I use https://dokku.com/ as Platform As A Service (PaaS) tool, which is very convenient until you have dozen of apps deployed (like I do) and hit Let's Encrypt limits.
Enter Wildcard SSL certificate land.
It turns out that it is pretty easy to configure https://nginx.org/ to act as a SSL-offloader for all Dokku apps, as simple as 1,2,3…
1. Create SSL config file
cat /etc/nginx/conf.d/00-ssl.conf
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name *.costan.ro;
access_log /var/log/nginx/ssl-access.log;
error_log /var/log/nginx/ssl-error.log;
ssl_certificate /etc/letsencrypt/live/costan.ro/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/costan.ro/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
keepalive_timeout 70;
location / {
gzip on;
gzip_min_length 1100;
gzip_buffers 4 32k;
gzip_types text/css text/javascript text/xml text/plain text/x-component application/javascript application/x-javascript application/json application/xml application/rss+xml font/truetype application/x-font-ttf font/opentype application/vnd.ms-fontobject image/svg+xml;
gzip_vary on;
gzip_comp_level 6;
proxy_pass http://localhost;
http2_push_preload on;
proxy_http_version 1.1;
proxy_read_timeout 60s;
proxy_buffer_size 4096;
proxy_buffering on;
proxy_buffers 8 4096;
proxy_busy_buffers_size 8192;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Request-Start $msec;
}
}
2. Import config file
grep -C 2 00-ssl /etc/nginx/nginx.conf
http {
include /etc/nginx/conf.d/00-ssl.conf;
include /home/dokku/*/nginx.conf;
3. Reload configuration
systemctl reload nginx