Wordpress multisite + SSL

Posted by Giulio Loffreda 
Giulio Loffreda
Wordpress multisite + SSL
April 06, 2018 07:50PM
Dears

I have one WordPress multisite with subdomains being served by Nginx.

We have the main domain, let's call it domain.com.
We use custom domains for customer sites, let's say customerone.com, customertwo.com… with corresponding subdomains on WP, such as customerone.domain.com, customertwo.domain.com.

Everything works fine with the configuration at the end of this email.

However, now we want to secure some custom domains for example https://customerone.com.

For one secured domain, it works fine. I can use some plugin to force HTTPS on WP and insert certificate on top of nginx configuration.

The problem is when I have more than one domain to secure.

I tried to insert more than one ssl_certificate on top to secure the base domain (domain.com) and its subdomains. It doesn't work.
Then I searched for some configuration to check the domain and load the right certificate, but couldn't find one.

Can someone help us to configure our server to work with non-SSL + SSL and WordPress multisite subdomains?

Thank you

map $http_host $blogid {
    default       -999;
}

server {
    server_name domain.com *.domain.com ;

    root /var/www/html/portal;
    index index.php;

    access_log /var/log/nginx/domain.access.log combined;
    error_log /var/log/nginx/domain.error.log;

    location / {
        try_files $uri $uri/ /index.php?$args ;
    }

    #WPMU Files
    location ~ \.php$ {
        autoindex on;
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini

        # With php5-fpm:
        #fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        client_max_body_size 100M;
        proxy_connect_timeout 180;
        proxy_send_timeout 180;
        proxy_read_timeout 180;
    }
    location ~ ^/files/(.*)$ {
        try_files /wp-content/blogs.dir/$blogid/$uri /wp-includes/ms-files.php?file=$1 ;
        access_log off; log_not_found off; expires max;
    }

    #WPMU x-sendfile to avoid php readfile()
    location ^~ /blogs.dir {
        internal;
        alias /home/portal/wp-content/blogs.dir;
        access_log off;     log_not_found off;      expires max;
    }

    #add some rules for static content expiry-headers here
}
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
basti
Re: Wordpress multisite + SSL
April 06, 2018 08:00PM
Hello,
Where have you defined your certificate? I can't see.
If you use one server directive for all your domains, all domains must be
in this certificate (Subject alt names).

Giulio Loffreda
Re: Wordpress multisite + SSL
April 06, 2018 08:30PM
Hi

I created one separate file for a while (as we have just one customer under SSL) and placed this file on sites-enable. So it is being loaded at the top of the nginx configuration.
Then I have another conf file to handle 443 requests.

The aim is to have one certificate for each customer, as customers may want or already have their own certificate.
But you gave me a good idea to have a SAN certificate, I don't know if it will work for all situations though.

Is my aim possible?

Below is my complete configuration:

ssl_certificate         /customers/certificates/customerone.com.pem;
ssl_certificate_key    /customers/certificates/customerone.com.key;

map $http_host $blogid {
    default       -999;
}

server {
    server_name domain.com *.domain.com ;

    root /var/www/html/portal;
    index index.php;

    access_log /var/log/nginx/domain.access.log combined;
    error_log /var/log/nginx/domain.error.log;

    location / {
        try_files $uri $uri/ /index.php?$args ;
    }


    #WPMU Files
    location ~ \.php$ {
        autoindex on;
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini

        # With php5-fpm:
        #fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        client_max_body_size 100M;
        proxy_connect_timeout 180;
        proxy_send_timeout 180;
        proxy_read_timeout 180;
    }
    location ~ ^/files/(.*)$ {
        try_files /wp-content/blogs.dir/$blogid/$uri /wp-includes/ms-files.php?file=$1 ;
        access_log off; log_not_found off; expires max;
    }

    #WPMU x-sendfile to avoid php readfile()
    location ^~ /blogs.dir {
        internal;
        alias /home/portal/wp-content/blogs.dir;
        access_log off;     log_not_found off;      expires max;
    }

    #add some rules for static content expiry-headers here
}

server {

        listen 443;
        ssl on;
        port_in_redirect off;

        server_name domain.com *.domain.com ;

        root /var/www/html/portal;
        index index.php;

        access_log /var/log/nginx/domain.access.log combined;
        error_log /var/log/nginx/domain.error.log;

        location / {
                try_files $uri $uri/ /index.php?$args ;
        }


        #WPMU Files
        location ~ \.php$ {
                autoindex on;
                try_files $uri =404;
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
               # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini

                # With php5-fpm:
                #fastcgi_pass unix:/var/run/php5-fpm.sock;
                fastcgi_pass unix:/run/php/php7.0-fpm.sock;
                fastcgi_index index.php;
                include fastcgi_params;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                client_max_body_size       100M;
                proxy_connect_timeout      180;
                proxy_send_timeout         180;
                proxy_read_timeout         180;
        }
        location ~ ^/files/(.*)$ {
                try_files /wp-content/blogs.dir/$blogid/$uri /wp-includes/ms-files.php?file=$1 ;
                access_log off; log_not_found off;      expires max;
        }

        #WPMU x-sendfile to avoid php readfile()
        location ^~ /blogs.dir {
                internal;
                alias /home/portal/wp-content/blogs.dir;
                access_log off;     log_not_found off;      expires max;
        }

        #add some rules for static content expiry-headers here
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
}


basti
Re: Wordpress multisite + SSL
April 06, 2018 09:00PM
On 06.04.2018 20:17, Giulio Loffreda wrote:
> Hi
>
> I created one separate file for a while (as we have just one customer
> under SSL) and placed this file on sites-enable. So it is being loaded
> at the top of the nginx configuration.
> Then I have another conf file to handle 443 requests.
>
> The aim is to have one certificate for each customer, as customer may
> want or already have their own certificate.

Then you need different server blocks. The certificates are loaded at
start, so you can't load them dynamically.

In short:
1 server block -> certificate with n domains
n server blocks -> certificate with 1 domain

ssl_certificate* must be inside the server block

> But you gave me a good idea to have a SAN certificate, I don't know if
> it will work for all situations though.
>
> Is my aim possible ?
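
The two layouts from the "in short" summary above, written out as an added example that is not part of the thread or anyone's posted configuration. The customertwo.com and domain.com certificate paths and the snippets/wpmu-locations.conf include (a file holding the location blocks posted earlier) are assumed names.

```nginx
# Added example. Assumed names: the customertwo.com and domain.com certificate
# paths, and snippets/wpmu-locations.conf (the location blocks from the thread).

map $http_host $blogid {
    default -999;
}

# Port 80: still answers for every site that has no certificate yet.
server {
    listen 80;
    server_name domain.com *.domain.com;
    root /var/www/html/portal;
    index index.php;
    include snippets/wpmu-locations.conf;
}

# "n server blocks -> certificate with 1 domain": nginx chooses the block, and
# with it the certificate, from the SNI name the client sends in the handshake.
server {
    listen 443 ssl;
    server_name customerone.com;
    ssl_certificate     /customers/certificates/customerone.com.pem;
    ssl_certificate_key /customers/certificates/customerone.com.key;
    root /var/www/html/portal;
    index index.php;
    include snippets/wpmu-locations.conf;
}

server {
    listen 443 ssl;
    server_name customertwo.com;
    ssl_certificate     /customers/certificates/customertwo.com.pem;  # assumed path
    ssl_certificate_key /customers/certificates/customertwo.com.key;  # assumed path
    root /var/www/html/portal;
    index index.php;
    include snippets/wpmu-locations.conf;
}

# "1 server block -> certificate with n domains": this certificate must list
# domain.com and *.domain.com as subject alternative names.
server {
    listen 443 ssl;
    server_name domain.com *.domain.com;
    ssl_certificate     /customers/certificates/domain.com.pem;  # assumed path
    ssl_certificate_key /customers/certificates/domain.com.key;  # assumed path
    root /var/www/html/portal;
    index index.php;
    include snippets/wpmu-locations.conf;
}
```

The first 443 block in the file is the default for names that match no server_name, so a client asking for a domain without its own block is shown that block's certificate and gets a name-mismatch warning. A Strict-Transport-Security header with includeSubDomains on domain.com makes browsers require HTTPS for every *.domain.com site, so add it only once all of those sites are served over TLS.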
Giulio Loffreda
Re: Wordpress multisite + SSL
April 06, 2018 09:20PM
Crystal clear.

Your “in short” explanation was perfect.

Thank you
