Mercurial > hg > nginx-site
annotate xml/en/docs/http/configuring_https_servers.xml @ 3090:27532d42102b default tip
Documented the "rate" parameter of the "error_log" directive.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Sun, 16 Jun 2024 06:55:30 +0300 |
| parents | 37e082fd009c |
| children |
| rev | line source |
|---|---|
|
580
be54c443235a
Added copyright markers to documentation sources.
Ruslan Ermilov <ru@nginx.com>
parents:
490
diff
changeset
|
1 <!-- |
|
be54c443235a
Added copyright markers to documentation sources.
Ruslan Ermilov <ru@nginx.com>
parents:
490
diff
changeset
|
2 Copyright (C) Igor Sysoev |
|
be54c443235a
Added copyright markers to documentation sources.
Ruslan Ermilov <ru@nginx.com>
parents:
490
diff
changeset
|
3 Copyright (C) Nginx, Inc. |
|
be54c443235a
Added copyright markers to documentation sources.
Ruslan Ermilov <ru@nginx.com>
parents:
490
diff
changeset
|
4 --> |
|
be54c443235a
Added copyright markers to documentation sources.
Ruslan Ermilov <ru@nginx.com>
parents:
490
diff
changeset
|
5 |
| 50 | 6 <!DOCTYPE article SYSTEM "../../../../dtd/article.dtd"> |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
7 |
|
123
7db449e89e92
Unified the use of the "name" attribute instead of "title".
Ruslan Ermilov <ru@nginx.com>
parents:
121
diff
changeset
|
8 <article name="Configuring HTTPS servers" |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
9 link="/en/docs/http/configuring_https_servers.html" |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
10 lang="en" |
|
2948
37e082fd009c
Added TLSv1.3 to the default value of ssl_protocols and friends.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
2061
diff
changeset
|
11 rev="14" |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
12 author="Igor Sysoev" |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
13 editor="Brian Mercer"> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
14 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
15 <section> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
16 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
17 <para> |
|
801
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
18 To configure an HTTPS server, the <literal>ssl</literal> parameter |
|
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
19 must be enabled on |
|
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
20 <link doc="ngx_http_core_module.xml" id="listen">listening sockets</link> |
|
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
21 in the <link doc="ngx_http_core_module.xml" id="server"/> block, |
|
1733
ecf2dd95ceb6
Added links in "Configuring HTTPS servers".
Yaroslav Zhuravlev <yar@nginx.com>
parents:
1505
diff
changeset
|
22 and the locations of the |
|
ecf2dd95ceb6
Added links in "Configuring HTTPS servers".
Yaroslav Zhuravlev <yar@nginx.com>
parents:
1505
diff
changeset
|
23 <link doc="ngx_http_ssl_module.xml" id="ssl_certificate">server certificate</link> |
|
ecf2dd95ceb6
Added links in "Configuring HTTPS servers".
Yaroslav Zhuravlev <yar@nginx.com>
parents:
1505
diff
changeset
|
24 and |
|
ecf2dd95ceb6
Added links in "Configuring HTTPS servers".
Yaroslav Zhuravlev <yar@nginx.com>
parents:
1505
diff
changeset
|
25 <link doc="ngx_http_ssl_module.xml" id="ssl_certificate_key">private key</link> |
|
ecf2dd95ceb6
Added links in "Configuring HTTPS servers".
Yaroslav Zhuravlev <yar@nginx.com>
parents:
1505
diff
changeset
|
26 files should be specified: |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
27 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
28 <programlisting> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
29 server { |
|
801
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
30 listen 443 <b>ssl</b>; |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
31 server_name www.example.com; |
|
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
32 ssl_certificate <b>www.example.com.crt</b>; |
|
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
33 ssl_certificate_key <b>www.example.com.key</b>; |
|
2948
37e082fd009c
Added TLSv1.3 to the default value of ssl_protocols and friends.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
2061
diff
changeset
|
34 ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
35 ssl_ciphers HIGH:!aNULL:!MD5; |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
36 ... |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
37 } |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
38 </programlisting> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
39 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
40 The server certificate is a public entity. |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
41 It is sent to every client that connects to the server. |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
42 The private key is a secure entity and should be stored in a file with |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
43 restricted access, however, it must be readable by nginx’s master process. |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
44 The private key may alternately be stored in the same file as the certificate: |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
45 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
46 <programlisting> |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
47 ssl_certificate www.example.com.cert; |
|
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
48 ssl_certificate_key www.example.com.cert; |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
49 </programlisting> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
50 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
51 in which case the file access rights should also be restricted. |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
52 Although the certificate and the key are stored in one file, |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
53 only the certificate is sent to a client. |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
54 </para> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
55 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
56 <para> |
| 271 | 57 The directives <link doc="ngx_http_ssl_module.xml" id="ssl_protocols"/> and |
| 58 <link doc="ngx_http_ssl_module.xml" id="ssl_ciphers"/> | |
| 59 can be used to limit connections | |
| 56 | 60 to include only the strong versions and ciphers of SSL/TLS. |
|
1499
3687cc9a3592
Removed SSLv3 from the default value of ssl_protocols and friends.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
1411
diff
changeset
|
61 By default nginx uses |
|
2948
37e082fd009c
Added TLSv1.3 to the default value of ssl_protocols and friends.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
2061
diff
changeset
|
62 “<literal>ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3</literal>” |
|
1499
3687cc9a3592
Removed SSLv3 from the default value of ssl_protocols and friends.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
1411
diff
changeset
|
63 and “<literal>ssl_ciphers HIGH:!aNULL:!MD5</literal>”, |
|
3687cc9a3592
Removed SSLv3 from the default value of ssl_protocols and friends.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
1411
diff
changeset
|
64 so configuring them explicitly is generally not needed. |
|
3687cc9a3592
Removed SSLv3 from the default value of ssl_protocols and friends.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
1411
diff
changeset
|
65 Note that default values of these directives were |
|
3687cc9a3592
Removed SSLv3 from the default value of ssl_protocols and friends.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
1411
diff
changeset
|
66 <link id="compatibility">changed</link> several times. |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
67 </para> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
68 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
69 </section> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
70 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
71 |
|
121
49443032011c
Unified <section> syntax for "article" and "module" documents.
Ruslan Ermilov <ru@nginx.com>
parents:
98
diff
changeset
|
72 <section id="optimization" name="HTTPS server optimization"> |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
73 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
74 <para> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
75 SSL operations consume extra CPU resources. |
|
1733
ecf2dd95ceb6
Added links in "Configuring HTTPS servers".
Yaroslav Zhuravlev <yar@nginx.com>
parents:
1505
diff
changeset
|
76 On multi-processor systems several |
|
ecf2dd95ceb6
Added links in "Configuring HTTPS servers".
Yaroslav Zhuravlev <yar@nginx.com>
parents:
1505
diff
changeset
|
77 <link doc="../ngx_core_module.xml" id="worker_processes">worker processes</link> |
|
ecf2dd95ceb6
Added links in "Configuring HTTPS servers".
Yaroslav Zhuravlev <yar@nginx.com>
parents:
1505
diff
changeset
|
78 should be run, |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
79 no less than the number of available CPU cores. |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
80 The most CPU-intensive operation is the SSL handshake. |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
81 There are two ways to minimize the number of these operations per client: |
|
1733
ecf2dd95ceb6
Added links in "Configuring HTTPS servers".
Yaroslav Zhuravlev <yar@nginx.com>
parents:
1505
diff
changeset
|
82 the first is by enabling |
|
ecf2dd95ceb6
Added links in "Configuring HTTPS servers".
Yaroslav Zhuravlev <yar@nginx.com>
parents:
1505
diff
changeset
|
83 <link doc="ngx_http_core_module.xml" id="keepalive_timeout">keepalive</link> |
|
ecf2dd95ceb6
Added links in "Configuring HTTPS servers".
Yaroslav Zhuravlev <yar@nginx.com>
parents:
1505
diff
changeset
|
84 connections to send several |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
85 requests via one connection and the second is to reuse SSL session |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
86 parameters to avoid SSL handshakes for parallel and subsequent connections. |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
87 The sessions are stored in an SSL session cache shared between workers |
| 271 | 88 and configured by the |
| 89 <link doc="ngx_http_ssl_module.xml" id="ssl_session_cache"/> | |
| 90 directive. | |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
91 One megabyte of the cache contains about 4000 sessions. |
| 271 | 92 The default cache timeout is 5 minutes. |
| 93 It can be increased by using the | |
| 94 <link doc="ngx_http_ssl_module.xml" id="ssl_session_timeout"/> | |
| 95 directive. | |
|
817
4fecf0715bbf
Introducing "worker_processes auto" in SSL configuration examples.
Andrei Belov <defan@nginx.com>
parents:
801
diff
changeset
|
96 Here is a sample configuration optimized for a multi-core system |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
97 with 10 megabyte shared session cache: |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
98 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
99 <programlisting> |
|
817
4fecf0715bbf
Introducing "worker_processes auto" in SSL configuration examples.
Andrei Belov <defan@nginx.com>
parents:
801
diff
changeset
|
100 <b>worker_processes auto</b>; |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
101 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
102 http { |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
103 <b>ssl_session_cache shared:SSL:10m</b>; |
|
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
104 <b>ssl_session_timeout 10m</b>; |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
105 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
106 server { |
|
801
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
107 listen 443 ssl; |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
108 server_name www.example.com; |
|
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
109 <b>keepalive_timeout 70</b>; |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
110 |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
111 ssl_certificate www.example.com.crt; |
|
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
112 ssl_certificate_key www.example.com.key; |
|
2948
37e082fd009c
Added TLSv1.3 to the default value of ssl_protocols and friends.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
2061
diff
changeset
|
113 ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
114 ssl_ciphers HIGH:!aNULL:!MD5; |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
115 ... |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
116 </programlisting> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
117 </para> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
118 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
119 </section> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
120 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
121 |
|
121
49443032011c
Unified <section> syntax for "article" and "module" documents.
Ruslan Ermilov <ru@nginx.com>
parents:
98
diff
changeset
|
122 <section id="chains" name="SSL certificate chains"> |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
123 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
124 <para> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
125 Some browsers may complain about a certificate signed by a well-known |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
126 certificate authority, while other browsers may accept the certificate |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
127 without issues. |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
128 This occurs because the issuing authority has signed the server certificate |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
129 using an intermediate certificate that is not present in the certificate |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
130 base of well-known trusted certificate authorities which is distributed |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
131 with a particular browser. |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
132 In this case the authority provides a bundle of chained certificates |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
133 which should be concatenated to the signed server certificate. |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
134 The server certificate must appear before the chained certificates |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
135 in the combined file: |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
136 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
137 <programlisting> |
|
490
9913f1d51c07
Replaced "nginx" domain names with example domains.
Ruslan Ermilov <ru@nginx.com>
parents:
461
diff
changeset
|
138 $ cat www.example.com.crt bundle.crt > www.example.com.chained.crt |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
139 </programlisting> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
140 |
| 271 | 141 The resulting file should be used in the |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
142 <link doc="ngx_http_ssl_module.xml" id="ssl_certificate"/> directive: |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
143 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
144 <programlisting> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
145 server { |
|
801
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
146 listen 443 ssl; |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
147 server_name www.example.com; |
|
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
148 ssl_certificate www.example.com.chained.crt; |
|
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
149 ssl_certificate_key www.example.com.key; |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
150 ... |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
151 } |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
152 </programlisting> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
153 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
154 If the server certificate and the bundle have been concatenated in the wrong |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
155 order, nginx will fail to start and will display the error message: |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
156 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
157 <programlisting> |
|
490
9913f1d51c07
Replaced "nginx" domain names with example domains.
Ruslan Ermilov <ru@nginx.com>
parents:
461
diff
changeset
|
158 SSL_CTX_use_PrivateKey_file(" ... /www.example.com.key") failed |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
159 (SSL: error:0B080074:x509 certificate routines: |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
160 X509_check_private_key:key values mismatch) |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
161 </programlisting> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
162 |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
163 because nginx has tried to use the private key with the bundle’s |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
164 first certificate instead of the server certificate. |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
165 </para> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
166 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
167 <para> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
168 Browsers usually store intermediate certificates which they receive |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
169 and which are signed by trusted authorities, so actively used browsers |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
170 may already have the required intermediate certificates and |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
171 may not complain about a certificate sent without a chained bundle. |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
172 To ensure the server sends the complete certificate chain, |
|
659
77a3314c74a7
Avoid the uses of second person.
Ruslan Ermilov <ru@nginx.com>
parents:
658
diff
changeset
|
173 the <command>openssl</command> command-line utility may be used, for example: |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
174 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
175 <programlisting> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
176 $ openssl s_client -connect www.godaddy.com:443 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
177 ... |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
178 Certificate chain |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
179 0 s:/C=US/ST=Arizona/L=Scottsdale/1.3.6.1.4.1.311.60.2.1.3=US |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
180 /1.3.6.1.4.1.311.60.2.1.2=AZ/O=GoDaddy.com, Inc |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
181 /OU=MIS Department/<b>CN=www.GoDaddy.com</b> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
182 /serialNumber=0796928-7/2.5.4.15=V1.0, Clause 5.(b) |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
183 i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc. |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
184 /OU=http://certificates.godaddy.com/repository |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
185 /CN=Go Daddy Secure Certification Authority |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
186 /serialNumber=07969287 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
187 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc. |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
188 /OU=http://certificates.godaddy.com/repository |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
189 /CN=Go Daddy Secure Certification Authority |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
190 /serialNumber=07969287 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
191 i:/C=US/O=The Go Daddy Group, Inc. |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
192 /OU=Go Daddy Class 2 Certification Authority |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
193 2 s:/C=US/O=The Go Daddy Group, Inc. |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
194 /OU=Go Daddy Class 2 Certification Authority |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
195 i:/L=ValiCert Validation Network/O=<b>ValiCert, Inc.</b> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
196 /OU=ValiCert Class 2 Policy Validation Authority |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
197 /CN=http://www.valicert.com//emailAddress=info@valicert.com |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
198 ... |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
199 </programlisting> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
200 |
|
2061
aac9e462320b
Added note about s_client and SNI (trac #708).
Yaroslav Zhuravlev <yar@nginx.com>
parents:
2040
diff
changeset
|
201 <note> |
|
aac9e462320b
Added note about s_client and SNI (trac #708).
Yaroslav Zhuravlev <yar@nginx.com>
parents:
2040
diff
changeset
|
202 When testing configurations with <link id="sni">SNI</link>, |
|
aac9e462320b
Added note about s_client and SNI (trac #708).
Yaroslav Zhuravlev <yar@nginx.com>
parents:
2040
diff
changeset
|
203 it is important to specify the <literal>-servername</literal> option |
|
aac9e462320b
Added note about s_client and SNI (trac #708).
Yaroslav Zhuravlev <yar@nginx.com>
parents:
2040
diff
changeset
|
204 as <command>openssl</command> does not use SNI by default. |
|
aac9e462320b
Added note about s_client and SNI (trac #708).
Yaroslav Zhuravlev <yar@nginx.com>
parents:
2040
diff
changeset
|
205 </note> |
|
aac9e462320b
Added note about s_client and SNI (trac #708).
Yaroslav Zhuravlev <yar@nginx.com>
parents:
2040
diff
changeset
|
206 |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
207 In this example the subject (“<i>s</i>”) of the |
|
593
130fad6dc1b4
Replaced the uses of "url" element with "literal".
Ruslan Ermilov <ru@nginx.com>
parents:
589
diff
changeset
|
208 <literal>www.GoDaddy.com</literal> server certificate #0 is signed by an issuer |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
209 (“<i>i</i>”) which itself is the subject of the certificate #1, |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
210 which is signed by an issuer which itself is the subject of the certificate #2, |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
211 which signed by the well-known issuer <i>ValiCert, Inc.</i> |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
212 whose certificate is stored in the browsers’ built-in |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
213 certificate base (that lay in the house that Jack built). |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
214 </para> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
215 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
216 <para> |
|
659
77a3314c74a7
Avoid the uses of second person.
Ruslan Ermilov <ru@nginx.com>
parents:
658
diff
changeset
|
217 If a certificate bundle has not been added, only the server certificate #0 |
|
77a3314c74a7
Avoid the uses of second person.
Ruslan Ermilov <ru@nginx.com>
parents:
658
diff
changeset
|
218 will be shown. |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
219 </para> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
220 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
221 </section> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
222 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
223 |
|
121
49443032011c
Unified <section> syntax for "article" and "module" documents.
Ruslan Ermilov <ru@nginx.com>
parents:
98
diff
changeset
|
224 <section id="single_http_https_server" name="A single HTTP/HTTPS server"> |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
225 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
226 <para> |
|
801
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
227 It is possible to configure a single server that handles both HTTP |
|
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
228 and HTTPS requests: |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
229 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
230 <programlisting> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
231 server { |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
232 listen 80; |
|
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
233 listen 443 ssl; |
|
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
234 server_name www.example.com; |
|
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
235 ssl_certificate www.example.com.crt; |
|
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
236 ssl_certificate_key www.example.com.key; |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
237 ... |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
238 } |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
239 </programlisting> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
240 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
241 <note> |
|
801
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
242 Prior to 0.7.14 SSL could not be enabled selectively for |
|
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
243 individual listening sockets, as shown above. |
|
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
244 SSL could only be enabled for the entire server using the |
|
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
245 <link doc="ngx_http_ssl_module.xml" id="ssl"/> directive, |
|
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
246 making it impossible to set up a single HTTP/HTTPS server. |
|
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
247 The <literal>ssl</literal> parameter of the |
|
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
248 <link doc="ngx_http_core_module.xml" id="listen"/> directive |
|
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
249 was added to solve this issue. |
|
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
250 The use of the |
|
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
251 <link doc="ngx_http_ssl_module.xml" id="ssl"/> directive |
|
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
252 in modern versions is thus discouraged. |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
253 </note> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
254 </para> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
255 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
256 </section> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
257 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
258 |
|
121
49443032011c
Unified <section> syntax for "article" and "module" documents.
Ruslan Ermilov <ru@nginx.com>
parents:
98
diff
changeset
|
259 <section id="name_based_https_servers" name="Name-based HTTPS servers"> |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
260 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
261 <para> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
262 A common issue arises when configuring two or more HTTPS servers |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
263 listening on a single IP address: |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
264 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
265 <programlisting> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
266 server { |
|
801
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
267 listen 443 ssl; |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
268 server_name www.example.com; |
|
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
269 ssl_certificate www.example.com.crt; |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
270 ... |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
271 } |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
272 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
273 server { |
|
801
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
274 listen 443 ssl; |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
275 server_name www.example.org; |
|
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
276 ssl_certificate www.example.org.crt; |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
277 ... |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
278 } |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
279 </programlisting> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
280 |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
281 With this configuration a browser receives the default server’s certificate, |
|
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
282 i.e. <literal>www.example.com</literal> regardless of the requested server name. |
|
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
283 This is caused by SSL protocol behaviour. |
|
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
284 The SSL connection is established before the browser sends an HTTP request |
|
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
285 and nginx does not know the name of the requested server. |
|
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
286 Therefore, it may only offer the default server’s certificate. |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
287 </para> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
288 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
289 <para> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
290 The oldest and most robust method to resolve the issue |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
291 is to assign a separate IP address for every HTTPS server: |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
292 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
293 <programlisting> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
294 server { |
|
801
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
295 listen 192.168.1.1:443 ssl; |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
296 server_name www.example.com; |
|
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
297 ssl_certificate www.example.com.crt; |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
298 ... |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
299 } |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
300 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
301 server { |
|
801
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
302 listen 192.168.1.2:443 ssl; |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
303 server_name www.example.org; |
|
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
304 ssl_certificate www.example.org.crt; |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
305 ... |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
306 } |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
307 </programlisting> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
308 </para> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
309 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
310 |
|
121
49443032011c
Unified <section> syntax for "article" and "module" documents.
Ruslan Ermilov <ru@nginx.com>
parents:
98
diff
changeset
|
311 <section id="certificate_with_several_names" |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
312 name="An SSL certificate with several names"> |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
313 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
314 <para> |
|
1144
ac131944d349
Changed infinitive to gerund after "allow".
Yaroslav Zhuravlev <yar@nginx.com>
parents:
817
diff
changeset
|
315 There are other ways that allow sharing a single IP address |
|
782
2ceaef0e84a1
Added a phrase about wildcard certificates into the English version of
Ruslan Ermilov <ru@nginx.com>
parents:
661
diff
changeset
|
316 between several HTTPS servers. |
|
2ceaef0e84a1
Added a phrase about wildcard certificates into the English version of
Ruslan Ermilov <ru@nginx.com>
parents:
661
diff
changeset
|
317 However, all of them have their drawbacks. |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
318 One way is to use a certificate with several names in |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
319 the SubjectAltName certificate field, for example, |
|
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
320 <literal>www.example.com</literal> and <literal>www.example.org</literal>. |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
321 However, the SubjectAltName field length is limited. |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
322 </para> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
323 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
324 <para> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
325 Another way is to use a certificate with a wildcard name, for example, |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
326 <literal>*.example.org</literal>. |
|
782
2ceaef0e84a1
Added a phrase about wildcard certificates into the English version of
Ruslan Ermilov <ru@nginx.com>
parents:
661
diff
changeset
|
327 A wildcard certificate secures all subdomains of the specified domain, |
|
2ceaef0e84a1
Added a phrase about wildcard certificates into the English version of
Ruslan Ermilov <ru@nginx.com>
parents:
661
diff
changeset
|
328 but only on one level. |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
329 This certificate matches <literal>www.example.org</literal>, but does not match |
|
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
330 <literal>example.org</literal> and <literal>www.sub.example.org</literal>. |
|
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
331 These two methods can also be combined. |
|
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
332 A certificate may contain exact and wildcard names in the |
|
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
333 SubjectAltName field, for example, |
|
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
334 <literal>example.org</literal> and <literal>*.example.org</literal>. |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
335 </para> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
336 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
337 <para> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
338 It is better to place a certificate file with several names and |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
339 its private key file at the <i>http</i> level of configuration |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
340 to inherit their single memory copy in all servers: |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
341 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
342 <programlisting> |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
343 ssl_certificate common.crt; |
|
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
344 ssl_certificate_key common.key; |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
345 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
346 server { |
|
801
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
347 listen 443 ssl; |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
348 server_name www.example.com; |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
349 ... |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
350 } |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
351 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
352 server { |
|
801
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
353 listen 443 ssl; |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
354 server_name www.example.org; |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
355 ... |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
356 } |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
357 </programlisting> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
358 </para> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
359 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
360 </section> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
361 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
362 |
|
121
49443032011c
Unified <section> syntax for "article" and "module" documents.
Ruslan Ermilov <ru@nginx.com>
parents:
98
diff
changeset
|
363 <section id="sni" name="Server Name Indication"> |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
364 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
365 <para> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
366 A more generic solution for running several HTTPS servers on a single |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
367 IP address is |
|
661
e1579b244800
SNI: expressed more clearly that passing of literal IP addresses in
Ruslan Ermilov <ru@nginx.com>
parents:
660
diff
changeset
|
368 <link url="http://en.wikipedia.org/wiki/Server_Name_Indication">TLS |
|
e1579b244800
SNI: expressed more clearly that passing of literal IP addresses in
Ruslan Ermilov <ru@nginx.com>
parents:
660
diff
changeset
|
369 Server Name Indication extension</link> (SNI, RFC 6066), |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
370 which allows a browser to pass a requested server name during the SSL handshake |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
371 and, therefore, the server will know which certificate it should use |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
372 for the connection. |
|
2040
093855e77388
Updated info about SNI.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
1757
diff
changeset
|
373 SNI is currently |
|
093855e77388
Updated info about SNI.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
1757
diff
changeset
|
374 <link url="http://en.wikipedia.org/wiki/Server_Name_Indication#Support">supported</link> |
|
093855e77388
Updated info about SNI.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
1757
diff
changeset
|
375 by most modern browsers, though may not be used by some old or special clients. |
|
658
bd81a71006fe
Documented that most browsers won't pass an IP address
Ruslan Ermilov <ru@nginx.com>
parents:
593
diff
changeset
|
376 <note> |
|
661
e1579b244800
SNI: expressed more clearly that passing of literal IP addresses in
Ruslan Ermilov <ru@nginx.com>
parents:
660
diff
changeset
|
377 Only domain names can be passed in SNI, |
|
e1579b244800
SNI: expressed more clearly that passing of literal IP addresses in
Ruslan Ermilov <ru@nginx.com>
parents:
660
diff
changeset
|
378 however some browsers may erroneously pass an IP address of the server |
|
e1579b244800
SNI: expressed more clearly that passing of literal IP addresses in
Ruslan Ermilov <ru@nginx.com>
parents:
660
diff
changeset
|
379 as its name if a request includes literal IP address. |
|
e1579b244800
SNI: expressed more clearly that passing of literal IP addresses in
Ruslan Ermilov <ru@nginx.com>
parents:
660
diff
changeset
|
380 One should not rely on this. |
|
658
bd81a71006fe
Documented that most browsers won't pass an IP address
Ruslan Ermilov <ru@nginx.com>
parents:
593
diff
changeset
|
381 </note> |
|
bd81a71006fe
Documented that most browsers won't pass an IP address
Ruslan Ermilov <ru@nginx.com>
parents:
593
diff
changeset
|
382 </para> |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
383 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
384 <para> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
385 In order to use SNI in nginx, it must be supported in both the |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
386 OpenSSL library with which the nginx binary has been built as well as |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
387 the library to which it is being dynamically linked at run time. |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
388 OpenSSL supports SNI since 0.9.8f version if it was built with config option |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
389 <nobr>“--enable-tlsext”.</nobr> |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
390 Since OpenSSL 0.9.8j this option is enabled by default. |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
391 If nginx was built with SNI support, then nginx will show this |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
392 when run with the “-V” switch: |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
393 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
394 <programlisting> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
395 $ nginx -V |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
396 ... |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
397 TLS SNI support enabled |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
398 ... |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
399 </programlisting> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
400 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
401 However, if the SNI-enabled nginx is linked dynamically to |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
402 an OpenSSL library without SNI support, nginx displays the warning: |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
403 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
404 <programlisting> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
405 nginx was built with SNI support, however, now it is linked |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
406 dynamically to an OpenSSL library which has no tlsext support, |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
407 therefore SNI is not available |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
408 </programlisting> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
409 </para> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
410 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
411 </section> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
412 |
|
801
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
413 </section> |
|
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
414 |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
415 |
|
121
49443032011c
Unified <section> syntax for "article" and "module" documents.
Ruslan Ermilov <ru@nginx.com>
parents:
98
diff
changeset
|
416 <section id="compatibility" name="Compatibility"> |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
417 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
418 <para> |
| 461 | 419 <list type="bullet"> |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
420 |
| 461 | 421 <listitem> |
|
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
422 The SNI support status has been shown by the “-V” switch |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
423 since 0.8.21 and 0.7.62. |
| 461 | 424 </listitem> |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
425 |
| 461 | 426 <listitem> |
| 271 | 427 The <literal>ssl</literal> parameter of the |
| 428 <link doc="ngx_http_core_module.xml" id="listen"/> | |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
429 directive has been supported since 0.7.14. |
|
801
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
430 Prior to 0.8.21 it could only be specified along with the |
|
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
431 <literal>default</literal> parameter. |
| 461 | 432 </listitem> |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
433 |
| 461 | 434 <listitem> |
|
1757
40e461a34187
Fixed a typo in nginx version number.
Valentin Bartenev <vbart@nginx.com>
parents:
1733
diff
changeset
|
435 SNI has been supported since 0.5.23. |
| 461 | 436 </listitem> |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
437 |
| 461 | 438 <listitem> |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
439 The shared SSL session cache has been supported since 0.5.6. |
| 461 | 440 </listitem> |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
441 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
442 </list> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
443 </para> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
444 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
445 <para> |
| 461 | 446 <list type="bullet"> |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
447 |
| 461 | 448 <listitem> |
|
2948
37e082fd009c
Added TLSv1.3 to the default value of ssl_protocols and friends.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
2061
diff
changeset
|
449 Version 1.23.4 and later: the default SSL protocols are TLSv1, |
|
37e082fd009c
Added TLSv1.3 to the default value of ssl_protocols and friends.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
2061
diff
changeset
|
450 TLSv1.1, TLSv1.2, and TLSv1.3 (if supported by the OpenSSL library). |
|
37e082fd009c
Added TLSv1.3 to the default value of ssl_protocols and friends.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
2061
diff
changeset
|
451 </listitem> |
|
37e082fd009c
Added TLSv1.3 to the default value of ssl_protocols and friends.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
2061
diff
changeset
|
452 |
|
37e082fd009c
Added TLSv1.3 to the default value of ssl_protocols and friends.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
2061
diff
changeset
|
453 <listitem> |
|
1499
3687cc9a3592
Removed SSLv3 from the default value of ssl_protocols and friends.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
1411
diff
changeset
|
454 Version 1.9.1 and later: the default SSL protocols are TLSv1, |
|
3687cc9a3592
Removed SSLv3 from the default value of ssl_protocols and friends.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
1411
diff
changeset
|
455 TLSv1.1, and TLSv1.2 (if supported by the OpenSSL library). |
|
3687cc9a3592
Removed SSLv3 from the default value of ssl_protocols and friends.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
1411
diff
changeset
|
456 </listitem> |
|
3687cc9a3592
Removed SSLv3 from the default value of ssl_protocols and friends.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
1411
diff
changeset
|
457 |
|
3687cc9a3592
Removed SSLv3 from the default value of ssl_protocols and friends.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
1411
diff
changeset
|
458 <listitem> |
|
314
95d5dc7c9884
Documented the new "TLSv1.1" and "TLSv1.2" parameters of the
Ruslan Ermilov <ru@nginx.com>
parents:
271
diff
changeset
|
459 Version 0.7.65, 0.8.19 and later: the default SSL protocols are SSLv3, TLSv1, |
|
95d5dc7c9884
Documented the new "TLSv1.1" and "TLSv1.2" parameters of the
Ruslan Ermilov <ru@nginx.com>
parents:
271
diff
changeset
|
460 TLSv1.1, and TLSv1.2 (if supported by the OpenSSL library). |
| 461 | 461 </listitem> |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
462 |
| 461 | 463 <listitem> |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
464 Version 0.7.64, 0.8.18 and earlier: the default SSL protocols are SSLv2, |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
465 SSLv3, and TLSv1. |
| 461 | 466 </listitem> |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
467 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
468 </list> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
469 </para> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
470 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
471 <para> |
| 461 | 472 <list type="bullet"> |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
473 |
| 461 | 474 <listitem> |
|
43
662995d3e647
Update of SSL ciphers in latest nginx versions.
Igor Sysoev <igor@sysoev.ru>
parents:
42
diff
changeset
|
475 Version 1.0.5 and later: the default SSL ciphers are |
| 271 | 476 “<literal>HIGH:!aNULL:!MD5</literal>”. |
| 461 | 477 </listitem> |
|
43
662995d3e647
Update of SSL ciphers in latest nginx versions.
Igor Sysoev <igor@sysoev.ru>
parents:
42
diff
changeset
|
478 |
| 461 | 479 <listitem> |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
480 Version 0.7.65, 0.8.20 and later: the default SSL ciphers are |
| 271 | 481 “<literal>HIGH:!ADH:!MD5</literal>”. |
| 461 | 482 </listitem> |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
483 |
| 461 | 484 <listitem> |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
485 Version 0.8.19: the default SSL ciphers are |
| 271 | 486 “<literal>ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM</literal>”. |
| 461 | 487 </listitem> |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
488 |
| 461 | 489 <listitem> |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
490 Version 0.7.64, 0.8.18 and earlier: the default SSL ciphers are<br/> |
| 271 | 491 “<literal>ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP</literal>”. |
| 461 | 492 </listitem> |
|
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
493 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
494 </list> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
495 </para> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
496 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
497 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
498 </section> |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
499 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
500 |
|
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
501 </article> |