Opened 7 years ago

Closed 5 years ago

#1183 closed enhancement (fixed)

Add support for variables (or pool) inside ssl_certificate / ssl_certificate_key directives

Reported by: sunnybear@…
Owned by:
Priority: minor
Milestone:
Component: nginx-module
Version: 1.9.x
Keywords:
Cc:
uname -a: Linux xxx 3.10.0-327.el7.x86_64 #1 SMP Thu Nov 19 22:10:57 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.11.8
built by gcc 4.8.2 20140120 (Red Hat 4.8.2-15) (GCC)
built with OpenSSL 1.0.2e 3 Dec 2015
TLS SNI support enabled
configure arguments: --add-module=/root/ngx_devel_kit --add-module=/root/set-misc-nginx-module --add-module=/root/echo-nginx-module --add-module=/root/nginx-eval-module --add-module=/root/ngx_http_substitutions_filter_module --add-module=/root/replace-filter-nginx-module --add-module=/root/ngx_brotli --add-module=/root/sdch_module --with-zlib=/root/zlib-1.2.8 --with-cc-opt='-DNGX_HAVE_ACCEPT4=0 -DTCP_FASTOPEN=23 -O2 -fomit-frame-pointer' --with-ipv6 --with-http_v2_module --with-http_ssl_module --with-openssl=/root/openssl --with-http_gzip_static_module --with-http_gunzip_module --with-http_sub_module --without-http_access_module --without-http_autoindex_module --without-http_empty_gif_module --without-http_memcached_module --without-http_referer_module --without-http_scgi_module --without-http_split_clients_module --without-http_uwsgi_module --with-pcre=/root/pcre --with-pcre-jit --with-ld-opt=-Wl,-rpath,/usr/local/lib

Description

Nginx directives ssl_certificate / ssl_certificate_key lack variables support, so for now it's impossible to have a generic nginx config for multiple websites listening on port 443 (each with its own cert).

As I understand, ssl_certificate is important in the config compilation phase (stapling, OCSP, etc.) - nginx restart - and can't be provided dynamically (in the HTTP request phase). But there can be another way - i.e. an ssl_certificates pool - which can be used dynamically on SNI requests based on the HTTP Host header (and hosts can be obtained from the certificates themselves).

Any way to provide a generic nginx config with multiple 'on-the-fly' SSL certificates is affordable. But the best way (from my point of view) is to provide support for either configuration (1) or (2):

(1)
server {
    listen 443 ssl http2;
    server_name website1.com website2.com;
    ssl_certificate ssl/certificates/$host.crt;
    ssl_certificate_key ssl/certificates/$host.key;
}

(2)
server {
    listen 443 ssl http2;
    server_name website1.com website2.com;
    ssl_certificate_pool ssl/certificates/website1.crt;
    ssl_certificate_pool ssl/certificates/website2.crt;
}

Change History (1)

comment:1 by Maxim Dounin, 5 years ago

Resolution: fixed
Status: new → closed

Variables support was added in nginx 1.15.9. Note though that this has various performance and security implications, and if in your setup it is possible to load certificates while loading the configuration, it is better to do so - providing appropriate server{} blocks with certificates configured.
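The two configurations the comment contrasts, as an added example that is not part of the ticket or of nginx's own documentation: a single generic server{} block that picks the certificate per TLS handshake from a variable (possible since 1.15.9), beside the explicit per-site server{} blocks recommended when certificates can be loaded at configuration time. The certificate directory /etc/nginx/ssl and the file naming scheme are assumptions; the site names are the ones from the ticket. One detail the reporter's proposal glosses over: $host comes from the HTTP Host header, which does not exist yet when the certificate is selected during the TLS handshake, so the variable that carries the SNI name, $ssl_server_name, is the one that applies here.

```nginx
# Added example (not from the ticket). Assumes certificates and keys are
# stored as /etc/nginx/ssl/<server name>.crt and .key.
http {
    # Option A: generic block, certificate resolved per handshake from SNI.
    # Each handshake reads the certificate and key from disk, and the file
    # path depends on what the client sent: a client that omits SNI yields
    # an empty $ssl_server_name, the path "/etc/nginx/ssl/.crt" does not
    # exist, and the handshake fails. Requires nginx 1.15.9 or later.
    server {
        listen 443 ssl http2;
        server_name website1.com website2.com;

        ssl_certificate     /etc/nginx/ssl/$ssl_server_name.crt;
        ssl_certificate_key /etc/nginx/ssl/$ssl_server_name.key;
    }

    # Option B: explicit server{} blocks. Certificates and keys are loaded
    # once at configuration load, so a missing or unreadable file is caught
    # by "nginx -t" before traffic is served, and the handshake path no
    # longer contains client-controlled data. SNI still selects the block.
    server {
        listen 443 ssl http2;
        server_name website1.com;

        ssl_certificate     /etc/nginx/ssl/website1.com.crt;
        ssl_certificate_key /etc/nginx/ssl/website1.com.key;
    }

    server {
        listen 443 ssl http2;
        server_name website2.com;

        ssl_certificate     /etc/nginx/ssl/website2.com.crt;
        ssl_certificate_key /etc/nginx/ssl/website2.com.key;
    }
}
```

Option B is the form the comment recommends whenever the set of certificates is known when the configuration is loaded; option A is only worth its per-handshake disk read and data-dependent file path when certificates genuinely appear and disappear between reloads.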
