diff xml/en/docs/http/configuring_https_servers.xml @ 490:9913f1d51c07
Replaced "nginx" domain names with example domains.
author | Ruslan Ermilov <ru@nginx.com> |
---|---|
date | Thu, 19 Apr 2012 12:30:24 +0000 |
parents | 6135f3c95bf6 |
children | be54c443235a |
--- a/xml/en/docs/http/configuring_https_servers.xml Thu Apr 19 09:54:55 2012 +0000 +++ b/xml/en/docs/http/configuring_https_servers.xml Thu Apr 19 12:30:24 2012 +0000 @@ -16,10 +16,10 @@ <programlisting> server { listen 443; - server_name www.nginx.com; + server_name www.example.com; ssl on; - ssl_certificate www.nginx.com.crt; - ssl_certificate_key www.nginx.com.key; + ssl_certificate www.example.com.crt; + ssl_certificate_key www.example.com.key; ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers HIGH:!aNULL:!MD5; ... @@ -33,8 +33,8 @@ The private key may alternately be stored in the same file as the certificate: <programlisting> - ssl_certificate www.nginx.com.cert; - ssl_certificate_key www.nginx.com.cert; + ssl_certificate www.example.com.cert; + ssl_certificate_key www.example.com.cert; </programlisting> in which case the file access rights should also be restricted. @@ -101,12 +101,12 @@ server { listen 443; - server_name www.nginx.com; + server_name www.example.com; <b>keepalive_timeout 70</b>; ssl on; - ssl_certificate www.nginx.com.crt; - ssl_certificate_key www.nginx.com.key; + ssl_certificate www.example.com.crt; + ssl_certificate_key www.example.com.key; ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers HIGH:!aNULL:!MD5; ... @@ -132,7 +132,7 @@ in the combined file: <programlisting> -$ cat www.nginx.com.crt bundle.crt > www.nginx.com.chained.crt +$ cat www.example.com.crt bundle.crt > www.example.com.chained.crt </programlisting> The resulting file should be used in the @@ -142,10 +142,10 @@ <programlisting> server { listen 443; - server_name www.nginx.com; + server_name www.example.com; ssl on; - ssl_certificate www.nginx.com.chained.crt; - ssl_certificate_key www.nginx.com.key; + ssl_certificate www.example.com.chained.crt; + ssl_certificate_key www.example.com.key; ... } </programlisting> 
@@ -154,7 +154,7 @@ order, nginx will fail to start and will display the error message: <programlisting> -SSL_CTX_use_PrivateKey_file(" ... /www.nginx.com.key") failed +SSL_CTX_use_PrivateKey_file(" ... /www.example.com.key") failed (SSL: error:0B080074:x509 certificate routines: X509_check_private_key:key values mismatch) </programlisting> @@ -231,9 +231,9 @@ server { listen 80; listen 443 ssl; - server_name www.nginx.com; - ssl_certificate www.nginx.com.crt; - ssl_certificate_key www.nginx.com.key; + server_name www.example.com; + ssl_certificate www.example.com.crt; + ssl_certificate_key www.example.com.key; ... } </programlisting> @@ -259,23 +259,23 @@ <programlisting> server { listen 443; - server_name www.nginx.com; + server_name www.example.com; ssl on; - ssl_certificate www.nginx.com.crt; + ssl_certificate www.example.com.crt; ... } server { listen 443; - server_name www.nginx.org; + server_name www.example.org; ssl on; - ssl_certificate www.nginx.org.crt; + ssl_certificate www.example.org.crt; ... } </programlisting> With this configuration a browser receives the certificate of the default -server, i.e., <url>www.nginx.com</url> regardless of the requested server name. +server, i.e., <url>www.example.com</url> regardless of the requested server name. This is caused by SSL protocol behaviour. The SSL connection is established before the browser sends an HTTP request and nginx does not know the name of the requested server. Therefore, it may only offer the certificate @@ -289,17 +289,17 @@ <programlisting> server { listen 192.168.1.1:443; - server_name www.nginx.com; + server_name www.example.com; ssl on; - ssl_certificate www.nginx.com.crt; + ssl_certificate www.example.com.crt; ... } server { listen 192.168.1.2:443; - server_name www.nginx.org; + server_name www.example.org; ssl on; - ssl_certificate www.nginx.org.crt; + ssl_certificate www.example.org.crt; ... } </programlisting> 
@@ -315,18 +315,18 @@ There are other ways to share a single IP address between several HTTPS servers, however, all of them have drawbacks. One way is to use a certificate with several names in -the SubjectAltName certificate field, for example, <url>www.nginx.com</url> -and <url>www.nginx.org</url>. +the SubjectAltName certificate field, for example, <url>www.example.com</url> +and <url>www.example.org</url>. However, the SubjectAltName field length is limited. </para> <para> Another way is to use a certificate with a wildcard name, for example, -<url>*.nginx.org</url>. This certificate matches -<url>www.nginx.org</url>, but does not match <url>nginx.org</url> -and <url>www.sub.nginx.org</url>. These two methods can also be combined. +<url>*.example.org</url>. This certificate matches +<url>www.example.org</url>, but does not match <url>example.org</url> +and <url>www.sub.example.org</url>. These two methods can also be combined. A certificate may contain exact and wildcard names in the SubjectAltName field, -for example, <url>nginx.org</url> and <url>*.nginx.org</url>. +for example, <url>example.org</url> and <url>*.example.org</url>. </para> <para> @@ -340,14 +340,14 @@ server { listen 443; - server_name www.nginx.com; + server_name www.example.com; ssl on; ... } server { listen 443; - server_name www.nginx.org; + server_name www.example.org; ssl on; ... }
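Review bot: The unchanged context line `ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;` in the @@ -16,10 and @@ -101,12 hunks still enables SSLv3 in a sample that readers tend to copy verbatim. That is outside the scope of a domain rename, but since both listings are being touched, a follow-up change that drops SSLv3 from the sample `ssl_protocols` line would be worth filing (SSLv3 is deprecated by RFC 7568).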
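Review bot: In the @@ -33,8 hunk the combined certificate-and-key file keeps the `.cert` extension (`www.example.com.cert`), while every other hunk uses `.crt` for certificates and `.key` for keys. If the different extension is meant to signal "this file also holds the private key", a short remark in the surrounding text would make that explicit. Otherwise this rename is a good moment to unify the extension. The trailing context says the file access rights "should also be restricted" without naming the restriction, so stating who must be able to read the file would help here as well.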
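Review bot: The @@ -289,17 hunk moves the server names to reserved example domains but leaves `listen 192.168.1.1:443;` and `listen 192.168.1.2:443;` in the context lines, which are RFC 1918 private addresses rather than documentation addresses. For consistency with the intent stated in the commit message, consider switching these to the RFC 5737 documentation range (for example 192.0.2.1 and 192.0.2.2) in the same or a follow-up change.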