Mercurial > hg > nginx-site
comparison xml/en/docs/http/configuring_https_servers.xml @ 490:9913f1d51c07
Replaced "nginx" domain names with example domains.
| author | Ruslan Ermilov <ru@nginx.com> |
|---|---|
| date | Thu, 19 Apr 2012 12:30:24 +0000 |
| parents | 6135f3c95bf6 |
| children | be54c443235a |
comparison
equal
deleted
inserted
replaced
| 489:2abd1998a0cc | 490:9913f1d51c07 |
|---|---|
| 14 and private key files: | 14 and private key files: |
| 15 | 15 |
| 16 <programlisting> | 16 <programlisting> |
| 17 server { | 17 server { |
| 18 listen 443; | 18 listen 443; |
| 19 server_name www.nginx.com; | 19 server_name www.example.com; |
| 20 ssl on; | 20 ssl on; |
| 21 ssl_certificate www.nginx.com.crt; | 21 ssl_certificate www.example.com.crt; |
| 22 ssl_certificate_key www.nginx.com.key; | 22 ssl_certificate_key www.example.com.key; |
| 23 ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; | 23 ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; |
| 24 ssl_ciphers HIGH:!aNULL:!MD5; | 24 ssl_ciphers HIGH:!aNULL:!MD5; |
| 25 ... | 25 ... |
| 26 } | 26 } |
| 27 </programlisting> | 27 </programlisting> |
| 31 The private key is a secure entity and should be stored in a file with | 31 The private key is a secure entity and should be stored in a file with |
| 32 restricted access, however, it must be readable by nginx’s master process. | 32 restricted access, however, it must be readable by nginx’s master process. |
| 33 The private key may alternately be stored in the same file as the certificate: | 33 The private key may alternately be stored in the same file as the certificate: |
| 34 | 34 |
| 35 <programlisting> | 35 <programlisting> |
| 36 ssl_certificate www.nginx.com.cert; | 36 ssl_certificate www.example.com.cert; |
| 37 ssl_certificate_key www.nginx.com.cert; | 37 ssl_certificate_key www.example.com.cert; |
| 38 </programlisting> | 38 </programlisting> |
| 39 | 39 |
| 40 in which case the file access rights should also be restricted. | 40 in which case the file access rights should also be restricted. |
| 41 Although the certificate and the key are stored in one file, | 41 Although the certificate and the key are stored in one file, |
| 42 only the certificate is sent to a client. | 42 only the certificate is sent to a client. |
| 99 <b>ssl_session_cache shared:SSL:10m</b>; | 99 <b>ssl_session_cache shared:SSL:10m</b>; |
| 100 <b>ssl_session_timeout 10m</b>; | 100 <b>ssl_session_timeout 10m</b>; |
| 101 | 101 |
| 102 server { | 102 server { |
| 103 listen 443; | 103 listen 443; |
| 104 server_name www.nginx.com; | 104 server_name www.example.com; |
| 105 <b>keepalive_timeout 70</b>; | 105 <b>keepalive_timeout 70</b>; |
| 106 | 106 |
| 107 ssl on; | 107 ssl on; |
| 108 ssl_certificate www.nginx.com.crt; | 108 ssl_certificate www.example.com.crt; |
| 109 ssl_certificate_key www.nginx.com.key; | 109 ssl_certificate_key www.example.com.key; |
| 110 ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; | 110 ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; |
| 111 ssl_ciphers HIGH:!aNULL:!MD5; | 111 ssl_ciphers HIGH:!aNULL:!MD5; |
| 112 ... | 112 ... |
| 113 </programlisting> | 113 </programlisting> |
| 114 </para> | 114 </para> |
| 130 which should be concatenated to the signed server certificate. | 130 which should be concatenated to the signed server certificate. |
| 131 The server certificate must appear before the chained certificates | 131 The server certificate must appear before the chained certificates |
| 132 in the combined file: | 132 in the combined file: |
| 133 | 133 |
| 134 <programlisting> | 134 <programlisting> |
| 135 $ cat www.nginx.com.crt bundle.crt > www.nginx.com.chained.crt | 135 $ cat www.example.com.crt bundle.crt > www.example.com.chained.crt |
| 136 </programlisting> | 136 </programlisting> |
| 137 | 137 |
| 138 The resulting file should be used in the | 138 The resulting file should be used in the |
| 139 <link doc="ngx_http_ssl_module.xml" id="ssl_certificate"/> | 139 <link doc="ngx_http_ssl_module.xml" id="ssl_certificate"/> |
| 140 directive: | 140 directive: |
| 141 | 141 |
| 142 <programlisting> | 142 <programlisting> |
| 143 server { | 143 server { |
| 144 listen 443; | 144 listen 443; |
| 145 server_name www.nginx.com; | 145 server_name www.example.com; |
| 146 ssl on; | 146 ssl on; |
| 147 ssl_certificate www.nginx.com.chained.crt; | 147 ssl_certificate www.example.com.chained.crt; |
| 148 ssl_certificate_key www.nginx.com.key; | 148 ssl_certificate_key www.example.com.key; |
| 149 ... | 149 ... |
| 150 } | 150 } |
| 151 </programlisting> | 151 </programlisting> |
| 152 | 152 |
| 153 If the server certificate and the bundle have been concatenated in the wrong | 153 If the server certificate and the bundle have been concatenated in the wrong |
| 154 order, nginx will fail to start and will display the error message: | 154 order, nginx will fail to start and will display the error message: |
| 155 | 155 |
| 156 <programlisting> | 156 <programlisting> |
| 157 SSL_CTX_use_PrivateKey_file(" ... /www.nginx.com.key") failed | 157 SSL_CTX_use_PrivateKey_file(" ... /www.example.com.key") failed |
| 158 (SSL: error:0B080074:x509 certificate routines: | 158 (SSL: error:0B080074:x509 certificate routines: |
| 159 X509_check_private_key:key values mismatch) | 159 X509_check_private_key:key values mismatch) |
| 160 </programlisting> | 160 </programlisting> |
| 161 | 161 |
| 162 because nginx has tried to use the private key with the bundle’s | 162 because nginx has tried to use the private key with the bundle’s |
| 229 | 229 |
| 230 <programlisting> | 230 <programlisting> |
| 231 server { | 231 server { |
| 232 listen 80; | 232 listen 80; |
| 233 listen 443 ssl; | 233 listen 443 ssl; |
| 234 server_name www.nginx.com; | 234 server_name www.example.com; |
| 235 ssl_certificate www.nginx.com.crt; | 235 ssl_certificate www.example.com.crt; |
| 236 ssl_certificate_key www.nginx.com.key; | 236 ssl_certificate_key www.example.com.key; |
| 237 ... | 237 ... |
| 238 } | 238 } |
| 239 </programlisting> | 239 </programlisting> |
| 240 | 240 |
| 241 <note> | 241 <note> |
| 257 listening on a single IP address: | 257 listening on a single IP address: |
| 258 | 258 |
| 259 <programlisting> | 259 <programlisting> |
| 260 server { | 260 server { |
| 261 listen 443; | 261 listen 443; |
| 262 server_name www.nginx.com; | 262 server_name www.example.com; |
| 263 ssl on; | 263 ssl on; |
| 264 ssl_certificate www.nginx.com.crt; | 264 ssl_certificate www.example.com.crt; |
| 265 ... | 265 ... |
| 266 } | 266 } |
| 267 | 267 |
| 268 server { | 268 server { |
| 269 listen 443; | 269 listen 443; |
| 270 server_name www.nginx.org; | 270 server_name www.example.org; |
| 271 ssl on; | 271 ssl on; |
| 272 ssl_certificate www.nginx.org.crt; | 272 ssl_certificate www.example.org.crt; |
| 273 ... | 273 ... |
| 274 } | 274 } |
| 275 </programlisting> | 275 </programlisting> |
| 276 | 276 |
| 277 With this configuration a browser receives the certificate of the default | 277 With this configuration a browser receives the certificate of the default |
| 278 server, i.e., <url>www.nginx.com</url> regardless of the requested server name. | 278 server, i.e., <url>www.example.com</url> regardless of the requested server name. |
| 279 This is caused by SSL protocol behaviour. The SSL connection is established | 279 This is caused by SSL protocol behaviour. The SSL connection is established |
| 280 before the browser sends an HTTP request and nginx does not know | 280 before the browser sends an HTTP request and nginx does not know |
| 281 the name of the requested server. Therefore, it may only offer the certificate | 281 the name of the requested server. Therefore, it may only offer the certificate |
| 282 of the default server. | 282 of the default server. |
| 283 </para> | 283 </para> |
| 287 is to assign a separate IP address for every HTTPS server: | 287 is to assign a separate IP address for every HTTPS server: |
| 288 | 288 |
| 289 <programlisting> | 289 <programlisting> |
| 290 server { | 290 server { |
| 291 listen 192.168.1.1:443; | 291 listen 192.168.1.1:443; |
| 292 server_name www.nginx.com; | 292 server_name www.example.com; |
| 293 ssl on; | 293 ssl on; |
| 294 ssl_certificate www.nginx.com.crt; | 294 ssl_certificate www.example.com.crt; |
| 295 ... | 295 ... |
| 296 } | 296 } |
| 297 | 297 |
| 298 server { | 298 server { |
| 299 listen 192.168.1.2:443; | 299 listen 192.168.1.2:443; |
| 300 server_name www.nginx.org; | 300 server_name www.example.org; |
| 301 ssl on; | 301 ssl on; |
| 302 ssl_certificate www.nginx.org.crt; | 302 ssl_certificate www.example.org.crt; |
| 303 ... | 303 ... |
| 304 } | 304 } |
| 305 </programlisting> | 305 </programlisting> |
| 306 </para> | 306 </para> |
| 307 | 307 |
| 313 | 313 |
| 314 <para> | 314 <para> |
| 315 There are other ways to share a single IP address between several | 315 There are other ways to share a single IP address between several |
| 316 HTTPS servers, however, all of them have drawbacks. | 316 HTTPS servers, however, all of them have drawbacks. |
| 317 One way is to use a certificate with several names in | 317 One way is to use a certificate with several names in |
| 318 the SubjectAltName certificate field, for example, <url>www.nginx.com</url> | 318 the SubjectAltName certificate field, for example, <url>www.example.com</url> |
| 319 and <url>www.nginx.org</url>. | 319 and <url>www.example.org</url>. |
| 320 However, the SubjectAltName field length is limited. | 320 However, the SubjectAltName field length is limited. |
| 321 </para> | 321 </para> |
| 322 | 322 |
| 323 <para> | 323 <para> |
| 324 Another way is to use a certificate with a wildcard name, for example, | 324 Another way is to use a certificate with a wildcard name, for example, |
| 325 <url>*.nginx.org</url>. This certificate matches | 325 <url>*.example.org</url>. This certificate matches |
| 326 <url>www.nginx.org</url>, but does not match <url>nginx.org</url> | 326 <url>www.example.org</url>, but does not match <url>example.org</url> |
| 327 and <url>www.sub.nginx.org</url>. These two methods can also be combined. | 327 and <url>www.sub.example.org</url>. These two methods can also be combined. |
| 328 A certificate may contain exact and wildcard names in the SubjectAltName field, | 328 A certificate may contain exact and wildcard names in the SubjectAltName field, |
| 329 for example, <url>nginx.org</url> and <url>*.nginx.org</url>. | 329 for example, <url>example.org</url> and <url>*.example.org</url>. |
| 330 </para> | 330 </para> |
| 331 | 331 |
| 332 <para> | 332 <para> |
| 333 It is better to place a certificate file with several names and | 333 It is better to place a certificate file with several names and |
| 334 its private key file at the <i>http</i> level of configuration | 334 its private key file at the <i>http</i> level of configuration |
| 338 ssl_certificate common.crt; | 338 ssl_certificate common.crt; |
| 339 ssl_certificate_key common.key; | 339 ssl_certificate_key common.key; |
| 340 | 340 |
| 341 server { | 341 server { |
| 342 listen 443; | 342 listen 443; |
| 343 server_name www.nginx.com; | 343 server_name www.example.com; |
| 344 ssl on; | 344 ssl on; |
| 345 ... | 345 ... |
| 346 } | 346 } |
| 347 | 347 |
| 348 server { | 348 server { |
| 349 listen 443; | 349 listen 443; |
| 350 server_name www.nginx.org; | 350 server_name www.example.org; |
| 351 ssl on; | 351 ssl on; |
| 352 ... | 352 ... |
| 353 } | 353 } |
| 354 </programlisting> | 354 </programlisting> |
| 355 </para> | 355 </para> |