nginx-site: comparison xml/en/docs/http/configuring_https_servers.xml @ 271:4c6d2c614d2c
Cleaned up XML tag mess:
- all of <parameter> and <code>, and some of <dirname>, <value>,
and <command> were replaced by <literal>;
- the rest of <dirname> were replaced by links;
- <argument> were replaced by <value>;
- <value> is now rendered in HTML in italic;
- <literal> and <path> can now contain <value>.
Cleaned up terminology mess:
- directives take "parameters".
| author | Ruslan Ermilov <ru@nginx.com> |
|---|---|
| date | Fri, 23 Dec 2011 17:29:59 +0000 |
| parents | c09d374c86c6 |
| children | 95d5dc7c9884 |
270:945d7299c26c | 271:4c6d2c614d2c |
---|---|
41 Although the certificate and the key are stored in one file, | 41 Although the certificate and the key are stored in one file, |
42 only the certificate is sent to a client. | 42 only the certificate is sent to a client. |
43 </para> | 43 </para> |
44 | 44 |
45 <para> | 45 <para> |
46 The directives <dirname>ssl_protocols</dirname> and | 46 The directives <link doc="ngx_http_ssl_module.xml" id="ssl_protocols"/> and |
47 <dirname>ssl_ciphers</dirname> can be used to limit connections | 47 <link doc="ngx_http_ssl_module.xml" id="ssl_ciphers"/> |
48 can be used to limit connections | |
48 to include only the strong versions and ciphers of SSL/TLS. | 49 to include only the strong versions and ciphers of SSL/TLS. |
49 Since version 1.0.5, nginx uses <dirname>ssl_protocols SSLv3 TLSv1</dirname> | 50 Since version 1.0.5, nginx uses “<literal>ssl_protocols SSLv3 TLSv1</literal>” |
50 and <dirname>ssl_ciphers HIGH:!aNULL:!MD5</dirname> by default, | 51 and “<literal>ssl_ciphers HIGH:!aNULL:!MD5</literal>” by default, |
51 so configuring them explicitly only makes sense for the earlier nginx versions. | 52 so configuring them explicitly only makes sense for the earlier nginx versions. |
52 </para> | 53 </para> |
53 | 54 |
54 <para> | 55 <para> |
55 CBC-mode ciphers might be vulnerable to a number of attacks and to | 56 CBC-mode ciphers might be vulnerable to a number of attacks and to |
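Review bot: the typographic quotes wrapping the two new <literal> spans in the "Since version 1.0.5" sentence are raw non-ASCII characters rather than entities; confirm the XML source declares an encoding that covers them (or use numeric character references such as &#8220; and &#8221;) so the build does not break on them. The quoting rule this hunk establishes, quotes around a complete "directive parameter" string but none around a bare directive name such as the two new <link> elements in the preceding sentence, should be applied the same way in the rest of the file.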
76 There are two ways to minimize the number of these operations per client: | 77 There are two ways to minimize the number of these operations per client: |
77 the first is by enabling keepalive connections to send several | 78 the first is by enabling keepalive connections to send several |
78 requests via one connection and the second is to reuse SSL session | 79 requests via one connection and the second is to reuse SSL session |
79 parameters to avoid SSL handshakes for parallel and subsequent connections. | 80 parameters to avoid SSL handshakes for parallel and subsequent connections. |
80 The sessions are stored in an SSL session cache shared between workers | 81 The sessions are stored in an SSL session cache shared between workers |
81 and configured by an <dirname>ssl_session_cache</dirname> directive. | 82 and configured by the |
83 <link doc="ngx_http_ssl_module.xml" id="ssl_session_cache"/> | |
84 directive. | |
82 One megabyte of the cache contains about 4000 sessions. | 85 One megabyte of the cache contains about 4000 sessions. |
83 The default cache timeout is 5 minutes. It can be increased by using | 86 The default cache timeout is 5 minutes. |
84 the <dirname>ssl_session_timeout</dirname> directive. | 87 It can be increased by using the |
88 <link doc="ngx_http_ssl_module.xml" id="ssl_session_timeout"/> | |
89 directive. | |
85 Here is a sample configuration optimized for a quad core system | 90 Here is a sample configuration optimized for a quad core system |
86 with 10M shared session cache: | 91 with 10M shared session cache: |
87 | 92 |
88 <programlisting> | 93 <programlisting> |
89 <b>worker_processes 4</b>; | 94 <b>worker_processes 4</b>; |
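Review bot: the <b>worker_processes 4</b> highlight inside the sample programlisting is left untouched while this commit retires <dirname>, <code> and <parameter>; if <b> is the accepted markup for emphasising a line inside a listing, note that in the commit message, otherwise fold it into the same cleanup. The reflow that puts each <link .../> and the trailing "directive." on their own lines is harmless, since whitespace inside <para> collapses, and the rendered text "configured by the ssl_session_cache directive" is why the article change from "an" to "the" is needed.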
126 | 131 |
127 <programlisting> | 132 <programlisting> |
128 $ cat www.nginx.com.crt bundle.crt > www.nginx.com.chained.crt | 133 $ cat www.nginx.com.crt bundle.crt > www.nginx.com.chained.crt |
129 </programlisting> | 134 </programlisting> |
130 | 135 |
131 The resulting file should be used in the <dirname>ssl_certificate</dirname> | 136 The resulting file should be used in the |
137 <link doc="ngx_http_ssl_module.xml" id="ssl_certificate"/> | |
132 directive: | 138 directive: |
133 | 139 |
134 <programlisting> | 140 <programlisting> |
135 server { | 141 server { |
136 listen 443; | 142 listen 443; |
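Review bot: the new ssl_certificate link follows the doc="ngx_http_ssl_module.xml" id="<directive name>" pattern used throughout the patch, which only renders correctly if every referenced id exists as an anchor in that document; a build-time check that all link ids resolve would turn a typo into a build error instead of a dead link for the reader. The cat command in the listing puts the server certificate before bundle.crt, which is the order a chained certificate file must have, so keep the filenames in that order if the prose is ever reworded.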
214 seem equal, this may change significantly in the future | 220 seem equal, this may change significantly in the future |
215 and using a consolidated server may become problematic. | 221 and using a consolidated server may become problematic. |
216 However, if HTTP and HTTPS servers are equal, | 222 However, if HTTP and HTTPS servers are equal, |
217 and you prefer not to think about the future, | 223 and you prefer not to think about the future, |
218 you may configure a single server that handles both HTTP and HTTPS requests | 224 you may configure a single server that handles both HTTP and HTTPS requests |
219 by deleting the directive <dirname>ssl on</dirname> | 225 by deleting the directive “<literal>ssl on</literal>” |
220 and adding the <dirname>ssl</dirname> parameter for *:443 port: | 226 and adding the <literal>ssl</literal> parameter for *:443 port: |
221 | 227 |
222 <programlisting> | 228 <programlisting> |
223 server { | 229 server { |
224 listen 80; | 230 listen 80; |
225 listen 443 ssl; | 231 listen 443 ssl; |
229 ... | 235 ... |
230 } | 236 } |
231 </programlisting> | 237 </programlisting> |
232 | 238 |
233 <note> | 239 <note> |
234 Prior to 0.8.21, nginx only allows the <dirname>ssl</dirname> parameter | 240 Prior to 0.8.21, nginx only allows the <literal>ssl</literal> parameter |
235 to be set on listen sockets with the <dirname>default</dirname> parameter: | 241 to be set on listen sockets with the <literal>default</literal> parameter: |
236 <programlisting> | 242 <programlisting> |
237 listen 443 default ssl; | 243 listen 443 default ssl; |
238 </programlisting> | 244 </programlisting> |
239 </note> | 245 </note> |
240 </para> | 246 </para> |
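Review bot: "*:443" in "adding the ssl parameter for *:443 port" is left as plain text while the neighbouring ssl and default tokens become <literal>; wrap it as <literal>*:443</literal> and read "for the *:443 port" for grammar. The quoting is consistent with the first hunk: the complete directive “ssl on” gets typographic quotes, the bare parameter names ssl and default do not. The listen 443 default ssl line inside the <note> programlisting needs no extra markup.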
426 The SNI support status has been shown by the “-V” switch | 432 The SNI support status has been shown by the “-V” switch |
427 since 0.8.21 and 0.7.62. | 433 since 0.8.21 and 0.7.62. |
428 </item> | 434 </item> |
429 | 435 |
430 <item> | 436 <item> |
431 The <dirname>ssl</dirname> parameter of the <dirname>listen</dirname> | 437 The <literal>ssl</literal> parameter of the |
438 <link doc="ngx_http_core_module.xml" id="listen"/> | |
432 directive has been supported since 0.7.14. | 439 directive has been supported since 0.7.14. |
433 </item> | 440 </item> |
434 | 441 |
435 <item> | 442 <item> |
436 SNI has been supported since 0.5.32. | 443 SNI has been supported since 0.5.32. |
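Review bot: the “-V” switch in the SNI item keeps typographic quotes without <literal>, whereas this commit wraps comparable tokens (the ssl parameter two items below) in <literal>; change it to <literal>-V</literal> for consistency. Pointing the listen link at ngx_http_core_module.xml rather than ngx_http_ssl_module.xml is correct because listen belongs to the core module; it is the one link in the patch with a different doc attribute, so it is the one worth double-checking after the build.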
461 <para> | 468 <para> |
462 <list> | 469 <list> |
463 | 470 |
464 <item> | 471 <item> |
465 Version 1.0.5 and later: the default SSL ciphers are | 472 Version 1.0.5 and later: the default SSL ciphers are |
466 <dirname>HIGH:!aNULL:!MD5</dirname>. | 473 “<literal>HIGH:!aNULL:!MD5</literal>”. |
467 </item> | 474 </item> |
468 | 475 |
469 <item> | 476 <item> |
470 Version 0.7.65, 0.8.20 and later: the default SSL ciphers are | 477 Version 0.7.65, 0.8.20 and later: the default SSL ciphers are |
471 <dirname>HIGH:!ADH:!MD5</dirname>. | 478 “<literal>HIGH:!ADH:!MD5</literal>”. |
472 </item> | 479 </item> |
473 | 480 |
474 <item> | 481 <item> |
475 Version 0.8.19: the default SSL ciphers are | 482 Version 0.8.19: the default SSL ciphers are |
476 <dirname>ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM</dirname>. | 483 “<literal>ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM</literal>”. |
477 </item> | 484 </item> |
478 | 485 |
479 <item> | 486 <item> |
480 Version 0.7.64, 0.8.18 and earlier: the default SSL ciphers are<br/> | 487 Version 0.7.64, 0.8.18 and earlier: the default SSL ciphers are<br/> |
481 <dirname>ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP</dirname>. | 488 “<literal>ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP</literal>”. |
482 </item> | 489 </item> |
483 | 490 |
484 </list> | 491 </list> |
485 </para> | 492 </para> |
486 | 493 |
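Review bot: the <br/> before the longest cipher string (the 0.7.64/0.8.18 item) is the only forced line break in the list; now that each cipher list is a quoted <literal>, either drop that <br/> or add one to the other three items so the four entries render alike. Marking the exact OpenSSL cipher-list strings as <literal> rather than <dirname> is the right call, since they are parameter values and not directive names, matching the "directives take parameters" rule stated in the commit message.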