Opened 2 years ago

Closed 2 years ago

#1580 closed enhancement (worksforme)

Deprecate 'ssl on;'

Reported by: teward@…
Owned by:
Priority: minor
Milestone:
Component: other
Version:
Keywords:
Cc:
uname -a:
nginx -V: nginx version: nginx/1.15.0
built with OpenSSL 1.1.0g 2 Nov 2017
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-Y8rEl9/nginx-1.15.0=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/ --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-stream_ssl_preread_module --with-mail=dynamic --with-mail_ssl_module --add-dynamic-module=/build/nginx-Y8rEl9/nginx-1.15.0/debian/modules/http-auth-pam --add-dynamic-module=/build/nginx-Y8rEl9/nginx-1.15.0/debian/modules/http-dav-ext --add-dynamic-module=/build/nginx-Y8rEl9/nginx-1.15.0/debian/modules/http-echo --add-dynamic-module=/build/nginx-Y8rEl9/nginx-1.15.0/debian/modules/http-upstream-fair --add-dynamic-module=/build/nginx-Y8rEl9/nginx-1.15.0/debian/modules/http-subs-filter


It has been some time since ssl on; was replaced with the capability to enable SSL listeners at the listen statement with listen 443 ssl.

I occasionally come across people setting up both SSL and non-SSL in the same server { } block using old configurations which had ssl on; in them, which in turn breaks non-SSL'd traffic on the non-SSL ports.

Perhaps it's time to finally deprecate the ssl on; directive, in favor of the listen with ssl option instead? This may break ancient configurations, but it will prevent some confusion for people who're following ancient guides and are trying to solve the problem of getting both HTTP and HTTPS to work.

Change History (2)

comment:1 by teward@…, 2 years ago

Note that this ticket is version agnostic, and does not need to be bound to a specific NGINX version string.

comment:2 by Maxim Dounin, 2 years ago

Resolution: worksforme
Status: new → closed

The "ssl" directive is already deprecated starting with nginx 1.15.0 and will produce a warning when used. Quoting CHANGES:

Changes with nginx 1.15.0                                        05 Jun 2018

    *) Change: the "ssl" directive is deprecated; the "ssl" parameter of the
       "listen" directive should be used instead.

See 46c0c7ef4913 for details.
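
The misconfiguration described in this ticket, next to the `listen ... ssl` form, with a small check that flags it. This is an added example, not part of the ticket or of nginx. The sample configurations are constructed, the names `server_blocks` and `audit` are hypothetical, and the parser is deliberately simplified: it does not follow `include`, does not handle quoted strings containing braces or `#`, and does not see an `ssl on;` inherited from the `http` level.

```python
import re

# Constructed sample configurations (not taken from the ticket).
LEGACY = """
server {
    listen 80;
    listen 443;
    ssl on;  # server-wide: port 80 is switched to TLS as well
    ssl_certificate     /etc/nginx/example.crt;
    ssl_certificate_key /etc/nginx/example.key;
}
"""
FIXED = """
server {
    listen 80;
    listen 443 ssl;  # TLS enabled per listening socket
    ssl_certificate     /etc/nginx/example.crt;
    ssl_certificate_key /etc/nginx/example.key;
}
"""

def server_blocks(conf):
    """Yield the body of every server { } block, found by brace matching."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def audit(conf):
    """Return (server number, listens lacking 'ssl') for each server using 'ssl on;'."""
    findings = []
    for n, body in enumerate(server_blocks(conf), 1):
        directives = [d.split() for d in re.split(r"[;{}]", body) if d.strip()]
        if not any(d[:2] == ["ssl", "on"] for d in directives):
            continue
        bare = [d[1] for d in directives
                if d[0] == "listen" and len(d) > 1 and "ssl" not in d[2:]]
        findings.append((n, bare))
    return findings

if __name__ == "__main__":
    print("legacy:", audit(LEGACY))
    print("fixed: ", audit(FIXED))
```

Each finding lists the `listen` values in that server block that carry no `ssl` parameter; under `ssl on;` those sockets speak TLS too, which is why plain HTTP on port 80 stops working.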
