matches, so it appears to
                # have no effect here; drop it if no listing is intended.
                autoindex on;
                # Return 404 unless the requested script exists on disk, so
                # PHP-FPM is never asked to run a path that is not a real file.
                try_files $uri =404;
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
               # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini

                # With php5-fpm:
                #fastcgi_pass unix:/var/run/php5-fpm.sock;
                fastcgi_pass unix:/run/php/php7.0-fpm.sock;
                fastcgi_index index.php;
                include fastcgi_params;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                # Request bodies up to 100M are accepted for PHP requests.
                client_max_body_size       100M;
                # NOTE(review): proxy_* timeouts belong to the proxy module and
                # do not govern fastcgi_pass; the FastCGI equivalents are
                # fastcgi_connect_timeout / fastcgi_send_timeout /
                # fastcgi_read_timeout.
                proxy_connect_timeout      180;
                proxy_send_timeout         180;
                proxy_read_timeout         180;
        }
        # Uploaded-file URLs: try the per-blog directory first, then fall back
        # to ms-files.php with the path captured from the request.
        # NOTE(review): file=$1 comes straight from the request URI; validating
        # it is left to ms-files.php, which is not visible here.
        location ~ ^/files/(.*)$ {
                try_files /wp-content/blogs.dir/$blogid/$uri /wp-includes/ms-files.php?file=$1 ;
                access_log off; log_not_found off;      expires max;
        }

        #WPMU x-sendfile to avoid php readfile()
        # "internal" means clients cannot request /blogs.dir directly; it is
        # only reachable through internal redirects.
        # NOTE(review): the alias points under /home/portal while root is
        # /var/www/html/portal; confirm the two paths are meant to differ.
        location ^~ /blogs.dir {
                internal;
                alias /home/portal/wp-content/blogs.dir;
                access_log off;     log_not_found off;      expires max;
        }

        #add some rules for static content expiry-headers here
        # Response headers set at server level. No location above declares its
        # own add_header, so all of them inherit these. Without the "always"
        # parameter nginx adds them only to successful and redirect responses,
        # not to error pages.
        # NOTE(review): HSTS with includeSubDomains and preload pins every
        # subdomain of the responding host to HTTPS for two years, and preload
        # is slow to undo. Since only one customer has a certificate so far,
        # confirm every affected host name can present a valid one first.
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
        # Forbids rendering these pages inside any frame.
        add_header X-Frame-Options DENY;
        # Stops browsers from MIME-sniffing a different content type.
        add_header X-Content-Type-Options nosniff;
        # NOTE(review): legacy header that current browsers ignore; a
        # Content-Security-Policy is the maintained control for this.
        add_header X-XSS-Protection "1; mode=block";
        # NOTE(review): "none" is equivalent to noindex, nofollow, so crawlers
        # are told not to index anything served over HTTPS; confirm intended.
        add_header X-Robots-Tag none;
}


On 6 Apr 2018 at 14:50 -0300, basti <mailinglist at unix-solution.de>, wrote:
> Hello,
> where have you defined your certificate? I can't see it.
> If you use one server directive for all your domains, all domains must be
> in this certificate (Subject Alternative Names).
>
> On 06.04.2018 19:40, Giulio Loffreda wrote:
> > Dears
> >
> >
> > I have one wordpress multisite with subdomain being served by Nginx.
> >
> >
> > We have the main domain, lets call domain.com <http://domain.com>.
> >
> > We use custom domains for customer site lets say customerone.com
> > <http://customerone.com>, customertwo.com <http://customertwo.com>… with
> > correspondent subdomain on WP, as customerone.domain.com
> > <http://customerone.domain.com>, customertwo.domain.com
> > <http://customertwo.domain.com>.
> >
> >
> > Everything works fine with the configuration at the end of this email.
> >
> >
> > However, now we want to secure some custom domains for example
> > https://customerone.com.
> >
> >
> > For one secured domain, it works fine. I can use some plugin to force
> > HTTPS on WP and insert certificate on top of nginx configuration.
> >
> >
> > The problem is when I have more than one domain to secure.
> >
> >
> > I tried to insert more than one ssl_certificate on top to secure base
> > domain (domain.com <http://domain.com>) and its subdomains. Doesn’t work.
> >
> > Then i search for some configuration to check domain and load the right
> > certificate, couldn’t find.
> >
> >
> > Can someone help us to configure our server to work with non-ssl + ssl
> > and Wordpress multisite subdomain ?
> >
> >
> > Thank you
> >
> >
> > map $http_host $blogid {
> >
> >     default       -999;
> >
> > }
> >
> >
> > server {
> >
> >     server_name domain.com <http://domain.com> *.domain.com
> > <http://domain.com> ;
> >
> >
> >     root /var/www/html/portal;
> >
> >     index index.php;
> >
> >
> >     access_log /var/log/nginx/domain.access.log combined;
> >
> >     error_log /var/log/nginx/domain.error.log;
> >
> >
> >     location / {
> >
> >         try_files $uri $uri/ /index.php?$args ;
> >
> >     }
> >
> >
> >     #WPMU Files
> >
> >         location ~ \.php$ {
> >
> >                 autoindex on;
> >
> >                 try_files $uri =404;
> >
> >                 fastcgi_split_path_info ^(.+\.php)(/.+)$;
> >
> >                # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
> >
> >
> >                 # With php5-fpm:
> >
> >                 #fastcgi_pass unix:/var/run/php5-fpm.sock;
> >
> >                 fastcgi_pass unix:/run/php/php7.0-fpm.sock;
> >
> >                 fastcgi_index index.php;
> >
> >                 include fastcgi_params;
> >
> >                 fastcgi_param SCRIPT_FILENAME
> > $document_root$fastcgi_script_name;
> >
> >                 client_max_body_size       100M;
> >
> >                 proxy_connect_timeout      180;
> >
> >                 proxy_send_timeout         180;
> >
> >                 proxy_read_timeout         180;
> >
> >         }
> >
> >         location ~ ^/files/(.*)$ {
> >
> >                 try_files /wp-content/blogs.dir/$blogid/$uri
> > /wp-includes/ms-files.php?file=$1 ;
> >
> >                 access_log off; log_not_found off;      expires max;
> >
> >         }
> >
> >
> >     #WPMU x-sendfile to avoid php readfile()
> >
> >     location ^~ /blogs.dir {
> >
> >         internal;
> >
> >         alias /home/portal/wp-content/blogs.dir;
> >
> >         access_log off;     log_not_found off;      expires max;
> >
> >     }
> >
> >
> >     #add some rules for static content expiry-headers here
> >
> > }
> >
> >
> >