nginx-site: xml/en/docs/http/configuring_https

comparison xml/en/docs/http/configuring_https_servers.xml @ 801:b95a6d779c89

Documented that "listen ... ssl" is preferred over "ssl on".

author	Ruslan Ermilov <ru@nginx.com>
date	Thu, 27 Dec 2012 17:16:39 +0000
parents	2ceaef0e84a1
children	4fecf0715bbf

comparison

equal deleted inserted replaced

-:015981070efd
+:b95a6d779c89
 <!DOCTYPE article SYSTEM "../../../../dtd/article.dtd">
 <article name="Configuring HTTPS servers"
 link="/en/docs/http/configuring_https_servers.html"
 lang="en"
-rev="4"
+rev="5"
 author="Igor Sysoev"
 editor="Brian Mercer">
 <section>
 <para>
-To configure an HTTPS server, the SSL protocol must be enabled
+To configure an HTTPS server, the <literal>ssl</literal> parameter
-in the server block, and the locations of the server certificate
+must be enabled on
+<link doc="ngx_http_core_module.xml" id="listen">listening sockets</link>
+in the <link doc="ngx_http_core_module.xml" id="server"/> block,
+and the locations of the server certificate
 and private key files should be specified:
 <programlisting>
 server {
-listen              443;
+listen              443 <b>ssl</b>;
 server_name         www.example.com;
-ssl                 <b>on</b>;
 ssl_certificate     <b>www.example.com.crt</b>;
 ssl_certificate_key <b>www.example.com.key</b>;
 ssl_protocols       SSLv3 TLSv1 TLSv1.1 TLSv1.2;
 ssl_ciphers         HIGH:!aNULL:!MD5;
 ...
 http {
 <b>ssl_session_cache   shared:SSL:10m</b>;
 <b>ssl_session_timeout 10m</b>;
 server {
-listen              443;
+listen              443 ssl;
 server_name         www.example.com;
 <b>keepalive_timeout   70</b>;
-ssl                 on;
 ssl_certificate     www.example.com.crt;
 ssl_certificate_key www.example.com.key;
 ssl_protocols       SSLv3 TLSv1 TLSv1.1 TLSv1.2;
 ssl_ciphers         HIGH:!aNULL:!MD5;
 ...
 The resulting file should be used in the
 <link doc="ngx_http_ssl_module.xml" id="ssl_certificate"/> directive:
 <programlisting>
 server {
-listen              443;
+listen              443 ssl;
 server_name         www.example.com;
-ssl                 on;
 ssl_certificate     www.example.com.chained.crt;
 ssl_certificate_key www.example.com.key;
 ...
 }
 </programlisting>
 <section id="single_http_https_server" name="A single HTTP/HTTPS server">
 <para>
-If HTTP and HTTPS servers are equal,
+It is possible to configure a single server that handles both HTTP
-a single server that handles both HTTP and HTTPS requests may be configured
+and HTTPS requests:
-by deleting the directive “<literal>ssl on</literal>”
-and adding the <literal>ssl</literal> parameter for *:443 port:
 <programlisting>
 server {
 listen              80;
 listen              443 ssl;
 ...
 }
 </programlisting>
 <note>
-Prior to 0.8.21, nginx only allows the <literal>ssl</literal> parameter
+Prior to 0.7.14 SSL could not be enabled selectively for
-to be set on listen sockets with the <literal>default</literal> parameter:
+individual listening sockets, as shown above.
-<programlisting>
+SSL could only be enabled for the entire server using the
-listen 443 default ssl;
+<link doc="ngx_http_ssl_module.xml" id="ssl"/> directive,
-</programlisting>
+making it impossible to set up a single HTTP/HTTPS server.
+The <literal>ssl</literal> parameter of the
+<link doc="ngx_http_core_module.xml" id="listen"/> directive
+was added to solve this issue.
+The use of the
+<link doc="ngx_http_ssl_module.xml" id="ssl"/> directive
+in modern versions is thus discouraged.
 </note>
 </para>
 </section>
 A common issue arises when configuring two or more HTTPS servers
 listening on a single IP address:
 <programlisting>
 server {
-listen          443;
+listen          443 ssl;
 server_name     www.example.com;
-ssl             on;
 ssl_certificate www.example.com.crt;
 ...
 }
 server {
-listen          443;
+listen          443 ssl;
 server_name     www.example.org;
-ssl             on;
 ssl_certificate www.example.org.crt;
 ...
 }
 </programlisting>
 The oldest and most robust method to resolve the issue
 is to assign a separate IP address for every HTTPS server:
 <programlisting>
 server {
-listen          192.168.1.1:443;
+listen          192.168.1.1:443 ssl;
 server_name     www.example.com;
-ssl             on;
 ssl_certificate www.example.com.crt;
 ...
 }
 server {
-listen          192.168.1.2:443;
+listen          192.168.1.2:443 ssl;
 server_name     www.example.org;
-ssl             on;
 ssl_certificate www.example.org.crt;
 ...
 }
 </programlisting>
 </para>
-</section>
 <section id="certificate_with_several_names"
 name="An SSL certificate with several names">
 <programlisting>
 ssl_certificate     common.crt;
 ssl_certificate_key common.key;
 server {
-listen          443;
+listen          443 ssl;
 server_name     www.example.com;
-ssl             on;
+...
-...
+}
-}
+server {
-server {
+listen          443 ssl;
-listen          443;
 server_name     www.example.org;
-ssl             on;
 ...
 }
 </programlisting>
 </para>
 </programlisting>
 </para>
 </section>
+</section>
 <section id="compatibility" name="Compatibility">
 <para>
 <list type="bullet">
 <listitem>
 The <literal>ssl</literal> parameter of the
 <link doc="ngx_http_core_module.xml" id="listen"/>
 directive has been supported since 0.7.14.
+Prior to 0.8.21 it could only be specified along with the
+<literal>default</literal> parameter.
 </listitem>
 <listitem>
 SNI has been supported since 0.5.32.
 </listitem>

Mercurial > hg > nginx-site

comparison xml/en/docs/http/configuring_https_servers.xml @ 801:b95a6d779c89