Why I Love Wildcard SSL with NGINX
Instant HTTPS for Any Subdomain
I can spin up a new app at foo.mydomain.com in seconds. No DNS hassle, no cert dance. Just drop a new NGINX config and reload:
server {
    listen 443 ssl;
    # Regex server_name with a named capture of the subdomain part
    server_name ~^(?<subdomain>.+)\.mydomain\.com$;
    # One wildcard certificate covers every subdomain
    ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;
    location / {
        proxy_pass http://localhost:PORT;  # PORT: placeholder for this app's backend port
    }
}
Privacy: Hidden in Plain Sight
Wildcard DNS means no public listing of subdomains.
- No .well-known enumeration for every app
- No subdomain names leaked in certificate transparency logs (only the wildcard entry itself is logged)
- DNS-only wildcard keeps it silent (especially with self-hosted DNS)
Why It Matters
- Fast prototyping — new idea, new subdomain, 1 min deploy
- Stealth — security by obscurity isn’t perfect, but it helps
- Sovereign HTTPS — no third-party dashboards, no limits
- Automation-friendly — auto-renewal with certbot or acme.sh
Example: Certbot DNS Challenge
certbot certonly \
--manual \
--preferred-challenges dns \
--email you@domain.com \
--server https://acme-v02.api.letsencrypt.org/directory \
-d "*.mydomain.com"
Paired with nsupdate or the Porkbun API, you can automate it fully.
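The nsupdate pairing mentioned above, as an added example (not code from this post): a hypothetical certbot --manual-auth-hook / --manual-cleanup-hook that publishes the DNS-01 TXT record through an RFC 2136 dynamic update and waits for it to become visible before certbot asks for validation. DNS_SERVER, DNS_ZONE, TSIG_KEYFILE and the script path are assumptions.

```shell
#!/bin/sh
# Hypothetical certbot hook (added example, not from the post). certbot exports
# CERTBOT_DOMAIN and CERTBOT_VALIDATION; we publish _acme-challenge.<domain> TXT via nsupdate.
# Assumed environment: DNS_SERVER (authoritative server), DNS_ZONE, TSIG_KEYFILE (TSIG key file).
# Usage (assumed path):
#   certbot certonly --manual --preferred-challenges dns \
#     --manual-auth-hook /usr/local/bin/acme-nsupdate.sh \
#     --manual-cleanup-hook "/usr/local/bin/acme-nsupdate.sh cleanup" -d "*.mydomain.com"

# Build the nsupdate batch that adds or deletes the challenge record. Kept in a
# function so the update can be inspected without talking to a DNS server.
acme_nsupdate_batch() {
  action="$1"; domain="$2"; token="$3"; server="$4"; zone="$5"
  domain="${domain#\*.}"                  # "*.mydomain.com" -> "mydomain.com"
  name="_acme-challenge.${domain}."
  printf 'server %s\nzone %s\n' "$server" "$zone"
  if [ "$action" = "add" ]; then
    printf 'update add %s 60 IN TXT "%s"\n' "$name" "$token"
  else
    printf 'update delete %s IN TXT "%s"\n' "$name" "$token"
  fi
  printf 'send\n'
}

# Poll a public resolver until the TXT record is visible, so Let's Encrypt is not
# asked to validate before the record has propagated (max ~150 s).
wait_for_txt() {
  domain="${1#\*.}"; token="$2"; tries=0
  while [ "$tries" -lt 30 ]; do
    if dig +short TXT "_acme-challenge.${domain}" @1.1.1.1 | grep -q "\"${token}\""; then
      return 0
    fi
    tries=$((tries + 1)); sleep 5
  done
  echo "challenge record not visible after 150s" >&2
  return 1
}

# Only act when invoked by certbot (CERTBOT_DOMAIN set); sourcing the file does nothing.
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
  if [ "${1:-}" = "cleanup" ]; then
    acme_nsupdate_batch delete "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" "$DNS_SERVER" "$DNS_ZONE" \
      | nsupdate -k "$TSIG_KEYFILE"
  else
    acme_nsupdate_batch add "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" "$DNS_SERVER" "$DNS_ZONE" \
      | nsupdate -k "$TSIG_KEYFILE"
    wait_for_txt "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION"
  fi
fi
```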
Wildcard + NGINX = Sovereign, Secure, Scalable