comparison xml/en/docs/http/configuring_https_servers.xml @ 271:4c6d2c614d2c

Cleaned up XML tag mess:
- all of <parameter> and <code>, and some of <dirname>, <value>, and <command> were replaced by <literal>;
- the rest of <dirname> were replaced by links;
- <argument> were replaced by <value>;
- <value> is now rendered in HTML in italic;
- <literal> and <path> can now contain <value>.

Cleaned up terminology mess:
- directives take "parameters".
author Ruslan Ermilov <ru@nginx.com>
date Fri, 23 Dec 2011 17:29:59 +0000
parents c09d374c86c6
children 95d5dc7c9884
270:945d7299c26c 271:4c6d2c614d2c
41 Although the certificate and the key are stored in one file, 41 Although the certificate and the key are stored in one file,
42 only the certificate is sent to a client. 42 only the certificate is sent to a client.
43 </para> 43 </para>
44 44
45 <para> 45 <para>
46 The directives <dirname>ssl_protocols</dirname> and 46 The directives <link doc="ngx_http_ssl_module.xml" id="ssl_protocols"/> and
47 <dirname>ssl_ciphers</dirname> can be used to limit connections 47 <link doc="ngx_http_ssl_module.xml" id="ssl_ciphers"/>
48 can be used to limit connections
48 to include only the strong versions and ciphers of SSL/TLS. 49 to include only the strong versions and ciphers of SSL/TLS.
49 Since version 1.0.5, nginx uses <dirname>ssl_protocols SSLv3 TLSv1</dirname> 50 Since version 1.0.5, nginx uses “<literal>ssl_protocols SSLv3 TLSv1</literal>”
50 and <dirname>ssl_ciphers HIGH:!aNULL:!MD5</dirname> by default, 51 and “<literal>ssl_ciphers HIGH:!aNULL:!MD5</literal>” by default,
51 so configuring them explicitly only makes sense for the earlier nginx versions. 52 so configuring them explicitly only makes sense for the earlier nginx versions.
52 </para> 53 </para>
53 54
54 <para> 55 <para>
55 CBC-mode ciphers might be vulnerable to a number of attacks and to 56 CBC-mode ciphers might be vulnerable to a number of attacks and to
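Review bot: new line 52 ("so configuring them explicitly only makes sense for the earlier nginx versions") overstates the point: the defaults quoted on new lines 50-51 still admit SSLv3 and the whole HIGH group, so setting ssl_protocols and ssl_ciphers explicitly also makes sense on 1.0.5 and later for anyone who wants a narrower set than the default. Suggest "is only required for earlier nginx versions if the defaults are acceptable". The dirname-to-link replacement itself looks right.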
76 There are two ways to minimize the number of these operations per client: 77 There are two ways to minimize the number of these operations per client:
77 the first is by enabling keepalive connections to send several 78 the first is by enabling keepalive connections to send several
78 requests via one connection and the second is to reuse SSL session 79 requests via one connection and the second is to reuse SSL session
79 parameters to avoid SSL handshakes for parallel and subsequent connections. 80 parameters to avoid SSL handshakes for parallel and subsequent connections.
80 The sessions are stored in an SSL session cache shared between workers 81 The sessions are stored in an SSL session cache shared between workers
81 and configured by an <dirname>ssl_session_cache</dirname> directive. 82 and configured by the
83 <link doc="ngx_http_ssl_module.xml" id="ssl_session_cache"/>
84 directive.
82 One megabyte of the cache contains about 4000 sessions. 85 One megabyte of the cache contains about 4000 sessions.
83 The default cache timeout is 5 minutes. It can be increased by using 86 The default cache timeout is 5 minutes.
84 the <dirname>ssl_session_timeout</dirname> directive. 87 It can be increased by using the
88 <link doc="ngx_http_ssl_module.xml" id="ssl_session_timeout"/>
89 directive.
85 Here is a sample configuration optimized for a quad core system 90 Here is a sample configuration optimized for a quad core system
86 with 10M shared session cache: 91 with 10M shared session cache:
87 92
88 <programlisting> 93 <programlisting>
89 <b>worker_processes 4</b>; 94 <b>worker_processes 4</b>;
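Review bot: on new lines 86-89, "It can be increased by using the ssl_session_timeout directive" describes only one direction of what the directive does; it sets the session timeout, up or down, so "changed" or "set" would be more accurate than "increased". The split of the sentence across the link element is fine.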
126 131
127 <programlisting> 132 <programlisting>
128 $ cat www.nginx.com.crt bundle.crt > www.nginx.com.chained.crt 133 $ cat www.nginx.com.crt bundle.crt > www.nginx.com.chained.crt
129 </programlisting> 134 </programlisting>
130 135
131 The resulting file should be used in the <dirname>ssl_certificate</dirname> 136 The resulting file should be used in the
137 <link doc="ngx_http_ssl_module.xml" id="ssl_certificate"/>
132 directive: 138 directive:
133 139
134 <programlisting> 140 <programlisting>
135 server { 141 server {
136 listen 443; 142 listen 443;
214 seem equal, this may change significantly in the future 220 seem equal, this may change significantly in the future
215 and using a consolidated server may become problematic. 221 and using a consolidated server may become problematic.
216 However, if HTTP and HTTPS servers are equal, 222 However, if HTTP and HTTPS servers are equal,
217 and you prefer not to think about the future, 223 and you prefer not to think about the future,
218 you may configure a single server that handles both HTTP and HTTPS requests 224 you may configure a single server that handles both HTTP and HTTPS requests
219 by deleting the directive <dirname>ssl on</dirname> 225 by deleting the directive “<literal>ssl on</literal>”
220 and adding the <dirname>ssl</dirname> parameter for *:443 port: 226 and adding the <literal>ssl</literal> parameter for *:443 port:
221 227
222 <programlisting> 228 <programlisting>
223 server { 229 server {
224 listen 80; 230 listen 80;
225 listen 443 ssl; 231 listen 443 ssl;
229 ... 235 ...
230 } 236 }
231 </programlisting> 237 </programlisting>
232 238
233 <note> 239 <note>
234 Prior to 0.8.21, nginx only allows the <dirname>ssl</dirname> parameter 240 Prior to 0.8.21, nginx only allows the <literal>ssl</literal> parameter
235 to be set on listen sockets with the <dirname>default</dirname> parameter: 241 to be set on listen sockets with the <literal>default</literal> parameter:
236 <programlisting> 242 <programlisting>
237 listen 443 default ssl; 243 listen 443 default ssl;
238 </programlisting> 244 </programlisting>
239 </note> 245 </note>
240 </para> 246 </para>
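Review bot: new line 226, "adding the ssl parameter for *:443 port", reads awkwardly, and the listing that follows on new line 231 uses "listen 443 ssl;" with no "*:" prefix; suggest "adding the ssl parameter to the listen directive for port 443" so the prose matches the example. The wording in the note on lines 240-241 is consistent with this and needs no change.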
426 The SNI support status has been shown by the &ldquo;-V&rdquo; switch 432 The SNI support status has been shown by the &ldquo;-V&rdquo; switch
427 since 0.8.21 and 0.7.62. 433 since 0.8.21 and 0.7.62.
428 </item> 434 </item>
429 435
430 <item> 436 <item>
431 The <dirname>ssl</dirname> parameter of the <dirname>listen</dirname> 437 The <literal>ssl</literal> parameter of the
438 <link doc="ngx_http_core_module.xml" id="listen"/>
432 directive has been supported since 0.7.14. 439 directive has been supported since 0.7.14.
433 </item> 440 </item>
434 441
435 <item> 442 <item>
436 SNI has been supported since 0.5.32. 443 SNI has been supported since 0.5.32.
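Review bot: quoting style is now inconsistent within the file: context line 432 uses the &ldquo; and &rdquo; entities around "-V", while the new <literal> lines added by this commit (for example new lines 50-51) use raw “ ” characters. Pick one convention for the whole file, since both render the same but mixed usage invites drift.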
461 <para> 468 <para>
462 <list> 469 <list>
463 470
464 <item> 471 <item>
465 Version 1.0.5 and later: the default SSL ciphers are 472 Version 1.0.5 and later: the default SSL ciphers are
466 <dirname>HIGH:!aNULL:!MD5</dirname>. 473 “<literal>HIGH:!aNULL:!MD5</literal>”.
467 </item> 474 </item>
468 475
469 <item> 476 <item>
470 Version 0.7.65, 0.8.20 and later: the default SSL ciphers are 477 Version 0.7.65, 0.8.20 and later: the default SSL ciphers are
471 <dirname>HIGH:!ADH:!MD5</dirname>. 478 “<literal>HIGH:!ADH:!MD5</literal>”.
472 </item> 479 </item>
473 480
474 <item> 481 <item>
475 Version 0.8.19: the default SSL ciphers are 482 Version 0.8.19: the default SSL ciphers are
476 <dirname>ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM</dirname>. 483 “<literal>ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM</literal>”.
477 </item> 484 </item>
478 485
479 <item> 486 <item>
480 Version 0.7.64, 0.8.18 and earlier: the default SSL ciphers are<br/> 487 Version 0.7.64, 0.8.18 and earlier: the default SSL ciphers are<br/>
481 <dirname>ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP</dirname>. 488 “<literal>ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP</literal>”.
482 </item> 489 </item>
483 490
484 </list> 491 </list>
485 </para> 492 </para>
486 493
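Review bot: new line 487 keeps the <br/> before the cipher string in the last list item while the other three items (new lines 472-473, 477-478 and 482-483) have none; now that all four use the same quoted <literal> form, either drop the forced break or apply it to every item so the list renders uniformly.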