Tags: amazon-web-services, nginx, ssl-certificate, multi-tenant, aws-acm

How to handle SSL certificates for implementing WhiteLabel option in a web app running on NGINX server


I'm working on a Web App.

My app runs on the subdomain app.mydomain.com

I need to WhiteLabel my app. I'm asking my Customers to point to their own website via CNAME to my app.

design.customerwebsite.com points to app.mydomain.com

Here is what I have tried to solve this.

I created a new file in /etc/nginx/sites-available named customerwebsite.com and added a symlink to the file.

I installed SSL using certbot with the below command.

sudo certbot --nginx -n --redirect -d design.customerwebsite.com

Here is my NGINX conf file for customerwebsite.com:

server {
    server_name www.customerwebsite.com;
    return 301 $scheme://customerwebsite.com$request_uri;
}

server {
    listen 80;
    # 'ssl' is required here; without it nginx speaks plain HTTP on port 443
    # and the ssl_certificate directives below are never used
    listen 443 ssl;

    server_name design.customerwebsite.com;

    ssl_certificate     /etc/letsencrypt/live/design.customerwebsite.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/design.customerwebsite.com/privkey.pem;

    root /opt/bitnami/apps/myapp/dist;

    # redirect to https when the load balancer terminated TLS and forwarded plain HTTP
    if ($http_x_forwarded_proto != 'https') {
        return 301 https://$host$request_uri;
    }

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # proxy_set_header is not inherited once a location sets its own,
        # so X-Forwarded-Proto has to be set here, not at server level
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_hide_header X-Frame-Options;
        proxy_pass http://localhost:3000;
    }
}

I'm successfully able to run my web app on https://design.customerwebsite.com

But the SSL certificate shows that it is pointed to app.mydomain.com, and the site shows as insecure.

My app.mydomain.com has SSL certificate from Amazon ACM which is attached via Load Balancer.

What should be the approach to solve this?


Solution

There are two solutions for this:

1. Add the SSL certs to the load balancer: you need to request a cert with all the supported DNS names (app.mydomain.com and design.customerwebsite.com), and you need to manage the customerwebsite.com domain with Route53. I think that is not possible in your case.

2. Do not use SSL on the load balancer: for this option, we will not terminate SSL on the load balancer; instead it will be passed to nginx to handle. Your load balancer configs should look like this (screenshot not reproduced here).

You need to generate a new SSL cert that includes both domains:

# note: the certbot nginx plugin only does the HTTP-01 challenge, and wildcard
# names (*.mydomain.com, *.customerwebsite.com) require DNS-01, so either drop
# the wildcards here or issue the wildcard cert with a certbot DNS plugin
sudo certbot --nginx -n --redirect -d app.mydomain.com -d *.mydomain.com -d design.customerwebsite.com -d *.customerwebsite.com
    
    

Nginx configs:

server {
    server_name www.customerwebsite.com;
    return 301 $scheme://customerwebsite.com$request_uri;
}

server {
    listen 80 default_server;
    server_name design.customerwebsite.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl default_server;
    # TLSv1 and TLSv1.1 are deprecated; on a current nginx/OpenSSL
    # "ssl_protocols TLSv1.2 TLSv1.3;" is the safe choice
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_certificate     /etc/letsencrypt/live/design.customerwebsite.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/design.customerwebsite.com/privkey.pem;

    server_name design.customerwebsite.com;
    root /opt/bitnami/apps/myapp/dist;

    location / {
        # Docker's embedded DNS; only needed if proxy_pass named a container
        # instead of localhost
        resolver 127.0.0.11 ipv6=off;

        proxy_set_header Host $host;
        # TLS is terminated here, so tell the app the original scheme was https
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_hide_header X-Frame-Options;
        proxy_pass http://localhost:3000;
    }
}
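The symptom in the question (a certificate issued for app.mydomain.com being presented for design.customerwebsite.com) and the multi-name certificate in option 2 of the answer both come down to the browser's hostname check against the certificate's subjectAltName entries. The script below is an added example, not code from the question, the answer or any of the tools mentioned; it models that check (case-insensitive exact match, or a single leftmost-label wildcard that matches exactly one label and so does not cover the bare apex) against constructed certificate stand-ins named ACM_CERT and CERTBOT_CERT, whose SAN lists are taken from the names on this page, and reports which hostnames each would cover.

```python
"""Model of the browser's hostname check against a certificate's
subjectAltName list (added example, not from the question or answer)."""
from dataclasses import dataclass, field


@dataclass
class Certificate:
    """Minimal stand-in for an X.509 certificate: a label and its SAN names."""
    label: str
    san: list[str] = field(default_factory=list)


def hostname_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style comparison of one SAN entry against a hostname.

    Rules applied: case-insensitive exact match; otherwise '*' must be the
    entire leftmost label, must match exactly one label (so *.example.com
    covers www.example.com but not example.com or a.b.example.com), and
    at least two fixed labels must remain (no '*.com')."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[2:]:
        return False
    if len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(cert: Certificate, host: str) -> bool:
    """True if any SAN entry of cert matches host."""
    return any(hostname_matches(name, host) for name in cert.san)


def select_certificate(certs: list[Certificate], host: str):
    """First certificate whose SAN covers host, or None (a name mismatch:
    the browser flags the site as insecure)."""
    for cert in certs:
        if cert_covers(cert, host):
            return cert
    return None


def coverage_report(certs: list[Certificate], hosts: list[str]) -> dict:
    """Map each host to the label of the certificate that covers it (or None)."""
    result = {}
    for host in hosts:
        chosen = select_certificate(certs, host)
        result[host] = chosen.label if chosen else None
    return result


# Constructed stand-ins for the certificates discussed on the page.
# ACM cert on the load balancer: issued for app.mydomain.com only.
ACM_CERT = Certificate("acm-app.mydomain.com", ["app.mydomain.com"])
# Cert requested in option 2 of the answer (names taken from its certbot command).
CERTBOT_CERT = Certificate(
    "letsencrypt-multi-name",
    ["app.mydomain.com", "*.mydomain.com",
     "design.customerwebsite.com", "*.customerwebsite.com"],
)

# Hostnames that appear in the nginx configs on this page.
HOSTS = ["app.mydomain.com", "design.customerwebsite.com",
         "www.customerwebsite.com", "customerwebsite.com"]

if __name__ == "__main__":
    print("load balancer (ACM):", coverage_report([ACM_CERT], HOSTS))
    print("nginx (certbot):    ", coverage_report([CERTBOT_CERT], HOSTS))
```

Running it shows the ACM stand-in covering only app.mydomain.com, which is exactly the name-mismatch warning the question describes. It also shows one gap in option 2 worth checking before relying on it: the www server block redirects to the bare apex customerwebsite.com, and `*.customerwebsite.com` does not cover the apex, so that name needs its own `-d customerwebsite.com` entry if the redirect target is to be served over HTTPS.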