annotate xml/en/docs/http/configuring_https_servers.xml @ 2769:16f6fa718be2

Updated TLSv1.3 support notes.

Previous notes described some early development snapshot of OpenSSL 1.1.1
with disabled TLSv1.3 by default. It was then enabled in the first alpha.
Further, the updated text covers later major releases such as OpenSSL 3.0.

author: Sergey Kandaurov <pluknet@nginx.com>
date: Thu, 30 Sep 2021 16:29:20 +0300
parents: aac9e462320b
children: 37e082fd009c
<!--
  Copyright (C) Igor Sysoev
  Copyright (C) Nginx, Inc.
-->

<!DOCTYPE article SYSTEM "../../../../dtd/article.dtd">

<article name="Configuring HTTPS servers"
         link="/en/docs/http/configuring_https_servers.html"
         lang="en"
         rev="13"
         author="Igor Sysoev"
         editor="Brian Mercer">

<section>

<para>
To configure an HTTPS server, the <literal>ssl</literal> parameter
must be enabled on
<link doc="ngx_http_core_module.xml" id="listen">listening sockets</link>
in the <link doc="ngx_http_core_module.xml" id="server"/> block,
and the locations of the
<link doc="ngx_http_ssl_module.xml" id="ssl_certificate">server certificate</link>
and
<link doc="ngx_http_ssl_module.xml" id="ssl_certificate_key">private key</link>
files should be specified:

<programlisting>
server {
    listen              443 <b>ssl</b>;
    server_name         www.example.com;
    ssl_certificate     <b>www.example.com.crt</b>;
    ssl_certificate_key <b>www.example.com.key</b>;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ...
}
</programlisting>

The server certificate is a public entity.
It is sent to every client that connects to the server.
The private key is a secret and should be stored in a file with
restricted access (for example, mode 0600); it must, however, be readable
by nginx’s master process.
The private key may alternatively be stored in the same file as the certificate:

<programlisting>
    ssl_certificate     www.example.com.cert;
    ssl_certificate_key www.example.com.cert;
</programlisting>

in which case the file access rights should also be restricted.
Although the certificate and the key are stored in one file,
only the certificate is sent to a client.
</para>

<para>
The directives <link doc="ngx_http_ssl_module.xml" id="ssl_protocols"/> and
<link doc="ngx_http_ssl_module.xml" id="ssl_ciphers"/>
can be used to restrict connections
to strong versions and ciphers of SSL/TLS.
By default nginx uses
“<literal>ssl_protocols TLSv1 TLSv1.1 TLSv1.2</literal>”
and “<literal>ssl_ciphers HIGH:!aNULL:!MD5</literal>”,
so configuring them explicitly is generally not needed.
TLSv1 and TLSv1.1 have since been deprecated (RFC 8996), so where the
clients allow it, restricting the list to
“<literal>ssl_protocols TLSv1.2 TLSv1.3</literal>” is advisable.
Note that the default values of these directives were
<link id="compatibility">changed</link> several times.
</para>

</section>


<section id="optimization" name="HTTPS server optimization">

<para>
SSL operations consume extra CPU resources.
On multi-processor systems several
<link doc="../ngx_core_module.xml" id="worker_processes">worker processes</link>
should be run,
no less than the number of available CPU cores.
The most CPU-intensive operation is the SSL handshake.
There are two ways to minimize the number of these operations per client:
the first is by enabling
<link doc="ngx_http_core_module.xml" id="keepalive_timeout">keepalive</link>
connections to send several
requests via one connection and the second is to reuse SSL session
parameters to avoid SSL handshakes for parallel and subsequent connections.
The sessions are stored in an SSL session cache shared between workers
and configured by the
<link doc="ngx_http_ssl_module.xml" id="ssl_session_cache"/>
directive.
One megabyte of the cache contains about 4000 sessions.
The default cache timeout is 5 minutes.
It can be increased by using the
<link doc="ngx_http_ssl_module.xml" id="ssl_session_timeout"/>
directive.
Here is a sample configuration optimized for a multi-core system
with 10 megabyte shared session cache:

<programlisting>
<b>worker_processes auto</b>;

http {
    <b>ssl_session_cache   shared:SSL:10m</b>;
    <b>ssl_session_timeout 10m</b>;

    server {
        listen              443 ssl;
        server_name         www.example.com;
        <b>keepalive_timeout   70</b>;

        ssl_certificate     www.example.com.crt;
        ssl_certificate_key www.example.com.key;
        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers         HIGH:!aNULL:!MD5;
        ...
</programlisting>
</para>

</section>


<section id="chains" name="SSL certificate chains">

<para>
Some browsers may complain about a certificate signed by a well-known
certificate authority, while other browsers may accept the certificate
without issues.
This occurs because the issuing authority has signed the server certificate
using an intermediate certificate that is not present in the store of
well-known trusted certificate authorities distributed with a particular
browser.
In this case the authority provides a bundle of chained certificates
which should be concatenated to the signed server certificate.
The server certificate must appear before the chained certificates
in the combined file:

<programlisting>
$ cat www.example.com.crt bundle.crt > www.example.com.chained.crt
</programlisting>

The resulting file should be used in the
<link doc="ngx_http_ssl_module.xml" id="ssl_certificate"/> directive:

<programlisting>
server {
    listen              443 ssl;
    server_name         www.example.com;
    ssl_certificate     www.example.com.chained.crt;
    ssl_certificate_key www.example.com.key;
    ...
}
</programlisting>

If the server certificate and the bundle have been concatenated in the wrong
order, nginx will fail to start and will display the error message:

<programlisting>
SSL_CTX_use_PrivateKey_file(" ... /www.example.com.key") failed
   (SSL: error:0B080074:x509 certificate routines:
    X509_check_private_key:key values mismatch)
</programlisting>

because nginx has tried to use the private key with the bundle’s
first certificate instead of the server certificate.
</para>
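<para>
The following script is an added example and is not part of the nginx
documentation or the nginx project. It covers two points from this page:
the private-key file handling from the first section (the key is created
under a restrictive umask, so it is never world-readable, while the
certificates are left public) and the concatenation-order failure described
just above. It builds a throwaway test chain (root CA, intermediate, leaf)
with the <command>openssl</command> tool and then checks a chained file the
way nginx does at startup: the first certificate must match the private key,
and each certificate must be issued by the one that follows it. The function
names, the “Example Test” CA names and all file names are made up for the
example; only the <command>openssl</command> command-line tool is assumed.

```sh
#!/bin/sh
# Added example, not from the nginx documentation or the nginx project.
# Creates private keys with restricted permissions, builds a test chain
# (root CA -> intermediate -> leaf) with openssl, and checks a concatenated
# certificate file the way nginx will at startup: the first certificate has
# to match the private key and each certificate has to be issued by the next.
# Requires the openssl command-line tool; every name and path below is made up.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

# make_test_chain DIR: write root.crt, intermediate.crt, www.example.com.crt,
# their keys, and bundle.crt (the intermediates, as a CA would ship them) to
# DIR. Runs in a subshell so cd and umask do not leak to the caller.
make_test_chain() (
    cd "$1"
    umask 077           # keys are created owner-readable only, no chmod race
    # EC keys are quick to generate; -nodes leaves the key unencrypted for nginx
    newkey_req() { openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
                       -nodes "$@" 2>/dev/null; }
    newkey_req -x509 -keyout root.key -out root.crt -days 1 \
        -subj "/CN=Example Test Root CA"
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    newkey_req -keyout intermediate.key -out intermediate.csr \
        -subj "/CN=Example Test Intermediate CA"
    openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key \
        -CAcreateserial -days 1 -extfile ca.ext -out intermediate.crt 2>/dev/null
    newkey_req -keyout www.example.com.key -out www.example.com.csr \
        -subj "/CN=www.example.com"
    openssl x509 -req -in www.example.com.csr -CA intermediate.crt \
        -CAkey intermediate.key -CAcreateserial -days 1 \
        -out www.example.com.crt 2>/dev/null
    cat intermediate.crt root.crt > bundle.crt
    chmod 644 ./*.crt   # certificates are public; the keys stay at 0600
)

# check_chain_file CHAIN KEY: return 0 if the first certificate in CHAIN
# matches KEY and every certificate is issued by the one that follows it;
# otherwise describe the problem on stderr and return 1.
check_chain_file() {
    chain=$1; key=$2
    tmp=$(mktemp -d)
    # split the PEM file into cert1.pem, cert2.pem, ... in file order
    n=$(awk '/-----BEGIN CERTIFICATE-----/ { n++ }
             n { print > (dir "/cert" n ".pem") }
             END { print n + 0 }' dir="$tmp" "$chain")
    status=0
    if [ "$n" -eq 0 ]; then
        echo "$chain: no certificates found" >&2
        status=1
    elif [ "$(openssl x509 -in "$tmp/cert1.pem" -noout -pubkey)" != \
           "$(openssl pkey -in "$key" -pubout)" ]; then
        # the same mismatch nginx reports as "key values mismatch"
        echo "$chain: first certificate does not match $key (wrong order?)" >&2
        status=1
    else
        [ "$n" -gt 1 ] || echo "$chain: no intermediates, some clients may not trust it" >&2
        i=1
        while [ "$i" -lt "$n" ]; do
            j=$((i + 1))
            if [ "$(openssl x509 -in "$tmp/cert$i.pem" -noout -issuer_hash)" != \
                 "$(openssl x509 -in "$tmp/cert$j.pem" -noout -subject_hash)" ]; then
                echo "$chain: certificate #$i is not issued by certificate #$j" >&2
                status=1
                break
            fi
            i=$j
        done
    fi
    rm -rf "$tmp"
    return "$status"
}

# Demo: the correct order, then the two mistakes described in the text.
work=$(mktemp -d)
make_test_chain "$work"
cat "$work/www.example.com.crt" "$work/bundle.crt" > "$work/www.example.com.chained.crt"
check_chain_file "$work/www.example.com.chained.crt" "$work/www.example.com.key" \
    && echo "chained.crt: OK, usable as ssl_certificate"
cat "$work/bundle.crt" "$work/www.example.com.crt" > "$work/wrong-order.crt"
check_chain_file "$work/wrong-order.crt" "$work/www.example.com.key" \
    || echo "wrong-order.crt: rejected, nginx would fail to start on it"
cat "$work/www.example.com.crt" "$work/root.crt" > "$work/no-intermediate.crt"
check_chain_file "$work/no-intermediate.crt" "$work/www.example.com.key" \
    || echo "no-intermediate.crt: rejected, the chain does not link up"
ls -l "$work/www.example.com.key" "$work/www.example.com.chained.crt"
```

The key-match test compares the public key embedded in the first certificate
with the public key derived from the private key, which is what
<literal>X509_check_private_key</literal> does when nginx loads the pair; the
link test compares each certificate’s issuer name hash with the next
certificate’s subject name hash, so a missing intermediate is caught as well as
a wrong order. Running the check before <command>nginx -s reload</command>
turns a failed restart into a failed pre-check.
</para>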

<para>
Browsers usually store intermediate certificates which they receive
and which are signed by trusted authorities, so actively used browsers
may already have the required intermediate certificates and
may not complain about a certificate sent without a chained bundle.
Other clients, such as command-line tools and libraries, generally do not
keep such certificates, so a missing intermediate certificate may break
only some of the clients.
To ensure the server sends the complete certificate chain,
the <command>openssl</command> command-line utility may be used, for example:

<programlisting>
$ openssl s_client -connect www.godaddy.com:443
...
Certificate chain
 0 s:/C=US/ST=Arizona/L=Scottsdale/1.3.6.1.4.1.311.60.2.1.3=US
     /1.3.6.1.4.1.311.60.2.1.2=AZ/O=GoDaddy.com, Inc
     /OU=MIS Department/<b>CN=www.GoDaddy.com</b>
     /serialNumber=0796928-7/2.5.4.15=V1.0, Clause 5.(b)
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc.
     /OU=http://certificates.godaddy.com/repository
     /CN=Go Daddy Secure Certification Authority
     /serialNumber=07969287
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc.
     /OU=http://certificates.godaddy.com/repository
     /CN=Go Daddy Secure Certification Authority
     /serialNumber=07969287
   i:/C=US/O=The Go Daddy Group, Inc.
     /OU=Go Daddy Class 2 Certification Authority
 2 s:/C=US/O=The Go Daddy Group, Inc.
     /OU=Go Daddy Class 2 Certification Authority
   i:/L=ValiCert Validation Network/O=<b>ValiCert, Inc.</b>
     /OU=ValiCert Class 2 Policy Validation Authority
     /CN=http://www.valicert.com//emailAddress=info@valicert.com
...
</programlisting>

<note>
When testing configurations with <link id="sni">SNI</link>,
it is important to specify the <literal>-servername</literal> option:
<command>openssl</command> versions before 1.1.1 do not send SNI by default,
and later versions send only the host name given with
<literal>-connect</literal>, which is not the name under test when
connecting to an IP address or to a different host.
</note>

In this example the subject (“<i>s</i>”) of the
<literal>www.GoDaddy.com</literal> server certificate #0 is signed by an issuer
(“<i>i</i>”) which itself is the subject of the certificate #1,
which is signed by an issuer which itself is the subject of the certificate #2,
which is signed by the well-known issuer <i>ValiCert, Inc.</i>
whose certificate is stored in the browsers’ built-in
certificate store (that lay in the house that Jack built).
</para>
215 |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
216 <para> |
659
77a3314c74a7
Avoid the uses of second person.
Ruslan Ermilov <ru@nginx.com>
parents:
658
diff
changeset
|
217 If a certificate bundle has not been added, only the server certificate #0 |
77a3314c74a7
Avoid the uses of second person.
Ruslan Ermilov <ru@nginx.com>
parents:
658
diff
changeset
|
218 will be shown. |
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
219 </para> |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
220 |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
221 </section> |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
222 |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
223 |
121
49443032011c
Unified <section> syntax for "article" and "module" documents.
Ruslan Ermilov <ru@nginx.com>
parents:
98
diff
changeset
|
224 <section id="single_http_https_server" name="A single HTTP/HTTPS server"> |
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
225 |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
226 <para> |
801
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
227 It is possible to configure a single server that handles both HTTP |
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
228 and HTTPS requests: |
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
229 |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
230 <programlisting> |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
231 server { |
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
232 listen 80; |
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
233 listen 443 ssl; |
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
234 server_name www.example.com; |
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
235 ssl_certificate www.example.com.crt; |
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
236 ssl_certificate_key www.example.com.key; |
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
237 ... |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
238 } |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
239 </programlisting> |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
240 |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
241 <note> |
801
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
242 Prior to 0.7.14 SSL could not be enabled selectively for |
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
243 individual listening sockets, as shown above. |
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
244 SSL could only be enabled for the entire server using the |
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
245 <link doc="ngx_http_ssl_module.xml" id="ssl"/> directive, |
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
246 making it impossible to set up a single HTTP/HTTPS server. |
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
247 The <literal>ssl</literal> parameter of the |
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
248 <link doc="ngx_http_core_module.xml" id="listen"/> directive |
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
249 was added to solve this issue. |
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
250 The use of the |
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
251 <link doc="ngx_http_ssl_module.xml" id="ssl"/> directive |
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
252 in modern versions is thus discouraged. |
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
253 </note> |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
254 </para> |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
255 |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
256 </section> |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
257 |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
258 |
121
49443032011c
Unified <section> syntax for "article" and "module" documents.
Ruslan Ermilov <ru@nginx.com>
parents:
98
diff
changeset
|
259 <section id="name_based_https_servers" name="Name-based HTTPS servers"> |
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
260 |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
261 <para> |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
262 A common issue arises when configuring two or more HTTPS servers |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
263 listening on a single IP address: |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
264 |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
265 <programlisting> |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
266 server { |
801
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
267 listen 443 ssl; |
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
268 server_name www.example.com; |
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
269 ssl_certificate www.example.com.crt; |
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
270 ... |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
271 } |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
272 |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
273 server { |
801
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
274 listen 443 ssl; |
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
275 server_name www.example.org; |
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
276 ssl_certificate www.example.org.crt; |
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
277 ... |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
278 } |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
279 </programlisting> |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
280 |
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
281 With this configuration a browser receives the default server’s certificate, |
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
282 i.e. <literal>www.example.com</literal> regardless of the requested server name. |
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
283 This is caused by SSL protocol behaviour. |
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
284 The SSL connection is established before the browser sends an HTTP request |
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
285 and nginx does not know the name of the requested server. |
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
286 Therefore, it may only offer the default server’s certificate. |
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
287 </para> |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
288 |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
289 <para> |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
290 The oldest and most robust method to resolve the issue |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
291 is to assign a separate IP address for every HTTPS server: |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
292 |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
293 <programlisting> |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
294 server { |
801
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
295 listen 192.168.1.1:443 ssl; |
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
296 server_name www.example.com; |
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
297 ssl_certificate www.example.com.crt; |
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
298 ... |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
299 } |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
300 |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
301 server { |
801
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
302 listen 192.168.1.2:443 ssl; |
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
303 server_name www.example.org; |
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
304 ssl_certificate www.example.org.crt; |
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
305 ... |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
306 } |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
307 </programlisting> |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
308 </para> |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
309 |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
310 |
121
49443032011c
Unified <section> syntax for "article" and "module" documents.
Ruslan Ermilov <ru@nginx.com>
parents:
98
diff
changeset
|
311 <section id="certificate_with_several_names" |
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
312 name="An SSL certificate with several names"> |
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
313 |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
314 <para> |
1144
ac131944d349
Changed infinitive to gerund after "allow".
Yaroslav Zhuravlev <yar@nginx.com>
parents:
817
diff
changeset
|
315 There are other ways that allow sharing a single IP address |
782
2ceaef0e84a1
Added a phrase about wildcard certificates into the English version of
Ruslan Ermilov <ru@nginx.com>
parents:
661
diff
changeset
|
316 between several HTTPS servers. |
2ceaef0e84a1
Added a phrase about wildcard certificates into the English version of
Ruslan Ermilov <ru@nginx.com>
parents:
661
diff
changeset
|
317 However, all of them have their drawbacks. |
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
318 One way is to use a certificate with several names in |
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
319 the SubjectAltName certificate field, for example, |
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
320 <literal>www.example.com</literal> and <literal>www.example.org</literal>. |
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
321 However, the SubjectAltName field length is limited. |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
322 </para> |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
323 |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
324 <para> |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
325 Another way is to use a certificate with a wildcard name, for example, |
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
326 <literal>*.example.org</literal>. |
782
2ceaef0e84a1
Added a phrase about wildcard certificates into the English version of
Ruslan Ermilov <ru@nginx.com>
parents:
661
diff
changeset
|
327 A wildcard certificate secures all subdomains of the specified domain, |
2ceaef0e84a1
Added a phrase about wildcard certificates into the English version of
Ruslan Ermilov <ru@nginx.com>
parents:
661
diff
changeset
|
328 but only on one level. |
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
329 This certificate matches <literal>www.example.org</literal>, but does not match |
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
330 <literal>example.org</literal> and <literal>www.sub.example.org</literal>. |
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
331 These two methods can also be combined. |
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
332 A certificate may contain exact and wildcard names in the |
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
333 SubjectAltName field, for example, |
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
334 <literal>example.org</literal> and <literal>*.example.org</literal>. |
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
335 </para> |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
336 |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
337 <para> |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
338 It is better to place a certificate file with several names and |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
339 its private key file at the <i>http</i> level of configuration |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
340 to inherit their single memory copy in all servers: |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
341 |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
342 <programlisting> |
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
343 ssl_certificate common.crt; |
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
344 ssl_certificate_key common.key; |
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
345 |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
346 server { |
801
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
347 listen 443 ssl; |
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
348 server_name www.example.com; |
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
349 ... |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
350 } |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
351 |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
352 server { |
801
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
353 listen 443 ssl; |
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
354 server_name www.example.org; |
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
355 ... |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
356 } |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
357 </programlisting> |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
358 </para> |
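A shared certificate only helps if its SubjectAltName entries actually cover every server_name that inherits it. The following added example (not part of the nginx documentation or code base) applies the one-level wildcard rule stated above to the server blocks of the configuration just shown; the SubjectAltName list for common.crt is constructed here for illustration.

```python
"""Check that a certificate's SubjectAltName names cover each server_name
that would present it. The matching rule is the one described in the text:
an exact name matches itself only, and '*.example.org' covers exactly one
label, so it matches www.example.org but neither example.org nor
www.sub.example.org. Only leading-label wildcards are handled here."""


def name_matches(pattern, hostname):
    """True if one SubjectAltName dNSName entry covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname            # exact name: identity only
    suffix = pattern[1:]                      # '*.example.org' -> '.example.org'
    if not hostname.endswith(suffix):
        return False
    covered = hostname[:-len(suffix)]         # the part the '*' must stand for
    # Empty means the bare domain (example.org): not covered.
    # A dot means more than one label (www.sub.example.org): not covered.
    return covered != "" and "." not in covered


def certificate_covers(san_names, hostname):
    """True if any SubjectAltName entry of the certificate matches hostname."""
    return any(name_matches(p, hostname) for p in san_names)


def audit_servers(servers, certificates):
    """servers: (server_name, ssl_certificate file) for each server block.
    certificates: file -> list of SubjectAltName dNSName entries.
    Returns server_name -> (certificate file, covered?) so that a server
    which would present a certificate not valid for its own name stands out."""
    return {name: (cert, certificate_covers(certificates[cert], name))
            for name, cert in servers}


# Constructed sample data: one http-level common.crt whose SubjectAltName
# combines an exact name and a wildcard, as the text suggests, plus the
# server blocks from the example above and two extra names to probe the
# wildcard's limits.
CERTIFICATES = {
    "common.crt": ["example.org", "*.example.org", "www.example.com"],
}
SERVERS = [
    ("www.example.com", "common.crt"),
    ("www.example.org", "common.crt"),
    ("example.org", "common.crt"),
    ("www.sub.example.org", "common.crt"),   # second level: not covered
]

if __name__ == "__main__":
    for name, (cert, ok) in audit_servers(SERVERS, CERTIFICATES).items():
        print(f"{name:22} {cert:12} {'ok' if ok else 'NOT COVERED'}")
```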

</section>


<section id="sni" name="Server Name Indication">

<para>
A more generic solution for running several HTTPS servers on a single
IP address is the
<link url="http://en.wikipedia.org/wiki/Server_Name_Indication">TLS
Server Name Indication extension</link> (SNI, RFC 6066),
which allows a browser to pass the requested server name during the SSL handshake,
so that the server knows which certificate it should use
for the connection.
SNI is currently
<link url="http://en.wikipedia.org/wiki/Server_Name_Indication#Support">supported</link>
by most modern browsers, though it may not be used by some old or special clients.
<note>
Only domain names can be passed in SNI;
however, some browsers may erroneously pass the IP address of the server
as its name if a request includes a literal IP address.
One should not rely on this.
</note>
</para>
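The server has to pick a certificate from the ClientHello alone, before any HTTP request arrives. This added example (not nginx code) uses Python's ssl module to produce the real ClientHello a client would send, without any network, reads the server_name extension out of it, and then chooses a certificate the way the text describes: a matching SNI name selects that server's certificate, while no SNI or an unknown name leaves only the default server's certificate. Passing server_hostname=None is the Python counterpart of running openssl s_client without -servername; the server names and certificate files are the ones from the configuration examples above.

```python
import ssl
import struct


def capture_client_hello(server_hostname):
    """Drive the first client flight of a TLS handshake into memory BIOs
    and return the raw ClientHello record that would go on the wire.
    server_hostname=None sends no SNI; Python also omits SNI when the
    name is a literal IP address, as RFC 6066 requires."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # required when server_hostname is None
    ctx.verify_mode = ssl.CERT_NONE   # no certificate will ever arrive here
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_side=False,
                       server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the ClientHello is written, client awaits ServerHello
    return outgoing.read()


def extract_sni(record):
    """Return the host_name carried in the server_name extension (RFC 6066)
    of a ClientHello record, or None if the client sent no SNI."""
    if len(record) < 5 or record[0] != 22:          # 22 = handshake record
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if not body or body[0] != 1:                    # 1 = ClientHello
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                                # hs header, version, random
    pos += 1 + body[pos]                            # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                            # compression_methods
    if pos + 2 > len(body):
        return None                                 # no extensions block
    (ext_total,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != 0:                           # 0 = server_name
            continue
        # ServerNameList: 2-byte list length, then entries of
        # name_type (1 byte; 0 = host_name), 2-byte length, the name itself
        p = 2
        while p + 3 <= len(data):
            name_type = data[p]
            (name_len,) = struct.unpack("!H", data[p + 1:p + 3])
            if name_type == 0:
                return data[p + 3:p + 3 + name_len].decode("ascii")
            p += 3 + name_len
    return None


# Server blocks from the example above; the first one is the default server.
SERVERS = [
    ("www.example.com", "www.example.com.crt"),
    ("www.example.org", "www.example.org.crt"),
]


def select_certificate(client_hello, servers=SERVERS):
    """The decision a name-based HTTPS server must make from the ClientHello
    alone: with a known SNI name, that server's certificate; otherwise only
    the default server's certificate can be offered."""
    sni = extract_sni(client_hello)
    if sni is not None:
        for name, cert in servers:
            if name == sni.lower():
                return cert
    return servers[0][1]


if __name__ == "__main__":
    for hostname in ("www.example.org", "192.168.1.1", None):
        hello = capture_client_hello(hostname)
        print(f"{hostname!s:16} SNI={extract_sni(hello)!s:16} "
              f"-> {select_certificate(hello)}")
```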
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
383 |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
384 <para> |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
385 In order to use SNI in nginx, it must be supported in both the |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
386 OpenSSL library with which the nginx binary has been built as well as |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
387 the library to which it is being dynamically linked at run time. |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
388 OpenSSL supports SNI since 0.9.8f version if it was built with config option |
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
389 <nobr>“--enable-tlsext”.</nobr> |
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
390 Since OpenSSL 0.9.8j this option is enabled by default. |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
391 If nginx was built with SNI support, then nginx will show this |
660
ba45bd0fc71e
configuring_https_servers: markup changes (mostly).
Ruslan Ermilov <ru@nginx.com>
parents:
659
diff
changeset
|
392 when run with the “-V” switch: |
0
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
393 |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
394 <programlisting> |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
395 $ nginx -V |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
396 ... |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
397 TLS SNI support enabled |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
398 ... |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
399 </programlisting> |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
400 |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
401 However, if the SNI-enabled nginx is linked dynamically to |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
402 an OpenSSL library without SNI support, nginx displays the warning: |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
403 |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
404 <programlisting> |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
405 nginx was built with SNI support, however, now it is linked |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
406 dynamically to an OpenSSL library which has no tlsext support, |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
407 therefore SNI is not available |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
408 </programlisting> |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
409 </para> |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
410 |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
411 </section> |
61e04fc01027
Initial import of the nginx.org website.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
412 |
801
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
413 </section> |
b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
Ruslan Ermilov <ru@nginx.com>
parents:
782
diff
changeset
|
414 |

<section id="compatibility" name="Compatibility">

<para>
<list type="bullet">

<listitem>
The SNI support status has been shown by the “-V” switch
since 0.8.21 and 0.7.62.
</listitem>

<listitem>
The <literal>ssl</literal> parameter of the
<link doc="ngx_http_core_module.xml" id="listen"/>
directive has been supported since 0.7.14.
Prior to 0.8.21 it could only be specified along with the
<literal>default</literal> parameter.
</listitem>

<listitem>
SNI has been supported since 0.5.23.
</listitem>

<listitem>
The shared SSL session cache has been supported since 0.5.6.
</listitem>

</list>
</para>

<para>
<list type="bullet">

<listitem>
Version 1.9.1 and later: the default SSL protocols are TLSv1,
TLSv1.1, and TLSv1.2 (if supported by the OpenSSL library).
</listitem>

<listitem>
Version 0.7.65, 0.8.19 and later: the default SSL protocols are SSLv3, TLSv1,
TLSv1.1, and TLSv1.2 (if supported by the OpenSSL library).
</listitem>

<listitem>
Version 0.7.64, 0.8.18 and earlier: the default SSL protocols are SSLv2,
SSLv3, and TLSv1.
</listitem>

</list>
</para>

<para>
<list type="bullet">

<listitem>
Version 1.0.5 and later: the default SSL ciphers are
“<literal>HIGH:!aNULL:!MD5</literal>”.
</listitem>

<listitem>
Version 0.7.65, 0.8.20 and later: the default SSL ciphers are
“<literal>HIGH:!ADH:!MD5</literal>”.
</listitem>

<listitem>
Version 0.8.19: the default SSL ciphers are
“<literal>ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM</literal>”.
</listitem>

<listitem>
Version 0.7.64, 0.8.18 and earlier: the default SSL ciphers are<br/>
“<literal>ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP</literal>”.
</listitem>

</list>
</para>
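<para>
The cipher strings above are OpenSSL cipher-list syntax: nginx passes them
to the linked OpenSSL library, which resolves them at startup, so the suites
an nginx binary actually offers depend on that library, not on the nginx
version alone. The following script is an added example (not part of the
nginx documentation) that expands each historical default with Python's
<literal>ssl</literal> module against the host OpenSSL and flags suites with
anonymous key exchange, an MD5 MAC, or fewer than 128 bits, which are the
properties “<literal>!aNULL</literal>” and “<literal>!MD5</literal>” are
meant to exclude. It also notes static-RSA suites, which none of these
strings rule out. The function names
<literal>expand</literal>, <literal>audit</literal>,
<literal>weak</literal> and <literal>is_valid</literal> are this example's
own.
</para>

```python
"""Expand OpenSSL cipher strings and flag weak suites (added example)."""
import ssl

# Cipher strings quoted in the compatibility notes (nginx defaults by
# version).  Which suites each one selects depends on the OpenSSL build the
# script is linked against, exactly as it does for an nginx binary.
NGINX_DEFAULT_CIPHERS = {
    "1.0.5 and later": "HIGH:!aNULL:!MD5",
    "0.7.65, 0.8.20 and later": "HIGH:!ADH:!MD5",
    "0.8.19": "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM",
}


def expand(cipher_string):
    """Return the TLSv1.2-and-earlier suites OpenSSL selects for cipher_string.

    Equivalent to `openssl ciphers -v '<cipher_string>'`.  TLSv1.3 suites are
    governed by a separate list, so they are filtered out.  Raises
    ssl.SSLError when nothing matches, which is the same library failure
    that makes nginx reject an ssl_ciphers value at startup.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def is_valid(cipher_string):
    """True if OpenSSL selects at least one suite for cipher_string."""
    try:
        expand(cipher_string)
        return True
    except ssl.SSLError:
        return False


def audit(cipher_string):
    """Return (suite, severity, reason) for each suite worth attention.

    "weak": no server authentication (aNULL), MD5 MAC, or under 128 bits.
    "note": static RSA key exchange, i.e. no forward secrecy; none of the
    historical default strings excludes these.
    """
    findings = []
    for c in expand(cipher_string):
        if c["auth"] == "auth-null":
            findings.append((c["name"], "weak", "anonymous key exchange (aNULL)"))
        if c["digest"] == "md5":
            findings.append((c["name"], "weak", "MD5 MAC"))
        if c["strength_bits"] < 128:
            findings.append((c["name"], "weak", "%d-bit cipher" % c["strength_bits"]))
        if c["kea"] == "kx-rsa":
            findings.append((c["name"], "note", "static RSA key exchange, no forward secrecy"))
    return findings


def weak(cipher_string):
    """Sorted, de-duplicated names of the suites audit() rates as weak."""
    return sorted({name for name, sev, _ in audit(cipher_string) if sev == "weak"})


if __name__ == "__main__":
    print("OpenSSL in use:", ssl.OPENSSL_VERSION)
    for version, spec in NGINX_DEFAULT_CIPHERS.items():
        if not is_valid(spec):
            print("%-26s %-34s rejected by this OpenSSL" % (version, spec))
            continue
        print("%-26s %-34s %d suites, weak: %s"
              % (version, spec, len(expand(spec)), weak(spec) or "none"))
        for name, sev, reason in audit(spec):
            if sev == "note":
                print("    note  %s: %s" % (name, reason))
```

<para>
The same expansion from a shell is
“<literal>openssl ciphers -v 'HIGH:!aNULL:!MD5'</literal>”; run it with the
OpenSSL that “<literal>nginx -V</literal>” reports, since that is the library
whose interpretation counts.
</para>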


</section>


</article>