Opened 9 months ago

#1183 new enhancement

Add support for variables (or pool) inside ssl_certificate / ssl_certificate_key directives

Reported by: sunnybear@… Owned by:
Priority: minor Milestone:
Component: nginx-module Version: 1.9.x
Keywords: Cc:
Sensitive: no
uname -a: Linux xxx 3.10.0-327.el7.x86_64 #1 SMP Thu Nov 19 22:10:57 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.11.8 built by gcc 4.8.2 20140120 (Red Hat 4.8.2-15) (GCC) built with OpenSSL 1.0.2e 3 Dec 2015 TLS SNI support enabled configure arguments: --add-module=/root/ngx_devel_kit --add-module=/root/set-misc-nginx-module --add-module=/root/echo-nginx-module --add-module=/root/nginx-eval-module --add-module=/root/ngx_http_substitutions_filter_module --add-module=/root/replace-filter-nginx-module --add-module=/root/ngx_brotli --add-module=/root/sdch_module --with-zlib=/root/zlib-1.2.8 --with-cc-opt='-DNGX_HAVE_ACCEPT4=0 -DTCP_FASTOPEN=23 -O2 -fomit-frame-pointer' --with-ipv6 --with-http_v2_module --with-http_ssl_module --with-openssl=/root/openssl --with-http_gzip_static_module --with-http_gunzip_module --with-http_sub_module --without-http_access_module --without-http_autoindex_module --without-http_empty_gif_module --without-http_memcached_module --without-http_referer_module --without-http_scgi_module --without-http_split_clients_module --without-http_uwsgi_module --with-pcre=/root/pcre --with-pcre-jit --with-ld-opt=-Wl,-rpath,/usr/local/lib


Nginx directives ssl_certificate / ssl_certificate_key leak variables support, so for now it's impossible to have generic nginx config for multiple websites listening to 443 port (each with its own cert).

As I understand ssl_certificate is important on config compilation phase (stapling, oscp, etc) - nginx restart - and can't be provided dynamically (on HTTP request phase). But there can be another way - i.e. ssl_certificates pool - which can be used dynamically on SNI requests based on HTTP Host header (and hosts can be obtained from certificates itself).

Any way to provide generic nginx config with multiple 'on-fly' SSL certificates is affordable. But the best way (from my point of view) is to provide support for either (1) or (2) configuration:

server {
listen 443 ssl http2;
ssl_certificate ssl/certifiates/$host.crt;
ssl_certificate_key ssl/certificates/$host.key;

server {
listen 443 ssl http2;
ssl_certificate_pool ssl/certifiates/website1.crt;
ssl_certificate_pool ssl/certifiates/website2.crt;

Change History (0)

Note: See TracTickets for help on using tickets.