我通过openresty使用lua并设置环境变量来动态设置域名.我有:
user www-data;
worker_processes auto;
pid /run/Nginx.pid;
events {
worker_connections 768;
}
env MYDOMAIN;
http {
server {
listen 80;
listen 443 ssl;
set_by_lua $MYDOMAIN 'return os.getenv("MYDOMAIN")';
server_name $MYDOMAIN www.$MYDOMAIN;
location / {
proxy_pass http://127.0.0.1:5000;
index index.html index.htm;
}
ssl_certificate /etc/letsencrypt/live/$MYDOMAIN/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/$MYDOMAIN/privkey.pem;
}
}
Nginx: [emerg] BIO_new_file("/etc/letsencrypt/live/$MYDOMAIN/fullchain.pem") Failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/$MYDOMAIN/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
设置server_name工作正常,但在ssl_certificate和ssl_certificate_key的情况下,它的字面值为$MYDOMAIN.
解决方法:
并非每个Nginx指令都允许嵌入变量. ssl_certificate和ssl_certificate_key不支持它.
但是你可以使用ssl_certificate_by_lua_block和ngx.ssl
主要工作流程:
>在Nginx配置中指定任何有效的存根证书.
>按照ngx.ssl synopsis,它需要一些证书格式转换.
使用os.getenv(“MYDOMAIN”)构建文件路径以打开并读取证书.文件内容.
>缓存转换后的密钥,以避免在每次请求时对同一域进行文件读取和转换.
You can always use libraries like lua-resty-lrucache and/or ngx_lua
APIs like lua_shared_dict to do the caching of the DER-formatted
results, for example.
