In haproxy, you simply specify a path where you have all your certificates.
frontend https_frontend
bind *:443 ssl crt /etc/haproxy/certs/default-cert.pem crt
/etc/haproxy/certs alpn h2,http/1.1
This way, haproxy will read all certs, and when stuff comes in, it uses the
host header to determine which certificate it should serve.
There was a thread on the haproxy mailing list not long ago, with managing more
than 100k certificates per haproxy instance, and they’re working on further
optimizations with those kinds of deployments (if it’s not already done..
haven’t checked to be honest).
Best Regards,
From: nginx <nginx-boun...@nginx.org> on behalf of Richard Paul
<rich...@primarysite.net>
Reply-To: "nginx@nginx.org" <nginx@nginx.org>
Date: Tuesday, 12 February 2019 at 10.04
To: "nginx@nginx.org" <nginx@nginx.org>
Subject: Re: I'm about to embark on creating 12000 vhosts
Hi Jeff
That's interesting, how do you manage the progamming to load the right
certificate for the right domain coming in as the server name? We need to load
the right certificate for the incoming domain and the 12000 figure is the
number of unique vanity domains without the www. subdomains.
We're planning to follow the same path as you though, we're essentially putting
these Nginx TLS terminators (fronted by GCP load balancers) in front of our
existing Varnish caching and Nginx backend infrastructure which currently only
listen on port 80.
I couldn't work out what the limits are at LE as it's not clear with regards to
adding new unique domains limits. I'm going to have to ask in the forums at
some point so that I can work out what our daily batches are going to be.
Kind regards,
Richard
On Mon, 2019-02-11 at 14:33 -0500, Jeff Dyke wrote:
I use haproxy in a similar way as stated by Rainer, rather than having hundreds
and hundreds of config files (yes there are other ways), i have 1 for haproxy
and 2(on multiple machines defined in HAProxy). One for my main domain that
listens to an "real" server_name and another that listens to `server_name _;`
All of the nginx servers simply listen on 80 and 81 to handle non H2 clients
and the application does the correct thing with the domain. Which is where
YMMV as all applications differ.
I found this much simpler and easier to maintain over time. I got around the
LE limits by a staggered migration, so i was only requesting what was in the
limit each day, then have a custom script that calls LE (which is also on the
same machine as HAProxy) when certs are about 10 days out, so the staggering
stays within the limits. When i was using custom configuration, i was build
them via python using a yaml file and nginx would effectively be a jinja2
template. But even that became onerous. When going down the nginx path ensure
you pay attention to the variables that control domain hash sizes.
http://nginx.org/en/docs/hash.html
HTH, good luck!
Jeff
On Mon, Feb 11, 2019 at 1:58 PM Rainer Duffner
<rai...@ultra-secure.de<mailto:rai...@ultra-secure.de>> wrote:
Am 11.02.2019 um 16:16 schrieb rick_pri
<nginx-fo...@forum.nginx.org<mailto:nginx-fo...@forum.nginx.org>>:
However, our customers, with about 12000 domain names at present have
Let’s Encrypt rate limits will likely make these very difficult to obtain and
also to renew.
If you own the DNS, maybe using Wildcard DNS entries is more practical.
Then, HAProxy allows to just drop all the certificates in a directory and let
itself figure out the domain-names it has to answer.
At least, that’s what my co-worker told me.
Also, there’s the fabio LB with similar goal-posts.
_______________________________________________
nginx mailing list
nginx@nginx.org<mailto:nginx@nginx.org>
http://mailman.nginx.org/mailman/listinfo/nginx
_______________________________________________
nginx mailing list
<mailto:nginx@nginx.org>
nginx@nginx.org<mailto:nginx@nginx.org>
<http://mailman.nginx.org/mailman/listinfo/nginx>
http://mailman.nginx.org/mailman/listinfo/nginx
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
