Opened 8 years ago
Closed 6 years ago
#1183 closed enhancement (fixed)
Add support for variables (or pool) inside ssl_certificate / ssl_certificate_key directives
Reported by: | Owned by: | ||
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | nginx-module | Version: | 1.9.x |
Keywords: | Cc: | ||
uname -a: | Linux xxx 3.10.0-327.el7.x86_64 #1 SMP Thu Nov 19 22:10:57 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux | ||
nginx -V: |
nginx version: nginx/1.11.8
built by gcc 4.8.2 20140120 (Red Hat 4.8.2-15) (GCC) built with OpenSSL 1.0.2e 3 Dec 2015 TLS SNI support enabled configure arguments: --add-module=/root/ngx_devel_kit --add-module=/root/set-misc-nginx-module --add-module=/root/echo-nginx-module --add-module=/root/nginx-eval-module --add-module=/root/ngx_http_substitutions_filter_module --add-module=/root/replace-filter-nginx-module --add-module=/root/ngx_brotli --add-module=/root/sdch_module --with-zlib=/root/zlib-1.2.8 --with-cc-opt='-DNGX_HAVE_ACCEPT4=0 -DTCP_FASTOPEN=23 -O2 -fomit-frame-pointer' --with-ipv6 --with-http_v2_module --with-http_ssl_module --with-openssl=/root/openssl --with-http_gzip_static_module --with-http_gunzip_module --with-http_sub_module --without-http_access_module --without-http_autoindex_module --without-http_empty_gif_module --without-http_memcached_module --without-http_referer_module --without-http_scgi_module --without-http_split_clients_module --without-http_uwsgi_module --with-pcre=/root/pcre --with-pcre-jit --with-ld-opt=-Wl,-rpath,/usr/local/lib |
Description
Nginx directives ssl_certificate / ssl_certificate_key leak variables support, so for now it's impossible to have generic nginx config for multiple websites listening to 443 port (each with its own cert).
As I understand ssl_certificate is important on config compilation phase (stapling, oscp, etc) - nginx restart - and can't be provided dynamically (on HTTP request phase). But there can be another way - i.e. ssl_certificates pool - which can be used dynamically on SNI requests based on HTTP Host header (and hosts can be obtained from certificates itself).
Any way to provide generic nginx config with multiple 'on-fly' SSL certificates is affordable. But the best way (from my point of view) is to provide support for either (1) or (2) configuration:
(1)
server {
listen 443 ssl http2;
server_name website1.com website2.com;
ssl_certificate ssl/certifiates/$host.crt;
ssl_certificate_key ssl/certificates/$host.key;
}
(2)
server {
listen 443 ssl http2;
server_name website1.com website2.com;
ssl_certificate_pool ssl/certifiates/website1.crt;
ssl_certificate_pool ssl/certifiates/website2.crt;
}
Variables support was added in nginx 1.15.9. Note though that this have various performance and security implications, and if in your setup it is possible to load certificates while loading the configuration, it is better to do so - providing appropriate server{} blocks with certificates configured.