Multiple domains and SSL certificates on one Nginx server

Published by Alexander Braun on 31 Oct 2017 - tagged with Nginx, SSL, Security

Recently I had to host two web applications on a single Virtual Private Server (VPS). The applications are reached under different domain names, each with its own SSL certificate and key. In this post I explain how to configure Nginx to fulfill these requirements.

In my specific environment, I was lucky that the Linux box can be reached through two external IP addresses, one per domain. This simplifies the Nginx configuration: each domain gets its own listening address, so Nginx never has to choose a certificate based on the host name the client asks for, and the two applications stay cleanly separated.

If you are looking for a solution with only one external IP address, you should check out this post.

Both applications are stand-alone Spring Boot web applications; their Spring Boot server.port settings are 8080 for the first domain and 8081 for the second. Since Nginx is the only component that should talk to them, bind them to the loopback interface (server.address=127.0.0.1) or firewall ports 8080 and 8081, otherwise anyone can bypass TLS by connecting to the application port directly. Each domain has its own certificate and key, which is what I usually prefer; I personally don't like multi-domain SSL certificates.

server {
    # Everything arriving on the first external address belongs to example.com.
    # default_server makes this block the catch-all for 167.100.100.101:443,
    # whatever SNI name or Host header the client sends.
    listen       167.100.100.101:443 ssl http2 default_server;
    server_name  example.com;
    # Certificate file: leaf certificate followed by its intermediate chain.
    ssl_certificate /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
    location / {
        # TLS ends here; the Spring Boot app on 8080 receives plain HTTP.
        proxy_pass http://localhost:8080;
    }
}
server {
    # Same pattern for the second address and domain.
    listen       167.100.100.102:443 ssl http2 default_server;
    server_name  example.net;
    ssl_certificate /etc/nginx/ssl/example.net.crt;
    ssl_certificate_key /etc/nginx/ssl/example.net.key;
    location / {
        proxy_pass http://localhost:8081;
    }
}

Considering my specific setup it was actually quite easy to configure Nginx to fulfill my requirements. Let's have a quick look into the configuration file.

For each application a server block was added. The listen directive gives the external IP address and port that Nginx binds for that block; because the two blocks bind different addresses, it is the destination address, not the server_name, that decides which block handles a connection. default_server marks the block as the catch-all for its address:port pair, so a client that reaches 167.100.100.101 with any other (or no) SNI name is still answered with example.com's certificate and proxied to the first application. server_name is set anyway, to example.com for the first domain and example.net for the second, so the intent of each block is explicit. The certificate and key are configured per block with ssl_certificate and ssl_certificate_key; the certificate file should contain the leaf certificate followed by the intermediate chain, and the key file must not be readable by anyone but root. Finally, the location block and the proxy_pass directive tell Nginx where to forward the requests arriving on that address: TLS terminates in Nginx and the application receives plain HTTP on localhost.

Before applying the changes, validate the configuration with sudo nginx -t, which reports syntax errors and missing certificate or key files without touching the running server. Then reload or restart Nginx to apply the changes. On CentOS this can be achieved by executing the following command:

[user@domain ~]$ sudo service nginx restart
Stopping nginx:                                            [  OK  ]
Starting nginx:                                            [  OK  ]

Note: This configuration file is a simplified example to demonstrate how to set up Nginx to serve multiple domains using multiple SSL certificates/keys. Other important parameters like ssl_protocols, ssl_session_cache, ssl_session_timeout, ssl_ciphers and ssl_prefer_server_ciphers are removed. I'd recommend having a look at these parameters as well to provide additional security; without them Nginx uses its built-in defaults, which at the time of writing still allow TLS 1.0 and 1.1.
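As an added example, not code from the original post, here is a fuller version of the same setup: the two HTTPS server blocks with the TLS parameters the note above mentions restored, a plain-HTTP listener per address that redirects to HTTPS, and the proxy headers a Spring Boot application behind a reverse proxy needs. The addresses, domain names and certificate paths are the post's placeholders; the cipher list, the dhparam path and the HSTS max-age are my assumptions and should be adjusted for your environment.

```nginx
# Added example (not from the original post): /etc/nginx/conf.d/apps.conf
# Files in conf.d are included inside the http block, so the top-level
# directives below are inherited by every server block in this file.
# Assumptions: cipher list, dhparam path, HSTS max-age.

# --- TLS settings shared by both HTTPS servers ---
ssl_protocols             TLSv1.2;   # add TLSv1.3 once nginx is built against OpenSSL 1.1.1 or later
ssl_prefer_server_ciphers on;
ssl_ciphers               ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_dhparam               /etc/nginx/ssl/dhparam.pem;   # create with: openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
ssl_session_cache         shared:SSL:10m;   # resumption cache shared by all worker processes
ssl_session_timeout       1d;
ssl_session_tickets       off;              # the ticket key lives as long as the nginx process; off unless you rotate it

# --- Headers the proxied Spring Boot applications need (inherited by every location) ---
proxy_set_header Host              $host;
proxy_set_header X-Real-IP         $remote_addr;
proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;   # tells the app the client connected over HTTPS

# --- Domain 1: 167.100.100.101 -> example.com -> localhost:8080 ---
server {
    listen       167.100.100.101:80 default_server;
    server_name  example.com;
    # Fixed host name rather than $host, so a forged Host header cannot steer the redirect.
    return 301 https://example.com$request_uri;
}

server {
    listen       167.100.100.101:443 ssl http2 default_server;
    server_name  example.com;

    ssl_certificate     /etc/nginx/ssl/example.com.crt;   # leaf certificate followed by the intermediate chain
    ssl_certificate_key /etc/nginx/ssl/example.com.key;   # mode 0600, owned by root

    # HSTS: only meaningful on the HTTPS block; "always" also adds it to error responses.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://localhost:8080;
    }
}

# --- Domain 2: 167.100.100.102 -> example.net -> localhost:8081 ---
server {
    listen       167.100.100.102:80 default_server;
    server_name  example.net;
    return 301 https://example.net$request_uri;
}

server {
    listen       167.100.100.102:443 ssl http2 default_server;
    server_name  example.net;

    ssl_certificate     /etc/nginx/ssl/example.net.crt;
    ssl_certificate_key /etc/nginx/ssl/example.net.key;

    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://localhost:8081;
    }
}
```

After saving the file, run sudo nginx -t and reload Nginx. To confirm that each address really serves the intended certificate, connect with openssl s_client -connect 167.100.100.101:443 -servername example.com, look at the subject and issuer it prints, and repeat for 167.100.100.102 with example.net; connecting to an address with the wrong -servername shows which certificate the default_server block hands out to unknown names. On the Spring Boot side, set server.use-forward-headers=true so the application honours the X-Forwarded-* headers and builds redirects with the original scheme and host instead of http://localhost:8080.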