Opened 11 months ago

Closed 11 months ago

Last modified 11 months ago

#1705 closed enhancement (wontfix)

Enable ssl if ssl_certificate is present

Reported by: olafvdspek@…
Owned by:
Priority: minor
Milestone:
Component: other
Version: 1.15.x
Keywords:
Cc:
uname -a: Linux unstable 4.19.0-1-amd64 #1 SMP Debian 4.19.13-1 (2018-12-30) x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.14.2 built with OpenSSL 1.1.1a 20 Nov 2018 TLS SNI support enabled configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-sWHVb6/nginx-1.14.2=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/ --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-stream_ssl_preread_module --with-mail=dynamic --with-mail_ssl_module --add-dynamic-module=/build/nginx-sWHVb6/nginx-1.14.2/debian/modules/http-auth-pam --add-dynamic-module=/build/nginx-sWHVb6/nginx-1.14.2/debian/modules/http-dav-ext --add-dynamic-module=/build/nginx-sWHVb6/nginx-1.14.2/debian/modules/http-echo --add-dynamic-module=/build/nginx-sWHVb6/nginx-1.14.2/debian/modules/http-upstream-fair --add-dynamic-module=/build/nginx-sWHVb6/nginx-1.14.2/debian/modules/http-subs-filter


If the directive is not present then either *:80 is used if nginx runs with the superuser privileges, or *:8000 otherwise.

To simplify configuration and save some boilerplate, could ssl be enabled automatically if the ssl_certificate key is present in a server block (and no listen keys are present)?

Change History (3)

comment:1 Changed 11 months ago by mdounin

  • Resolution set to wontfix
  • Status changed from new to closed

I don't think this is a good feature. Rather, I would prefer to remove the listen 80 / listen 8080 default, but this is probably not a good idea from a compatibility point of view.

comment:2 Changed 11 months ago by olafvdspek@…

> I don't think this is a good feature.


comment:3 Changed 11 months ago by mdounin

Because it is better to be explicit in what you want from the configuration, and even listen 80 / listen 8080 logic has too many moving parts to work reliably, and to be usable in practice. The problem is that you cannot predict what will happen when looking at the configuration without checking various other parts of the configuration and additional startup details. Further, changes in these other parts and startup details may unexpectedly change what the configuration does.

E.g., if port 443 is already used by another server, with your suggestion a configuration might stop working at all if an ssl certificate is added to the configuration at http level, and so this would trigger introduction of listen 443 ssl in some unrelated server block this certificate will be inherited into. We may try to resolve this by only introducing listen 443 ssl if a certificate is explicitly specified in the server block (but not inherited into it), but this contradicts the normal logic of how configuration inheritance works in nginx, and will further confuse people.
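The following is an added example, not part of the ticket and not nginx code: a small Python audit that reports, for each server block, whether its ssl_certificate is explicit or inherited from http level and whether its listen behaviour is explicit TLS, plaintext only, or left to the implicit default. The sample configuration, the function names and the status labels are constructed for illustration; the parser is simplified and assumes no quoted strings and no include directives.

```python
import re

# Constructed sample: the certificate is set once at http level and inherited.
SAMPLE = """
http {
    ssl_certificate /etc/ssl/example.crt;  # applies to every server below
    server { server_name a.example; listen 443 ssl; }
    server { server_name b.example; listen 80; }
    server { server_name c.example; }
}
"""

def tokenize(text):
    # Drop comments, then split into words and the structural tokens { } ;
    return re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", text))

def parse(tokens, i=0):
    """Build a tree of (name, args, children); children is None for simple directives."""
    out, words = [], []
    while i < len(tokens) and tokens[i] != "}":
        tok, i = tokens[i], i + 1
        if tok == "{":
            children, i = parse(tokens, i)
            out.append((words[0], words[1:], children))
        elif tok == ";" and words:
            out.append((words[0], words[1:], None))
        if tok in ("{", ";"):
            words = []
        else:
            words.append(tok)
    return out, i + 1  # step past the closing brace of this block

def blocks(nodes, name):
    return [c for n, _, c in nodes if n == name and c is not None]

def audit(text):
    """Return (server_name, certificate source, listen status) per server block."""
    report = []
    for http in blocks(parse(tokenize(text))[0], "http"):
        http_cert = any(n == "ssl_certificate" for n, _, _ in http)
        for srv in blocks(http, "server"):
            name = next((a[0] for n, a, _ in srv if n == "server_name" and a), "")
            listens = [a for n, a, _ in srv if n == "listen"]
            own = any(n == "ssl_certificate" for n, _, _ in srv)
            cert = "explicit" if own else "inherited" if http_cert else "none"
            status = ("implicit-default-listen" if not listens else
                      "tls" if any("ssl" in a for a in listens) else "plaintext-only")
            report.append((name, cert, status))
    return report
```

On the sample, c.example is reported as ("c.example", "inherited", "implicit-default-listen"): it is the block whose listening port could only be determined by reading the http level and the startup details, which is the situation comment:3 describes.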
