#1705 closed enhancement (wontfix)
Enable ssl if ssl_certificate is present
Reported by: | Olaf van der Spek | Owned by: | |
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | other | Version: | 1.15.x |
Keywords: | Cc: | ||
uname -a: | Linux unstable 4.19.0-1-amd64 #1 SMP Debian 4.19.13-1 (2018-12-30) x86_64 GNU/Linux | ||
nginx -V: |
nginx version: nginx/1.14.2
built with OpenSSL 1.1.1a 20 Nov 2018 TLS SNI support enabled configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-sWHVb6/nginx-1.14.2=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-stream_ssl_preread_module --with-mail=dynamic --with-mail_ssl_module --add-dynamic-module=/build/nginx-sWHVb6/nginx-1.14.2/debian/modules/http-auth-pam --add-dynamic-module=/build/nginx-sWHVb6/nginx-1.14.2/debian/modules/http-dav-ext --add-dynamic-module=/build/nginx-sWHVb6/nginx-1.14.2/debian/modules/http-echo --add-dynamic-module=/build/nginx-sWHVb6/nginx-1.14.2/debian/modules/http-upstream-fair --add-dynamic-module=/build/nginx-sWHVb6/nginx-1.14.2/debian/modules/http-subs-filter |
Description
If the directive is not present then either *:80 is used if nginx runs with the superuser privileges, or *:8000 otherwise.
To simplify configuration and save some boilerplate, could ssl be enabled automatically if the ssl_certificate key is present in a server block (and no listen keys are present)?
Change History (3)
comment:1 by , 6 years ago
Resolution: | → wontfix |
---|---|
Status: | new → closed |
comment:3 by , 6 years ago
Because it is better to be explicit in what you want from the configuration, and even `listen 80` / `listen 8080` logic has too many moving parts to work reliably, and to be usable in practice. The problem is that you cannot predict what will happen when looking at the configuration without checking various other parts of the configuration and additional startup details. Further, changes in these other parts and startup details may unexpectedly change what the configuration does.
E.g., if port 443 is already used by another server, with your suggestion a configuration might stop working at all if an ssl certificate is added to the configuration at the http level, and so this would trigger introduction of `listen 443 ssl` in some unrelated server block this certificate will be inherited into. We may try to resolve this by only introducing `listen 443 ssl` if a certificate is explicitly specified in the server block (but not inherited into it), but this contradicts the normal logic of how configuration inheritance works in nginx, and will further confuse people.
I don't think this is a good feature. Rather, I would prefer to remove the `listen 80` / `listen 8080` default, but this is probably not a good idea from a compatibility point of view.
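Since nginx keeps requiring an explicit `listen ... ssl`, a configuration audit can catch the two cases this ticket turns on: a server block with no `listen` at all (which falls back to the default port) and a server block that sets its own `ssl_certificate` but never enables `ssl` on a listen socket. The following is an added example, not part of the ticket or of nginx; the finding names, the `audit` helper and the sample configuration are assumptions, includes are not expanded, and only the `ssl` parameter of `listen` is considered.

```python
import re

TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+')

def parse(tokens):
    """Parse a token iterator into [(name, args, children-or-None), ...]."""
    items, words = [], []
    for tok in tokens:
        if tok == "}":
            break
        if tok in (";", "{"):
            if words:
                items.append((words[0], words[1:], parse(tokens) if tok == "{" else None))
            words = []
        else:
            words.append(tok)
    return items

def audit(conf_text):
    """Return sorted (server_name, finding) pairs for server blocks inside http{}."""
    tokens = iter(TOKEN.findall(re.sub(r"#.*", "", conf_text)))  # naive comment strip
    findings = []
    for name, _, http in parse(tokens):
        if name != "http" or http is None:
            continue
        for sname, _, body in http:
            if sname != "server" or body is None:
                continue
            d = {}
            for n, args, _ in body:
                d.setdefault(n, []).append(args)
            label = d.get("server_name", [["<unnamed>"]])[0][0]
            listens = d.get("listen", [])
            if not listens:  # nginx falls back to the default listen port
                findings.append((label, "implicit-listen"))
            # Only a certificate set in the block itself counts; inherited ones are normal.
            if "ssl_certificate" in d and not any("ssl" in a[1:] for a in listens):
                findings.append((label, "cert-without-ssl-listen"))
    return sorted(findings)

# Constructed sample (ssl_certificate_key lines omitted for brevity).
SAMPLE = """
http {
    ssl_certificate /etc/ssl/example.crt;   # inherited by every server below
    server { listen 80; server_name plain.example; }
    server { listen 443 ssl; server_name tls.example; }
    server { server_name nolisten.example; }
    server { listen 8443; server_name forgot.example; ssl_certificate /etc/ssl/forgot.crt; }
}
"""
```

A certificate inherited from the http level is deliberately not flagged for `plain.example`, which matches the inheritance concern raised in comment 3.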