comparison xml/en/docs/http/configuring_https_servers.xml @ 659:77a3314c74a7
Avoid the uses of second person.
author | Ruslan Ermilov <ru@nginx.com> |
---|---|
date | Tue, 28 Aug 2012 09:23:40 +0000 |
parents | bd81a71006fe |
children | ba45bd0fc71e |
658:bd81a71006fe | 659:77a3314c74a7 |
---|---|
13 editor="Brian Mercer"> | 13 editor="Brian Mercer"> |
14 | 14 |
15 <section> | 15 <section> |
16 | 16 |
17 <para> | 17 <para> |
18 To configure an HTTPS server you must enable the SSL protocol | 18 To configure an HTTPS server, the SSL protocol must be enabled |
19 in the server block, and specify the locations of the server certificate | 19 in the server block, and the locations of the server certificate |
20 and private key files: | 20 and private key files should be specified: |
21 | 21 |
22 <programlisting> | 22 <programlisting> |
23 server { | 23 server { |
24 listen 443; | 24 listen 443; |
25 server_name www.example.com; | 25 server_name www.example.com; |
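
Review bot: in lines 18-20 the rewrite weakens the second requirement. The old text put both actions under "you must" (enable SSL, and specify the certificate and private key locations), while the new text says the locations "should be specified". To keep the original meaning, use "and the locations of the server certificate and private key files must be specified:".
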
77 | 77 |
78 <section id="optimization" name="HTTPS server optimization"> | 78 <section id="optimization" name="HTTPS server optimization"> |
79 | 79 |
80 <para> | 80 <para> |
81 SSL operations consume extra CPU resources. | 81 SSL operations consume extra CPU resources. |
82 On multi-processor systems you should run several worker processes: | 82 On multi-processor systems several worker processes should be run, |
83 no less than the number of available CPU cores. | 83 no less than the number of available CPU cores. |
84 The most CPU-intensive operation is the SSL handshake. | 84 The most CPU-intensive operation is the SSL handshake. |
85 There are two ways to minimize the number of these operations per client: | 85 There are two ways to minimize the number of these operations per client: |
86 the first is by enabling keepalive connections to send several | 86 the first is by enabling keepalive connections to send several |
87 requests via one connection and the second is to reuse SSL session | 87 requests via one connection and the second is to reuse SSL session |
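
Review bot: on line 82 the passive rewrite replaces the colon with a comma, which leaves "no less than the number of available CPU cores" hanging off "should be run". Suggest either keeping the colon or rephrasing as "On multi-processor systems, at least as many worker processes as there are available CPU cores should be run."
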
173 Browsers usually store intermediate certificates which they receive | 173 Browsers usually store intermediate certificates which they receive |
174 and which are signed by trusted authorities, so actively used browsers | 174 and which are signed by trusted authorities, so actively used browsers |
175 may already have the required intermediate certificates and | 175 may already have the required intermediate certificates and |
176 may not complain about a certificate sent without a chained bundle. | 176 may not complain about a certificate sent without a chained bundle. |
177 To ensure the server sends the complete certificate chain, | 177 To ensure the server sends the complete certificate chain, |
178 you may use the <command>openssl</command> command-line utility, for example: | 178 the <command>openssl</command> command-line utility may be used, for example: |
179 | 179 |
180 <programlisting> | 180 <programlisting> |
181 $ openssl s_client -connect www.godaddy.com:443 | 181 $ openssl s_client -connect www.godaddy.com:443 |
182 ... | 182 ... |
183 Certificate chain | 183 Certificate chain |
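
Review bot: on lines 177-178 the passive form leaves "To ensure the server sends the complete certificate chain" with no subject to attach to, and the command that follows displays the chain rather than ensuring anything. Suggest "To check that the server sends the complete certificate chain, the <command>openssl</command> command-line utility may be used, for example:".
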
211 whose certificate is stored in the browsers’ built-in | 211 whose certificate is stored in the browsers’ built-in |
212 certificate base (that lay in the house that Jack built). | 212 certificate base (that lay in the house that Jack built). |
213 </para> | 213 </para> |
214 | 214 |
215 <para> | 215 <para> |
216 If you have not added the certificates bundle, you will see only your server | 216 If a certificate bundle has not been added, only the server certificate #0 |
217 certificate #0. | 217 will be shown. |
218 </para> | 218 </para> |
219 | 219 |
220 </section> | 220 </section> |
221 | 221 |
222 | 222 |
223 <section id="single_http_https_server" name="A single HTTP/HTTPS server"> | 223 <section id="single_http_https_server" name="A single HTTP/HTTPS server"> |
224 | 224 |
225 <para> | 225 <para> |
226 It is good practice to configure separate servers for HTTP and HTTPS | 226 If HTTP and HTTPS servers are equal, |
227 protocols from the very start. Although their functionalities currently | 227 a single server that handles both HTTP and HTTPS requests may be configured |
228 seem equal, this may change significantly in the future | |
229 and using a consolidated server may become problematic. | |
230 However, if HTTP and HTTPS servers are equal, | |
231 and you prefer not to think about the future, | |
232 you may configure a single server that handles both HTTP and HTTPS requests | |
233 by deleting the directive “<literal>ssl on</literal>” | 228 by deleting the directive “<literal>ssl on</literal>” |
234 and adding the <literal>ssl</literal> parameter for *:443 port: | 229 and adding the <literal>ssl</literal> parameter for *:443 port: |
235 | 230 |
236 <programlisting> | 231 <programlisting> |
237 server { | 232 server { |
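
Review bot: lines 226-232 do more than remove the second person. The recommendation that "It is good practice to configure separate servers for HTTP and HTTPS protocols from the very start" and the caution that a consolidated server "may become problematic" are deleted outright, which the commit message does not mention. Either keep that guidance in impersonal form ahead of "If HTTP and HTTPS servers are equal," or remove it in a separate commit with its own rationale. The rewording of lines 216-217 reads fine.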