带有单个SSL证书的多个域的NGINX设置

############################
#
# Upstream
#
upstream upstream {
    least_conn;
    server app:8080;
}
upstream blog.upstream {
    least_conn;
    server app_nginx;
}
############################
#
# redirect all 80 to 443
# and allow Let's Encrypt
#
server {
    server_name ~.;
    listen 80;
    listen [::]:80;
    # config for .well-known
    include /etc/nginx/includes/letsencrypt.conf;
    location / {
        return         301 https://$host$uri;
    }
}
############################
#
# Redirect all www to non-www
#
server {
    server_name "~^www.(.*)$" ;
    return 301 https://$1$request_uri ;
    ssl_certificate /etc/letsencrypt/live/www.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.domain.com/privkey.pem;
}
##########################
# HTTPS
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name domain.com;
    location /blog/ {
        proxy_set_header Host $host;
        proxy_pass  http://blog.upstream;
    }
    ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
    # access_log
    access_log            /var/log/nginx/access.log;
    # proxy_pass config
    location / {
        # include proxy presets
        include /etc/nginx/includes/proxy.conf;
        proxy_pass              http://domain.com$uri;
    }
    # general ssl parameters
    include /etc/nginx/includes/ssl-params-with-preload.conf;
    root         /var/www/html;
}

我通过创建相当多的包含文件解决了这一点。

我现在有以下default.conf：

# don't redirect proxy
proxy_redirect  off;
# turn off global logging
access_log off;
# DON'T enable gzip as it opens up vulnerabilities
# logging format
log_format compression '$remote_addr - $remote_user [$time_local] '
                       '"$request" $status $bytes_sent '
                       '"$http_referer" "$http_user_agent" "$gzip_ratio"';
############################
#
# redirect all 80 to 443
# and allow Let's Encrypt
#
server {
  listen 80;
  listen [::]:80;
  server_name ~. ;
  location /.well-known/acme-challenge {
    root /var/www/html;
    default_type text/plain;
    # allow all;
  }
  location / {
    return 301 https://$host$uri;
  }
}
# include website configs
include /etc/nginx/includes/nginx-server.conf;

我的nginx-server.conf具有以下内容：

############################
#
# Upstream
#
upstream veare_upstream {
    server veare:8080;
}
############################
#
# redirect all 80 to 443
# and allow Let's Encrypt
#
server {
    server_name www.veare.de;
    listen 80;
    listen [::]:80;
    root /var/www/html;
    location /.well-known/acme-challenge {
        default_type text/plain;
    }
    location / {
        return         301 https://$host$uri;
    }
}
############################
#
# Redirect all www to non-www
#
server {
    listen 80;
    listen [::]:80;
    server_name "~^www.(.*)$" ;
    return 301 https://$1$request_uri;
}
##########################
# HTTPS
include /etc/nginx/includes/domains/*.conf;

最后一行包括我的所有域文件，例如是veare.de.conf，它们都完全像域名：

############################
#
# Redirect all www to non-www
#
#
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.veare.de;
    ssl_certificate /etc/letsencrypt/live/www.veare.de/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.veare.de/privkey.pem;
    return 301 https://veare.de$request_uri;
}
##########################
# HTTPS
server {
    server_name veare.de;
    ssl_certificate /etc/letsencrypt/live/veare.de/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/veare.de/privkey.pem;
    location ^~ /.well-known/acme-challenge {
      allow all;
      # Set correct content type. According to this:
      # https://community.letsencrypt.org/t/using-the-webroot-domain-verification-method/1445/29
      # Current specification requires "text/plain" or no content header at all.
      # It seems that "text/plain" is a safe option.
      default_type "text/plain";
      root /var/www/html;
    }
    include /etc/nginx/includes/main-server.conf;
}

这对我来说非常有效。