Mercurial > hg > nginx-site
annotate xml/en/docs/http/configuring_https_servers.xml @ 2040:093855e77388
Updated info about SNI.
| author | Yaroslav Zhuravlev <yar@nginx.com> |
|---|---|
| date | Thu, 07 Sep 2017 17:13:47 +0300 |
| parents | 40e461a34187 |
| children | aac9e462320b |
| rev | line source |
|---|---|
|
580
be54c443235a
Added copyright markers to documentation sources.
Ruslan Ermilov <ru@nginx.com>
parents:
490
diff
changeset
|
1 <!-- |
|
be54c443235a
Added copyright markers to documentation sources.
Ruslan Ermilov <ru@nginx.com>
parents:
490
diff
changeset
|
2 Copyright (C) Igor Sysoev |
|
be54c443235a
Added copyright markers to documentation sources.
Ruslan Ermilov <ru@nginx.com>
parents:
490
diff
changeset
|
3 Copyright (C) Nginx, Inc. |
|
be54c443235a
Added copyright markers to documentation sources.
Ruslan Ermilov <ru@nginx.com>
parents:
490
diff
changeset
|
4 --> |
|
be54c443235a
Added copyright markers to documentation sources.
Ruslan Ermilov <ru@nginx.com>
parents:
490
diff
changeset
|
5 |
| 50 | 6 <!DOCTYPE article SYSTEM "../../../../dtd/article.dtd"> |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
7 |
|
123
7db449e89e92
Unified the use of the "name" attribute instead of "title".
Ruslan Ermilov <ru@nginx.com>
parents:
121
diff
changeset
|
8 <article name="Configuring HTTPS servers" |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
9 link="/en/docs/http/configuring_https_servers.html" |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
10 lang="en" |
|
2040
093855e77388
Updated info about SNI.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
1757
diff
changeset
|
11 rev="12" |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
12 author="Igor Sysoev" |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
13 editor="Brian Mercer"> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
14 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
15 <section> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
16 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
17 <para> |
|
801
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
18 To configure an HTTPS server, the <literal>ssl</literal> parameter |
|
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
19 must be enabled on |
|
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
20 <link doc="ngx_http_core_module.xml" id="listen">listening sockets</link> |
|
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
21 in the <link doc="ngx_http_core_module.xml" id="server"/> block, |
|
1733
ecf2dd95ceb6
Added links in "Configuring HTTPS servers".
Yaroslav Zhuravlev <yar@nginx.com>
parents:
1505
diff
changeset
|
22 and the locations of the |
|
ecf2dd95ceb6
Added links in "Configuring HTTPS servers".
Yaroslav Zhuravlev <yar@nginx.com>
parents:
1505
diff
changeset
|
23 <link doc="ngx_http_ssl_module.xml" id="ssl_certificate">server certificate</link> |
|
ecf2dd95ceb6
Added links in "Configuring HTTPS servers".
Yaroslav Zhuravlev <yar@nginx.com>
parents:
1505
diff
changeset
|
24 and |
|
ecf2dd95ceb6
Added links in "Configuring HTTPS servers".
Yaroslav Zhuravlev <yar@nginx.com>
parents:
1505
diff
changeset
|
25 <link doc="ngx_http_ssl_module.xml" id="ssl_certificate_key">private key</link> |
|
ecf2dd95ceb6
Added links in "Configuring HTTPS servers".
Yaroslav Zhuravlev <yar@nginx.com>
parents:
1505
diff
changeset
|
26 files should be specified: |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
27 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
28 <programlisting> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
29 server { |
|
801
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
30 listen 443 <b>ssl</b>; |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
31 server_name www.example.com; |
|
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
32 ssl_certificate <b>www.example.com.crt</b>; |
|
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
33 ssl_certificate_key <b>www.example.com.key</b>; |
|
1411
8fe28c6edaa1
Removed SSLv3 from ssl_protocols parameters list as insecure example.
Sergey Budnevitch <sb@waeme.net>
parents:
1144
diff
changeset
|
34 ssl_protocols TLSv1 TLSv1.1 TLSv1.2; |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
35 ssl_ciphers HIGH:!aNULL:!MD5; |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
36 ... |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
37 } |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
38 </programlisting> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
39 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
40 The server certificate is a public entity. |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
41 It is sent to every client that connects to the server. |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
42 The private key is a secure entity and should be stored in a file with |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
43 restricted access, however, it must be readable by nginx’s master process. |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
44 The private key may alternately be stored in the same file as the certificate: |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
45 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
46 <programlisting> |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
47 ssl_certificate www.example.com.cert; |
|
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
48 ssl_certificate_key www.example.com.cert; |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
49 </programlisting> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
50 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
51 in which case the file access rights should also be restricted. |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
52 Although the certificate and the key are stored in one file, |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
53 only the certificate is sent to a client. |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
54 </para> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
55 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
56 <para> |
| 271 | 57 The directives <link doc="ngx_http_ssl_module.xml" id="ssl_protocols"/> and |
| 58 <link doc="ngx_http_ssl_module.xml" id="ssl_ciphers"/> | |
| 59 can be used to limit connections | |
| 56 | 60 to include only the strong versions and ciphers of SSL/TLS. |
|
1499
3687cc9a3592
Removed SSLv3 from the default value of ssl_protocols and friends.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
1411
diff
changeset
|
61 By default nginx uses |
|
3687cc9a3592
Removed SSLv3 from the default value of ssl_protocols and friends.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
1411
diff
changeset
|
62 “<literal>ssl_protocols TLSv1 TLSv1.1 TLSv1.2</literal>” |
|
3687cc9a3592
Removed SSLv3 from the default value of ssl_protocols and friends.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
1411
diff
changeset
|
63 and “<literal>ssl_ciphers HIGH:!aNULL:!MD5</literal>”, |
|
3687cc9a3592
Removed SSLv3 from the default value of ssl_protocols and friends.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
1411
diff
changeset
|
64 so configuring them explicitly is generally not needed. |
|
3687cc9a3592
Removed SSLv3 from the default value of ssl_protocols and friends.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
1411
diff
changeset
|
65 Note that default values of these directives were |
|
3687cc9a3592
Removed SSLv3 from the default value of ssl_protocols and friends.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
1411
diff
changeset
|
66 <link id="compatibility">changed</link> several times. |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
67 </para> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
68 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
69 </section> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
70 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
71 |
|
121
49443032011c
Unified <section> syntax for "article" and "module" documents.
Ruslan Ermilov <ru@nginx.com>
parents:
98
diff
changeset
|
72 <section id="optimization" name="HTTPS server optimization"> |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
73 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
74 <para> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
75 SSL operations consume extra CPU resources. |
|
1733
ecf2dd95ceb6
Added links in "Configuring HTTPS servers".
Yaroslav Zhuravlev <yar@nginx.com>
parents:
1505
diff
changeset
|
76 On multi-processor systems several |
|
ecf2dd95ceb6
Added links in "Configuring HTTPS servers".
Yaroslav Zhuravlev <yar@nginx.com>
parents:
1505
diff
changeset
|
77 <link doc="../ngx_core_module.xml" id="worker_processes">worker processes</link> |
|
ecf2dd95ceb6
Added links in "Configuring HTTPS servers".
Yaroslav Zhuravlev <yar@nginx.com>
parents:
1505
diff
changeset
|
78 should be run, |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
79 no less than the number of available CPU cores. |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
80 The most CPU-intensive operation is the SSL handshake. |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
81 There are two ways to minimize the number of these operations per client: |
|
1733
ecf2dd95ceb6
Added links in "Configuring HTTPS servers".
Yaroslav Zhuravlev <yar@nginx.com>
parents:
1505
diff
changeset
|
82 the first is by enabling |
|
ecf2dd95ceb6
Added links in "Configuring HTTPS servers".
Yaroslav Zhuravlev <yar@nginx.com>
parents:
1505
diff
changeset
|
83 <link doc="ngx_http_core_module.xml" id="keepalive_timeout">keepalive</link> |
|
ecf2dd95ceb6
Added links in "Configuring HTTPS servers".
Yaroslav Zhuravlev <yar@nginx.com>
parents:
1505
diff
changeset
|
84 connections to send several |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
85 requests via one connection and the second is to reuse SSL session |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
86 parameters to avoid SSL handshakes for parallel and subsequent connections. |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
87 The sessions are stored in an SSL session cache shared between workers |
| 271 | 88 and configured by the |
| 89 <link doc="ngx_http_ssl_module.xml" id="ssl_session_cache"/> | |
| 90 directive. | |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
91 One megabyte of the cache contains about 4000 sessions. |
| 271 | 92 The default cache timeout is 5 minutes. |
| 93 It can be increased by using the | |
| 94 <link doc="ngx_http_ssl_module.xml" id="ssl_session_timeout"/> | |
| 95 directive. | |
|
817
4fecf0715bbf
Introducing "worker_processes auto" in SSL configuration examples.
Andrei Belov <defan@nginx.com>
parents:
801
diff
changeset
|
96 Here is a sample configuration optimized for a multi-core system |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
97 with 10 megabyte shared session cache: |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
98 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
99 <programlisting> |
|
817
4fecf0715bbf
Introducing "worker_processes auto" in SSL configuration examples.
Andrei Belov <defan@nginx.com>
parents:
801
diff
changeset
|
100 <b>worker_processes auto</b>; |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
101 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
102 http { |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
103 <b>ssl_session_cache shared:SSL:10m</b>; |
|
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
104 <b>ssl_session_timeout 10m</b>; |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
105 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
106 server { |
|
801
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
107 listen 443 ssl; |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
108 server_name www.example.com; |
|
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
109 <b>keepalive_timeout 70</b>; |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
110 |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
111 ssl_certificate www.example.com.crt; |
|
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
112 ssl_certificate_key www.example.com.key; |
|
1411
8fe28c6edaa1
Removed SSLv3 from ssl_protocols parameters list as insecure example.
Sergey Budnevitch <sb@waeme.net>
parents:
1144
diff
changeset
|
113 ssl_protocols TLSv1 TLSv1.1 TLSv1.2; |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
114 ssl_ciphers HIGH:!aNULL:!MD5; |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
115 ... |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
116 </programlisting> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
117 </para> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
118 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
119 </section> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
120 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
121 |
|
121
49443032011c
Unified <section> syntax for "article" and "module" documents.
Ruslan Ermilov <ru@nginx.com>
parents:
98
diff
changeset
|
122 <section id="chains" name="SSL certificate chains"> |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
123 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
124 <para> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
125 Some browsers may complain about a certificate signed by a well-known |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
126 certificate authority, while other browsers may accept the certificate |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
127 without issues. |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
128 This occurs because the issuing authority has signed the server certificate |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
129 using an intermediate certificate that is not present in the certificate |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
130 base of well-known trusted certificate authorities which is distributed |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
131 with a particular browser. |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
132 In this case the authority provides a bundle of chained certificates |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
133 which should be concatenated to the signed server certificate. |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
134 The server certificate must appear before the chained certificates |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
135 in the combined file: |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
136 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
137 <programlisting> |
|
490
9913f1d51c07
Replaced "nginx" domain names with example domains.
Ruslan Ermilov <ru@nginx.com>
parents:
461
diff
changeset
|
138 $ cat www.example.com.crt bundle.crt > www.example.com.chained.crt |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
139 </programlisting> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
140 |
| 271 | 141 The resulting file should be used in the |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
142 <link doc="ngx_http_ssl_module.xml" id="ssl_certificate"/> directive: |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
143 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
144 <programlisting> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
145 server { |
|
801
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
146 listen 443 ssl; |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
147 server_name www.example.com; |
|
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
148 ssl_certificate www.example.com.chained.crt; |
|
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
149 ssl_certificate_key www.example.com.key; |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
150 ... |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
151 } |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
152 </programlisting> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
153 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
154 If the server certificate and the bundle have been concatenated in the wrong |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
155 order, nginx will fail to start and will display the error message: |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
156 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
157 <programlisting> |
|
490
9913f1d51c07
Replaced "nginx" domain names with example domains.
Ruslan Ermilov <ru@nginx.com>
parents:
461
diff
changeset
|
158 SSL_CTX_use_PrivateKey_file(" ... /www.example.com.key") failed |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
159 (SSL: error:0B080074:x509 certificate routines: |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
160 X509_check_private_key:key values mismatch) |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
161 </programlisting> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
162 |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
163 because nginx has tried to use the private key with the bundle’s |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
164 first certificate instead of the server certificate. |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
165 </para> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
166 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
167 <para> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
168 Browsers usually store intermediate certificates which they receive |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
169 and which are signed by trusted authorities, so actively used browsers |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
170 may already have the required intermediate certificates and |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
171 may not complain about a certificate sent without a chained bundle. |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
172 To ensure the server sends the complete certificate chain, |
|
659
77a3314c74a7
Avoid the uses of second person.
Ruslan Ermilov <ru@nginx.com>
parents:
658
diff
changeset
|
173 the <command>openssl</command> command-line utility may be used, for example: |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
174 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
175 <programlisting> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
176 $ openssl s_client -connect www.godaddy.com:443 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
177 ... |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
178 Certificate chain |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
179 0 s:/C=US/ST=Arizona/L=Scottsdale/1.3.6.1.4.1.311.60.2.1.3=US |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
180 /1.3.6.1.4.1.311.60.2.1.2=AZ/O=GoDaddy.com, Inc |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
181 /OU=MIS Department/<b>CN=www.GoDaddy.com</b> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
182 /serialNumber=0796928-7/2.5.4.15=V1.0, Clause 5.(b) |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
183 i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc. |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
184 /OU=http://certificates.godaddy.com/repository |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
185 /CN=Go Daddy Secure Certification Authority |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
186 /serialNumber=07969287 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
187 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc. |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
188 /OU=http://certificates.godaddy.com/repository |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
189 /CN=Go Daddy Secure Certification Authority |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
190 /serialNumber=07969287 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
191 i:/C=US/O=The Go Daddy Group, Inc. |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
192 /OU=Go Daddy Class 2 Certification Authority |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
193 2 s:/C=US/O=The Go Daddy Group, Inc. |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
194 /OU=Go Daddy Class 2 Certification Authority |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
195 i:/L=ValiCert Validation Network/O=<b>ValiCert, Inc.</b> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
196 /OU=ValiCert Class 2 Policy Validation Authority |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
197 /CN=http://www.valicert.com//emailAddress=info@valicert.com |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
198 ... |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
199 </programlisting> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
200 |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
201 In this example the subject (“<i>s</i>”) of the |
|
593
130fad6dc1b4
Replaced the uses of "url" element with "literal".
Ruslan Ermilov <ru@nginx.com>
parents:
589
diff
changeset
|
202 <literal>www.GoDaddy.com</literal> server certificate #0 is signed by an issuer |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
203 (“<i>i</i>”) which itself is the subject of the certificate #1, |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
204 which is signed by an issuer which itself is the subject of the certificate #2, |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
205 which signed by the well-known issuer <i>ValiCert, Inc.</i> |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
206 whose certificate is stored in the browsers’ built-in |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
207 certificate base (that lay in the house that Jack built). |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
208 </para> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
209 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
210 <para> |
|
659
77a3314c74a7
Avoid the uses of second person.
Ruslan Ermilov <ru@nginx.com>
parents:
658
diff
changeset
|
211 If a certificate bundle has not been added, only the server certificate #0 |
|
77a3314c74a7
Avoid the uses of second person.
Ruslan Ermilov <ru@nginx.com>
parents:
658
diff
changeset
|
212 will be shown. |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
213 </para> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
214 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
215 </section> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
216 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
217 |
|
121
49443032011c
Unified <section> syntax for "article" and "module" documents.
Ruslan Ermilov <ru@nginx.com>
parents:
98
diff
changeset
|
218 <section id="single_http_https_server" name="A single HTTP/HTTPS server"> |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
219 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
220 <para> |
|
801
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
221 It is possible to configure a single server that handles both HTTP |
|
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
222 and HTTPS requests: |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
223 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
224 <programlisting> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
225 server { |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
226 listen 80; |
|
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
227 listen 443 ssl; |
|
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
228 server_name www.example.com; |
|
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
229 ssl_certificate www.example.com.crt; |
|
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
230 ssl_certificate_key www.example.com.key; |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
231 ... |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
232 } |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
233 </programlisting> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
234 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
235 <note> |
|
801
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
236 Prior to 0.7.14 SSL could not be enabled selectively for |
|
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
237 individual listening sockets, as shown above. |
|
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
238 SSL could only be enabled for the entire server using the |
|
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
239 <link doc="ngx_http_ssl_module.xml" id="ssl"/> directive, |
|
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
240 making it impossible to set up a single HTTP/HTTPS server. |
|
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
241 The <literal>ssl</literal> parameter of the |
|
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
242 <link doc="ngx_http_core_module.xml" id="listen"/> directive |
|
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
243 was added to solve this issue. |
|
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
244 The use of the |
|
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
245 <link doc="ngx_http_ssl_module.xml" id="ssl"/> directive |
|
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
246 in modern versions is thus discouraged. |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
247 </note> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
248 </para> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
249 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
250 </section> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
251 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
252 |
|
121
49443032011c
Unified <section> syntax for "article" and "module" documents.
Ruslan Ermilov <ru@nginx.com>
parents:
98
diff
changeset
|
253 <section id="name_based_https_servers" name="Name-based HTTPS servers"> |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
254 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
255 <para> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
256 A common issue arises when configuring two or more HTTPS servers |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
257 listening on a single IP address: |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
258 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
259 <programlisting> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
260 server { |
|
801
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
261 listen 443 ssl; |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
262 server_name www.example.com; |
|
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
263 ssl_certificate www.example.com.crt; |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
264 ... |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
265 } |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
266 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
267 server { |
|
801
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
268 listen 443 ssl; |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
269 server_name www.example.org; |
|
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
270 ssl_certificate www.example.org.crt; |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
271 ... |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
272 } |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
273 </programlisting> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
274 |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
275 With this configuration a browser receives the default server’s certificate, |
|
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
276 i.e. <literal>www.example.com</literal> regardless of the requested server name. |
|
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
277 This is caused by SSL protocol behaviour. |
|
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
278 The SSL connection is established before the browser sends an HTTP request |
|
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
279 and nginx does not know the name of the requested server. |
|
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
280 Therefore, it may only offer the default server’s certificate. |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
281 </para> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
282 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
283 <para> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
284 The oldest and most robust method to resolve the issue |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
285 is to assign a separate IP address for every HTTPS server: |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
286 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
287 <programlisting> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
288 server { |
|
801
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
289 listen 192.168.1.1:443 ssl; |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
290 server_name www.example.com; |
|
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
291 ssl_certificate www.example.com.crt; |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
292 ... |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
293 } |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
294 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
295 server { |
|
801
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
296 listen 192.168.1.2:443 ssl; |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
297 server_name www.example.org; |
|
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
298 ssl_certificate www.example.org.crt; |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
299 ... |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
300 } |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
301 </programlisting> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
302 </para> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
303 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
304 |
|
121
49443032011c
Unified <section> syntax for "article" and "module" documents.
Ruslan Ermilov <ru@nginx.com>
parents:
98
diff
changeset
|
305 <section id="certificate_with_several_names" |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
306 name="An SSL certificate with several names"> |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
307 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
308 <para> |
|
1144
ac131944d349
Changed infinitive to gerund after "allow".
Yaroslav Zhuravlev <yar@nginx.com>
parents:
817
diff
changeset
|
309 There are other ways that allow sharing a single IP address |
|
782
2ceaef0e84a1
Added a phrase about wildcard certificates into the English version of
Ruslan Ermilov <ru@nginx.com>
parents:
661
diff
changeset
|
310 between several HTTPS servers. |
|
2ceaef0e84a1
Added a phrase about wildcard certificates into the English version of
Ruslan Ermilov <ru@nginx.com>
parents:
661
diff
changeset
|
311 However, all of them have their drawbacks. |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
312 One way is to use a certificate with several names in |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
313 the SubjectAltName certificate field, for example, |
|
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
314 <literal>www.example.com</literal> and <literal>www.example.org</literal>. |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
315 However, the SubjectAltName field length is limited. |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
316 </para> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
317 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
318 <para> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
319 Another way is to use a certificate with a wildcard name, for example, |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
320 <literal>*.example.org</literal>. |
|
782
2ceaef0e84a1
Added a phrase about wildcard certificates into the English version of
Ruslan Ermilov <ru@nginx.com>
parents:
661
diff
changeset
|
321 A wildcard certificate secures all subdomains of the specified domain, |
|
2ceaef0e84a1
Added a phrase about wildcard certificates into the English version of
Ruslan Ermilov <ru@nginx.com>
parents:
661
diff
changeset
|
322 but only on one level. |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
323 This certificate matches <literal>www.example.org</literal>, but does not match |
|
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
324 <literal>example.org</literal> and <literal>www.sub.example.org</literal>. |
|
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
325 These two methods can also be combined. |
|
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
326 A certificate may contain exact and wildcard names in the |
|
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
327 SubjectAltName field, for example, |
|
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
328 <literal>example.org</literal> and <literal>*.example.org</literal>. |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
329 </para> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
330 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
331 <para> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
332 It is better to place a certificate file with several names and |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
333 its private key file at the <i>http</i> level of configuration |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
334 to inherit their single memory copy in all servers: |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
335 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
336 <programlisting> |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
337 ssl_certificate common.crt; |
|
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
338 ssl_certificate_key common.key; |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
339 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
340 server { |
|
801
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
341 listen 443 ssl; |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
342 server_name www.example.com; |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
343 ... |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
344 } |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
345 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
346 server { |
|
801
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
347 listen 443 ssl; |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
348 server_name www.example.org; |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
349 ... |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
350 } |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
351 </programlisting> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
352 </para> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
353 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
354 </section> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
355 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
356 |
|
121
49443032011c
Unified <section> syntax for "article" and "module" documents.
Ruslan Ermilov <ru@nginx.com>
parents:
98
diff
changeset
|
357 <section id="sni" name="Server Name Indication"> |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
358 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
359 <para> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
360 A more generic solution for running several HTTPS servers on a single |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
361 IP address is |
|
661
e1579b244800
SNI: expressed more clearly that passing of literal IP addresses in
Ruslan Ermilov <ru@nginx.com>
parents:
660
diff
changeset
|
362 <link url="http://en.wikipedia.org/wiki/Server_Name_Indication">TLS |
|
e1579b244800
SNI: expressed more clearly that passing of literal IP addresses in
Ruslan Ermilov <ru@nginx.com>
parents:
660
diff
changeset
|
363 Server Name Indication extension</link> (SNI, RFC 6066), |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
364 which allows a browser to pass a requested server name during the SSL handshake |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
365 and, therefore, the server will know which certificate it should use |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
366 for the connection. |
|
2040
093855e77388
Updated info about SNI.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
1757
diff
changeset
|
367 SNI is currently |
|
093855e77388
Updated info about SNI.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
1757
diff
changeset
|
368 <link url="http://en.wikipedia.org/wiki/Server_Name_Indication#Support">supported</link> |
|
093855e77388
Updated info about SNI.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
1757
diff
changeset
|
369 by most modern browsers, though may not be used by some old or special clients. |
|
658
bd81a71006fe
Documented that most browsers won't pass an IP address
Ruslan Ermilov <ru@nginx.com>
parents:
593
diff
changeset
|
370 <note> |
|
661
e1579b244800
SNI: expressed more clearly that passing of literal IP addresses in
Ruslan Ermilov <ru@nginx.com>
parents:
660
diff
changeset
|
371 Only domain names can be passed in SNI, |
|
e1579b244800
SNI: expressed more clearly that passing of literal IP addresses in
Ruslan Ermilov <ru@nginx.com>
parents:
660
diff
changeset
|
372 however some browsers may erroneously pass an IP address of the server |
|
e1579b244800
SNI: expressed more clearly that passing of literal IP addresses in
Ruslan Ermilov <ru@nginx.com>
parents:
660
diff
changeset
|
373 as its name if a request includes literal IP address. |
|
e1579b244800
SNI: expressed more clearly that passing of literal IP addresses in
Ruslan Ermilov <ru@nginx.com>
parents:
660
diff
changeset
|
374 One should not rely on this. |
|
658
bd81a71006fe
Documented that most browsers won't pass an IP address
Ruslan Ermilov <ru@nginx.com>
parents:
593
diff
changeset
|
375 </note> |
|
bd81a71006fe
Documented that most browsers won't pass an IP address
Ruslan Ermilov <ru@nginx.com>
parents:
593
diff
changeset
|
376 </para> |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
377 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
378 <para> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
379 In order to use SNI in nginx, it must be supported in both the |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
380 OpenSSL library with which the nginx binary has been built as well as |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
381 the library to which it is being dynamically linked at run time. |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
382 OpenSSL supports SNI since 0.9.8f version if it was built with config option |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
383 <nobr>“--enable-tlsext”.</nobr> |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
384 Since OpenSSL 0.9.8j this option is enabled by default. |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
385 If nginx was built with SNI support, then nginx will show this |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
386 when run with the “-V” switch: |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
387 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
388 <programlisting> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
389 $ nginx -V |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
390 ... |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
391 TLS SNI support enabled |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
392 ... |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
393 </programlisting> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
394 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
395 However, if the SNI-enabled nginx is linked dynamically to |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
396 an OpenSSL library without SNI support, nginx displays the warning: |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
397 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
398 <programlisting> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
399 nginx was built with SNI support, however, now it is linked |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
400 dynamically to an OpenSSL library which has no tlsext support, |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
401 therefore SNI is not available |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
402 </programlisting> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
403 </para> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
404 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
405 </section> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
406 |
|
801
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
407 </section> |
|
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
408 |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
409 |
|
121
49443032011c
Unified <section> syntax for "article" and "module" documents.
Ruslan Ermilov <ru@nginx.com>
parents:
98
diff
changeset
|
410 <section id="compatibility" name="Compatibility"> |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
411 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
412 <para> |
| 461 | 413 <list type="bullet"> |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
414 |
| 461 | 415 <listitem> |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
416 The SNI support status has been shown by the “-V” switch |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
417 since 0.8.21 and 0.7.62. |
| 461 | 418 </listitem> |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
419 |
| 461 | 420 <listitem> |
| 271 | 421 The <literal>ssl</literal> parameter of the |
| 422 <link doc="ngx_http_core_module.xml" id="listen"/> | |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
423 directive has been supported since 0.7.14. |
|
801
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
424 Prior to 0.8.21 it could only be specified along with the |
|
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
425 <literal>default</literal> parameter. |
| 461 | 426 </listitem> |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
427 |
| 461 | 428 <listitem> |
|
1757
40e461a34187
Fixed a typo in nginx version number.
Valentin Bartenev <vbart@nginx.com>
parents:
1733
diff
changeset
|
429 SNI has been supported since 0.5.23. |
| 461 | 430 </listitem> |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
431 |
| 461 | 432 <listitem> |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
433 The shared SSL session cache has been supported since 0.5.6. |
| 461 | 434 </listitem> |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
435 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
436 </list> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
437 </para> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
438 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
439 <para> |
| 461 | 440 <list type="bullet"> |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
441 |
| 461 | 442 <listitem> |
|
1499
3687cc9a3592
Removed SSLv3 from the default value of ssl_protocols and friends.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
1411
diff
changeset
|
443 Version 1.9.1 and later: the default SSL protocols are TLSv1, |
|
3687cc9a3592
Removed SSLv3 from the default value of ssl_protocols and friends.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
1411
diff
changeset
|
444 TLSv1.1, and TLSv1.2 (if supported by the OpenSSL library). |
|
3687cc9a3592
Removed SSLv3 from the default value of ssl_protocols and friends.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
1411
diff
changeset
|
445 </listitem> |
|
3687cc9a3592
Removed SSLv3 from the default value of ssl_protocols and friends.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
1411
diff
changeset
|
446 |
|
3687cc9a3592
Removed SSLv3 from the default value of ssl_protocols and friends.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
1411
diff
changeset
|
447 <listitem> |
|
314
95d5dc7c9884
Documented the new "TLSv1.1" and "TLSv1.2" parameters of the
Ruslan Ermilov <ru@nginx.com>
parents:
271
diff
changeset
|
448 Version 0.7.65, 0.8.19 and later: the default SSL protocols are SSLv3, TLSv1, |
|
95d5dc7c9884
Documented the new "TLSv1.1" and "TLSv1.2" parameters of the
Ruslan Ermilov <ru@nginx.com>
parents:
271
diff
changeset
|
449 TLSv1.1, and TLSv1.2 (if supported by the OpenSSL library). |
| 461 | 450 </listitem> |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
451 |
| 461 | 452 <listitem> |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
453 Version 0.7.64, 0.8.18 and earlier: the default SSL protocols are SSLv2, |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
454 SSLv3, and TLSv1. |
| 461 | 455 </listitem> |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
456 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
457 </list> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
458 </para> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
459 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
460 <para> |
| 461 | 461 <list type="bullet"> |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
462 |
| 461 | 463 <listitem> |
|
43
662995d3e647
Update of SSL ciphers in latest nginx versions.
Igor Sysoev <igor@sysoev.ru>
parents:
42
diff
changeset
|
464 Version 1.0.5 and later: the default SSL ciphers are |
| 271 | 465 “<literal>HIGH:!aNULL:!MD5</literal>”. |
| 461 | 466 </listitem> |
|
43
662995d3e647
Update of SSL ciphers in latest nginx versions.
Igor Sysoev <igor@sysoev.ru>
parents:
42
diff
changeset
|
467 |
| 461 | 468 <listitem> |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
469 Version 0.7.65, 0.8.20 and later: the default SSL ciphers are |
| 271 | 470 “<literal>HIGH:!ADH:!MD5</literal>”. |
| 461 | 471 </listitem> |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
472 |
| 461 | 473 <listitem> |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
474 Version 0.8.19: the default SSL ciphers are |
| 271 | 475 “<literal>ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM</literal>”. |
| 461 | 476 </listitem> |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
477 |
| 461 | 478 <listitem> |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
479 Version 0.7.64, 0.8.18 and earlier: the default SSL ciphers are<br/> |
| 271 | 480 “<literal>ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP</literal>”. |
| 461 | 481 </listitem> |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
482 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
483 </list> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
484 </para> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
485 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
486 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
487 </section> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
488 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
489 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
490 </article> |