Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#1705 closed enhancement (wontfix)

Enable ssl if ssl_certificate is present

Reported by: Olaf van der Spek Owned by:
Priority: minor Milestone:
Component: other Version: 1.15.x
Keywords: Cc:
uname -a: Linux unstable 4.19.0-1-amd64 #1 SMP Debian 4.19.13-1 (2018-12-30) x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.14.2
built with OpenSSL 1.1.1a 20 Nov 2018
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-sWHVb6/nginx-1.14.2=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/ --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-stream_ssl_preread_module --with-mail=dynamic --with-mail_ssl_module --add-dynamic-module=/build/nginx-sWHVb6/nginx-1.14.2/debian/modules/http-auth-pam --add-dynamic-module=/build/nginx-sWHVb6/nginx-1.14.2/debian/modules/http-dav-ext --add-dynamic-module=/build/nginx-sWHVb6/nginx-1.14.2/debian/modules/http-echo --add-dynamic-module=/build/nginx-sWHVb6/nginx-1.14.2/debian/modules/http-upstream-fair --add-dynamic-module=/build/nginx-sWHVb6/nginx-1.14.2/debian/modules/http-subs-filter


If the directive is not present then either *:80 is used if nginx runs with the superuser privileges, or *:8000 otherwise.

To simplify configuration and save some boilerplate, could ssl be enabled automatically if the ssl_certificate key is present in a server block (and no listen keys are present)?

Change History (3)

comment:1 by Maxim Dounin, 6 years ago

Resolution: wontfix
Status: new → closed

I don't think this is a good feature. Rather, I would prefer to remove the listen 80 / listen 8080 default, but this is probably not a good idea from a compatibility point of view.

comment:2 by Olaf van der Spek, 6 years ago

I don't think this is a good feature.


comment:3 by Maxim Dounin, 6 years ago

Because it is better to be explicit in what you want from the configuration, and even the listen 80 / listen 8080 logic has too many moving parts to work reliably, and to be usable in practice. The problem is that you cannot predict what will happen when looking at the configuration without checking various other parts of the configuration and additional startup details. Further, changes in these other parts and startup details may unexpectedly change what the configuration does.

E.g., if port 443 is already used by another server, with your suggestion a configuration might stop working at all if an ssl certificate is added to the configuration at http level, and so this would trigger introduction of listen 443 ssl in some unrelated server block this certificate will be inherited into. We may try to resolve this by only introducing listen 443 ssl if a certificate is explicitly specified in the server block (but not inherited into it), but this contradicts the normal logic of how configuration inheritance works in nginx, and will further confuse people.
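An added example, not part of the ticket and not nginx code: a small audit that lists server blocks with no listen directive, which therefore rely on the implicit default discussed above, and reports whether each has its own ssl_certificate or only one inherited from http level. The function names and the sample configuration are constructed for illustration; the parser is simplified and does not follow include directives.

```python
import re

# Constructed sample config (not from the ticket): the http-level certificate
# is inherited by every server block below it.
SAMPLE = """
http {
    ssl_certificate     /etc/nginx/tls/site.crt;  # http level
    ssl_certificate_key /etc/nginx/tls/site.key;
    server { listen 443 ssl; server_name secure.example; }
    server { server_name legacy.example; }
    server { server_name own.example; ssl_certificate /etc/nginx/tls/own.crt; }
    server { listen 8080; server_name app.example; }
}
"""

TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+')

def parse(tokens):
    """Turn a token iterator into nested (name, args, children) tuples."""
    items, words = [], []
    for tok in tokens:
        if tok == "}":                      # end of the current block
            break
        if tok in (";", "{"):
            if words:                       # "{" opens a nested block
                items.append((words[0], words[1:],
                              parse(tokens) if tok == "{" else None))
            words = []
        else:
            words.append(tok)
    return items

def servers_without_listen(conf_text):
    """Return (server_name, cert_source) for server blocks with no listen."""
    text = re.sub(r"#[^\n]*", "", conf_text)   # drop comments (simplified)
    found = []
    has_cert = lambda block: any(n == "ssl_certificate" for n, _, _ in block)
    def walk(items, inherited):
        inherited = inherited or has_cert(items)   # cert set at this level
        for name, _, children in items:
            if children is None:
                continue                           # simple directive
            if name != "server":
                walk(children, inherited)
            elif not any(n == "listen" for n, _, _ in children):
                sname = next((a[0] for n, a, _ in children
                              if n == "server_name" and a), "<unnamed>")
                source = ("server" if has_cert(children)
                          else "inherited" if inherited else None)
                found.append((sname, source))
    walk(parse(iter(TOKEN.findall(text))), False)
    return found
```

On the sample, legacy.example is reported with an inherited certificate: the kind of unrelated server block that comment:3 says would have silently gained listen 443 ssl under the proposal.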
