id summary reporter owner description type status priority milestone component version resolution keywords cc uname nginx_version 1183 Add support for variables (or pool) inside ssl_certificate / ssl_certificate_key directives sunnybear@… "Nginx directives ssl_certificate / ssl_certificate_key leak variables support, so for now it's impossible to have generic nginx config for multiple websites listening to 443 port (each with its own cert). As I understand ssl_certificate is important on config compilation phase (stapling, oscp, etc) - nginx restart - and can't be provided dynamically (on HTTP request phase). But there can be another way - i.e. ssl_certificates pool - which can be used dynamically on SNI requests based on HTTP Host header (and hosts can be obtained from certificates itself). Any way to provide generic nginx config with multiple 'on-fly' SSL certificates is affordable. But the best way (from my point of view) is to provide support for either (1) or (2) configuration: (1) server { listen 443 ssl http2; server_name website1.com website2.com; ssl_certificate ssl/certifiates/$host.crt; ssl_certificate_key ssl/certificates/$host.key; } (2) server { listen 443 ssl http2; server_name website1.com website2.com; ssl_certificate_pool ssl/certifiates/website1.crt; ssl_certificate_pool ssl/certifiates/website2.crt; }" enhancement closed minor nginx-module 1.9.x fixed Linux xxx 3.10.0-327.el7.x86_64 #1 SMP Thu Nov 19 22:10:57 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux "nginx version: nginx/1.11.8 built by gcc 4.8.2 20140120 (Red Hat 4.8.2-15) (GCC) built with OpenSSL 1.0.2e 3 Dec 2015 TLS SNI support enabled configure arguments: --add-module=/root/ngx_devel_kit --add-module=/root/set-misc-nginx-module --add-module=/root/echo-nginx-module --add-module=/root/nginx-eval-module --add-module=/root/ngx_http_substitutions_filter_module --add-module=/root/replace-filter-nginx-module --add-module=/root/ngx_brotli --add-module=/root/sdch_module --with-zlib=/root/zlib-1.2.8 --with-cc-opt='-DNGX_HAVE_ACCEPT4=0 -DTCP_FASTOPEN=23 -O2 -fomit-frame-pointer' --with-ipv6 --with-http_v2_module --with-http_ssl_module --with-openssl=/root/openssl --with-http_gzip_static_module --with-http_gunzip_module --with-http_sub_module --without-http_access_module --without-http_autoindex_module --without-http_empty_gif_module --without-http_memcached_module --without-http_referer_module --without-http_scgi_module --without-http_split_clients_module --without-http_uwsgi_module --with-pcre=/root/pcre --with-pcre-jit --with-ld-opt=-Wl,-rpath,/usr/local/lib"