How to handle SSL certificates for implementing WhiteLabel option in a web app running on NGINX server

I'm working on a Web App.

My app runs on the subdomain app.mydomain.com

I need to WhiteLabel my app. I'm asking my Customers to point to their own website via CNAME to my app.

design.customerwebsite.com points to app.mydomain.com

Here is what I have tried to solve this.

I created a new file in /etc/nginx/sites-available named customerwebsite.com and added a symlink to it.

I installed SSL using certbot with the below command.

sudo certbot --nginx -n --redirect -d design.customerwebsite.com

Here is my NGINX conf file for customerwebsite.com:

server {
    server_name www.customerwebsite.com;
    return 301 $scheme://customerwebsite.com$request_uri;
}

server {
    listen       80;
    listen       443 ssl;   # "ssl" is needed here, otherwise the certificate below is never used on this port

    server_name design.customerwebsite.com;

    ssl_certificate     /etc/letsencrypt/live/design.customerwebsite.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/design.customerwebsite.com/privkey.pem;

    root /opt/bitnami/apps/myapp/dist;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_hide_header X-Frame-Options;
        proxy_pass http://localhost:3000;
    }

    proxy_set_header X-Forwarded-Proto $scheme;
    # TLS is terminated on the load balancer, so the scheme the client used is in its header
    if ( $http_x_forwarded_proto != 'https' ) {
        return 301 https://$host$request_uri;
    }
}

I'm successfully able to run my web app on https://design.customerwebsite.com.

But the SSL certificate shows that it is pointed to app.mydomain.com, and the site shows as insecure.

My app.mydomain.com has SSL certificate from Amazon ACM which is attached via Load Balancer.

What should be the approach to solve this?

China answered 17/2, 2020 at 14:14 Comment(1)
Can you provide the app.domain.com nginx configuration? (Ovate)

There are two solutions for this:

1- Add the SSL certs to the load balancer: you need to request a cert with all the supported DNS names (app.mydomain.com and design.customerwebsite.com), and you need to manage the customerwebsite.com domain with Route53. I think that is not possible in your case.

2- Do not use SSL on the load balancer: for this option, we will not terminate SSL on the load balancer; instead it will be passed through to nginx to handle. Your load balancer configs should look like this:

[image of the load balancer listener configuration, not reproduced here]

You need to generate a new SSL cert that includes both domains:


sudo certbot --nginx -n --redirect -d app.mydomain.com -d *.mydomain.com -d design.customerwebsite.com -d *.customerwebsite.com

Nginx configs:

server {
    server_name www.customerwebsite.com;
    return 301 $scheme://customerwebsite.com$request_uri;
}

server {
    listen       80 default_server;
    server_name  design.customerwebsite.com;
    return 301 https://$host$request_uri;
}

server {
    listen       443 ssl default_server;
    # TLSv1 and TLSv1.1 are deprecated; TLSv1.2 (plus TLSv1.3 where the build supports it) is the current baseline
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_certificate     /etc/letsencrypt/live/design.customerwebsite.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/design.customerwebsite.com/privkey.pem;

    server_name design.customerwebsite.com;
    root /opt/bitnami/apps/myapp/dist;

    location / {
        # Docker's embedded DNS; only matters if proxy_pass used a hostname resolved at runtime
        resolver 127.0.0.11 ipv6=off;

        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_hide_header X-Frame-Options;
        proxy_pass http://localhost:3000;
    }
}
Encomium answered 26/2, 2020 at 12:59 Comment(0)

I think that the elements provided to the ACM Load Balancer must match every domain on which you may receive requests. In the certificate, you should have a Subject Alternate Name containing every matching domain.

For example, on stackoverflow.com the certificate has the CN *.stackexchange.com but has these Subject Alternative Names:

DNS:*.askubuntu.com, DNS:*.blogoverflow.com, DNS:*.mathoverflow.net, DNS:*.meta.stackexchange.com, DNS:*.meta.stackoverflow.com, DNS:*.serverfault.com, DNS:*.sstatic.net, DNS:*.stackexchange.com, DNS:*.stackoverflow.com, DNS:*.stackoverflow.email, DNS:*.superuser.com, DNS:askubuntu.com, DNS:blogoverflow.com, DNS:mathoverflow.net, DNS:openid.stackauth.com, DNS:serverfault.com, DNS:sstatic.net, DNS:stackapps.com, DNS:stackauth.com, DNS:stackexchange.com, DNS:stackoverflow.blog, DNS:stackoverflow.com, DNS:stackoverflow.email, DNS:stacksnippets.net, DNS:superuser.com
Lefton answered 25/2, 2020 at 15:0 Comment(1)
Any idea on how to implement this programmatically? (China)
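As an added example (not code from the question or any of the answers), the following Python checks whether a certificate's Subject Alternative Names cover a customer's CNAME hostname, using the wildcard rules browsers apply; it shows why an ACM certificate for app.mydomain.com alone produces the warning in the question, and why the certificate presented for design.customerwebsite.com must list that name (or *.customerwebsite.com, which certbot can only issue through a DNS-01 challenge, not the --nginx HTTP-01 plugin). The SAN lists are constructed for illustration; nothing is fetched from a server.

```python
# Constructed SAN lists for illustration (not fetched from any server).
LB_CERT_SANS = ["app.mydomain.com"]   # what the ACM cert on the load balancer covers
CUSTOMER_SANS = ["app.mydomain.com", "design.customerwebsite.com"]
WILDCARD_SANS = ["*.customerwebsite.com", "customerwebsite.com"]

def parse_san(san_text):
    """Turn an openssl-style SAN line ('DNS:a.example, DNS:*.b.example, IP:10.0.0.1')
    into the list of DNS names; entries that are not DNS names are ignored."""
    names = []
    for entry in san_text.split(","):
        entry = entry.strip()
        if entry.upper().startswith("DNS:"):
            names.append(entry[4:].strip())
    return names

def name_matches(pattern, hostname):
    """RFC 6125 matching as browsers apply it: case-insensitive, and a wildcard
    only as the whole leftmost label covering exactly one label, so
    '*.customerwebsite.com' covers 'design.customerwebsite.com' but not
    'customerwebsite.com' or 'a.b.customerwebsite.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or len(h_labels) < 3:
        return False  # a wildcard never spans labels and never matches '*.tld'
    if not h_labels[0] or "*" in h_labels[0]:
        return False
    return p_labels[1:] == h_labels[1:]

def covering_name(san_names, hostname):
    """Return the SAN entry that covers hostname, or None."""
    for name in san_names:
        if name_matches(name, hostname):
            return name
    return None

def uncovered(san_names, customer_hosts):
    """Customer CNAME hostnames the certificate does NOT cover; each of these
    gets the browser warning described in the question."""
    return [h for h in customer_hosts if covering_name(san_names, h) is None]

if __name__ == "__main__":
    hosts = ["app.mydomain.com", "design.customerwebsite.com"]
    print(uncovered(LB_CERT_SANS, hosts))   # ['design.customerwebsite.com']
    print(uncovered(CUSTOMER_SANS, hosts))  # []
```

Feed `parse_san` the SAN line from `openssl x509 -noout -ext subjectAltName` on the certificate actually presented, and `uncovered` lists the customer domains that still need to be added to it.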

You're forgetting some details: you have to do a configuration for the domain

/////// app.myDominio.com ////////

just as you did for the normal domain, and also create SSL only for this domain. You can use the let script. Configure a path for the NGINX log so you can check for errors that NGINX detects.

You can also use *.domain.com in the NGINX settings (where * means app; maybe it detects it).

Druggist answered 26/2, 2020 at 22:35 Comment(0)
