comparison xml/en/docs/http/configuring_https_servers.xml @ 490:9913f1d51c07
Replaced "nginx" domain names with example domains.
author | Ruslan Ermilov <ru@nginx.com>
---|---
date | Thu, 19 Apr 2012 12:30:24 +0000
parents | 6135f3c95bf6
children | be54c443235a
489:2abd1998a0cc | 490:9913f1d51c07 |
---|---|
14 and private key files: | 14 and private key files: |
15 | 15 |
16 <programlisting> | 16 <programlisting> |
17 server { | 17 server { |
18 listen 443; | 18 listen 443; |
19 server_name www.nginx.com; | 19 server_name www.example.com; |
20 ssl on; | 20 ssl on; |
21 ssl_certificate www.nginx.com.crt; | 21 ssl_certificate www.example.com.crt; |
22 ssl_certificate_key www.nginx.com.key; | 22 ssl_certificate_key www.example.com.key; |
23 ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; | 23 ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; |
24 ssl_ciphers HIGH:!aNULL:!MD5; | 24 ssl_ciphers HIGH:!aNULL:!MD5; |
25 ... | 25 ... |
26 } | 26 } |
27 </programlisting> | 27 </programlisting> |
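Review bot: lines 18 and 20 enable TLS with the `listen 443;` plus `ssl on;` pair, whereas the listing at line 233 later in this same file uses the single-directive form `listen 443 ssl;`; the domain substitution leaves both idioms in place, so a reader comparing the examples sees two ways of saying the same thing. Normalising the earlier listings to `listen 443 ssl;` would be a reasonable follow-up, though it is out of scope for a domain-only change.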
31 The private key is a secure entity and should be stored in a file with | 31 The private key is a secure entity and should be stored in a file with |
32 restricted access, however, it must be readable by nginx’s master process. | 32 restricted access, however, it must be readable by nginx’s master process. |
33 The private key may alternately be stored in the same file as the certificate: | 33 The private key may alternately be stored in the same file as the certificate: |
34 | 34 |
35 <programlisting> | 35 <programlisting> |
36 ssl_certificate www.nginx.com.cert; | 36 ssl_certificate www.example.com.cert; |
37 ssl_certificate_key www.nginx.com.cert; | 37 ssl_certificate_key www.example.com.cert; |
38 </programlisting> | 38 </programlisting> |
39 | 39 |
40 in which case the file access rights should also be restricted. | 40 in which case the file access rights should also be restricted. |
41 Although the certificate and the key are stored in one file, | 41 Although the certificate and the key are stored in one file, |
42 only the certificate is sent to a client. | 42 only the certificate is sent to a client. |
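Review bot: lines 36 and 37 name the combined certificate-and-key file `www.example.com.cert`, while every other listing in this change uses the `.crt` suffix (`www.example.com.crt` at lines 21 and 108, `www.example.com.chained.crt` at line 147). Since the rename rewrites these two lines anyway, either normalise the suffix to `.crt` or keep `.cert` deliberately and say so in the text, because the distinct name is the only visible hint that this file also holds the private key and, as line 40 says, needs restricted access rights.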
99 <b>ssl_session_cache shared:SSL:10m</b>; | 99 <b>ssl_session_cache shared:SSL:10m</b>; |
100 <b>ssl_session_timeout 10m</b>; | 100 <b>ssl_session_timeout 10m</b>; |
101 | 101 |
102 server { | 102 server { |
103 listen 443; | 103 listen 443; |
104 server_name www.nginx.com; | 104 server_name www.example.com; |
105 <b>keepalive_timeout 70</b>; | 105 <b>keepalive_timeout 70</b>; |
106 | 106 |
107 ssl on; | 107 ssl on; |
108 ssl_certificate www.nginx.com.crt; | 108 ssl_certificate www.example.com.crt; |
109 ssl_certificate_key www.nginx.com.key; | 109 ssl_certificate_key www.example.com.key; |
110 ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; | 110 ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; |
111 ssl_ciphers HIGH:!aNULL:!MD5; | 111 ssl_ciphers HIGH:!aNULL:!MD5; |
112 ... | 112 ... |
113 </programlisting> | 113 </programlisting> |
114 </para> | 114 </para> |
130 which should be concatenated to the signed server certificate. | 130 which should be concatenated to the signed server certificate. |
131 The server certificate must appear before the chained certificates | 131 The server certificate must appear before the chained certificates |
132 in the combined file: | 132 in the combined file: |
133 | 133 |
134 <programlisting> | 134 <programlisting> |
135 $ cat www.nginx.com.crt bundle.crt > www.nginx.com.chained.crt | 135 $ cat www.example.com.crt bundle.crt > www.example.com.chained.crt |
136 </programlisting> | 136 </programlisting> |
137 | 137 |
138 The resulting file should be used in the | 138 The resulting file should be used in the |
139 <link doc="ngx_http_ssl_module.xml" id="ssl_certificate"/> | 139 <link doc="ngx_http_ssl_module.xml" id="ssl_certificate"/> |
140 directive: | 140 directive: |
141 | 141 |
142 <programlisting> | 142 <programlisting> |
143 server { | 143 server { |
144 listen 443; | 144 listen 443; |
145 server_name www.nginx.com; | 145 server_name www.example.com; |
146 ssl on; | 146 ssl on; |
147 ssl_certificate www.nginx.com.chained.crt; | 147 ssl_certificate www.example.com.chained.crt; |
148 ssl_certificate_key www.nginx.com.key; | 148 ssl_certificate_key www.example.com.key; |
149 ... | 149 ... |
150 } | 150 } |
151 </programlisting> | 151 </programlisting> |
152 | 152 |
153 If the server certificate and the bundle have been concatenated in the wrong | 153 If the server certificate and the bundle have been concatenated in the wrong |
154 order, nginx will fail to start and will display the error message: | 154 order, nginx will fail to start and will display the error message: |
155 | 155 |
156 <programlisting> | 156 <programlisting> |
157 SSL_CTX_use_PrivateKey_file(" ... /www.nginx.com.key") failed | 157 SSL_CTX_use_PrivateKey_file(" ... /www.example.com.key") failed |
158 (SSL: error:0B080074:x509 certificate routines: | 158 (SSL: error:0B080074:x509 certificate routines: |
159 X509_check_private_key:key values mismatch) | 159 X509_check_private_key:key values mismatch) |
160 </programlisting> | 160 </programlisting> |
161 | 161 |
162 because nginx has tried to use the private key with the bundle’s | 162 because nginx has tried to use the private key with the bundle’s |
229 | 229 |
230 <programlisting> | 230 <programlisting> |
231 server { | 231 server { |
232 listen 80; | 232 listen 80; |
233 listen 443 ssl; | 233 listen 443 ssl; |
234 server_name www.nginx.com; | 234 server_name www.example.com; |
235 ssl_certificate www.nginx.com.crt; | 235 ssl_certificate www.example.com.crt; |
236 ssl_certificate_key www.nginx.com.key; | 236 ssl_certificate_key www.example.com.key; |
237 ... | 237 ... |
238 } | 238 } |
239 </programlisting> | 239 </programlisting> |
240 | 240 |
241 <note> | 241 <note> |
257 listening on a single IP address: | 257 listening on a single IP address: |
258 | 258 |
259 <programlisting> | 259 <programlisting> |
260 server { | 260 server { |
261 listen 443; | 261 listen 443; |
262 server_name www.nginx.com; | 262 server_name www.example.com; |
263 ssl on; | 263 ssl on; |
264 ssl_certificate www.nginx.com.crt; | 264 ssl_certificate www.example.com.crt; |
265 ... | 265 ... |
266 } | 266 } |
267 | 267 |
268 server { | 268 server { |
269 listen 443; | 269 listen 443; |
270 server_name www.nginx.org; | 270 server_name www.example.org; |
271 ssl on; | 271 ssl on; |
272 ssl_certificate www.nginx.org.crt; | 272 ssl_certificate www.example.org.crt; |
273 ... | 273 ... |
274 } | 274 } |
275 </programlisting> | 275 </programlisting> |
276 | 276 |
277 With this configuration a browser receives the certificate of the default | 277 With this configuration a browser receives the certificate of the default |
278 server, i.e., <url>www.nginx.com</url> regardless of the requested server name. | 278 server, i.e., <url>www.example.com</url> regardless of the requested server name. |
279 This is caused by SSL protocol behaviour. The SSL connection is established | 279 This is caused by SSL protocol behaviour. The SSL connection is established |
280 before the browser sends an HTTP request and nginx does not know | 280 before the browser sends an HTTP request and nginx does not know |
281 the name of the requested server. Therefore, it may only offer the certificate | 281 the name of the requested server. Therefore, it may only offer the certificate |
282 of the default server. | 282 of the default server. |
283 </para> | 283 </para> |
287 is to assign a separate IP address for every HTTPS server: | 287 is to assign a separate IP address for every HTTPS server: |
288 | 288 |
289 <programlisting> | 289 <programlisting> |
290 server { | 290 server { |
291 listen 192.168.1.1:443; | 291 listen 192.168.1.1:443; |
292 server_name www.nginx.com; | 292 server_name www.example.com; |
293 ssl on; | 293 ssl on; |
294 ssl_certificate www.nginx.com.crt; | 294 ssl_certificate www.example.com.crt; |
295 ... | 295 ... |
296 } | 296 } |
297 | 297 |
298 server { | 298 server { |
299 listen 192.168.1.2:443; | 299 listen 192.168.1.2:443; |
300 server_name www.nginx.org; | 300 server_name www.example.org; |
301 ssl on; | 301 ssl on; |
302 ssl_certificate www.nginx.org.crt; | 302 ssl_certificate www.example.org.crt; |
303 ... | 303 ... |
304 } | 304 } |
305 </programlisting> | 305 </programlisting> |
306 </para> | 306 </para> |
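Review bot: with the server names at lines 292 and 300 moved to reserved example domains, the `listen` addresses `192.168.1.1` and `192.168.1.2` at lines 291 and 299 are the one remaining non-example value in these listings; they are private RFC 1918 addresses, so they are harmless, but the RFC 5737 documentation range (`192.0.2.1` and `192.0.2.2`, for instance) would match the intent of this change more closely.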
307 | 307 |
313 | 313 |
314 <para> | 314 <para> |
315 There are other ways to share a single IP address between several | 315 There are other ways to share a single IP address between several |
316 HTTPS servers, however, all of them have drawbacks. | 316 HTTPS servers, however, all of them have drawbacks. |
317 One way is to use a certificate with several names in | 317 One way is to use a certificate with several names in |
318 the SubjectAltName certificate field, for example, <url>www.nginx.com</url> | 318 the SubjectAltName certificate field, for example, <url>www.example.com</url> |
319 and <url>www.nginx.org</url>. | 319 and <url>www.example.org</url>. |
320 However, the SubjectAltName field length is limited. | 320 However, the SubjectAltName field length is limited. |
321 </para> | 321 </para> |
322 | 322 |
323 <para> | 323 <para> |
324 Another way is to use a certificate with a wildcard name, for example, | 324 Another way is to use a certificate with a wildcard name, for example, |
325 <url>*.nginx.org</url>. This certificate matches | 325 <url>*.example.org</url>. This certificate matches |
326 <url>www.nginx.org</url>, but does not match <url>nginx.org</url> | 326 <url>www.example.org</url>, but does not match <url>example.org</url> |
327 and <url>www.sub.nginx.org</url>. These two methods can also be combined. | 327 and <url>www.sub.example.org</url>. These two methods can also be combined. |
328 A certificate may contain exact and wildcard names in the SubjectAltName field, | 328 A certificate may contain exact and wildcard names in the SubjectAltName field, |
329 for example, <url>nginx.org</url> and <url>*.nginx.org</url>. | 329 for example, <url>example.org</url> and <url>*.example.org</url>. |
330 </para> | 330 </para> |
331 | 331 |
332 <para> | 332 <para> |
333 It is better to place a certificate file with several names and | 333 It is better to place a certificate file with several names and |
334 its private key file at the <i>http</i> level of configuration | 334 its private key file at the <i>http</i> level of configuration |
338 ssl_certificate common.crt; | 338 ssl_certificate common.crt; |
339 ssl_certificate_key common.key; | 339 ssl_certificate_key common.key; |
340 | 340 |
341 server { | 341 server { |
342 listen 443; | 342 listen 443; |
343 server_name www.nginx.com; | 343 server_name www.example.com; |
344 ssl on; | 344 ssl on; |
345 ... | 345 ... |
346 } | 346 } |
347 | 347 |
348 server { | 348 server { |
349 listen 443; | 349 listen 443; |
350 server_name www.nginx.org; | 350 server_name www.example.org; |
351 ssl on; | 351 ssl on; |
352 ... | 352 ... |
353 } | 353 } |
354 </programlisting> | 354 </programlisting> |
355 </para> | 355 </para> |