Mercurial > hg > nginx-site
annotate xml/ru/docs/http/configuring_https_servers.xml @ 617:368a449e85b8
Expanded documentation of what various parameters of the "listen"
directive related to socket options do. While here, documented
the fact that accept filters also work on NetBSD.
| author | Ruslan Ermilov <ru@nginx.com> |
|---|---|
| date | Thu, 02 Aug 2012 13:24:07 +0000 |
| parents | 130fad6dc1b4 |
| children | bd81a71006fe |
| rev | line source |
|---|---|
|
580
be54c443235a
Added copyright markers to documentation sources.
Ruslan Ermilov <ru@nginx.com>
parents:
547
diff
changeset
|
1 <!-- |
|
be54c443235a
Added copyright markers to documentation sources.
Ruslan Ermilov <ru@nginx.com>
parents:
547
diff
changeset
|
2 Copyright (C) Igor Sysoev |
|
be54c443235a
Added copyright markers to documentation sources.
Ruslan Ermilov <ru@nginx.com>
parents:
547
diff
changeset
|
3 Copyright (C) Nginx, Inc. |
|
be54c443235a
Added copyright markers to documentation sources.
Ruslan Ermilov <ru@nginx.com>
parents:
547
diff
changeset
|
4 --> |
|
be54c443235a
Added copyright markers to documentation sources.
Ruslan Ermilov <ru@nginx.com>
parents:
547
diff
changeset
|
5 |
|
547
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
6 <!DOCTYPE article SYSTEM "../../../../dtd/article.dtd"> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
7 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
8 <article name="Настройка HTTPS-серверов" |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
9 link="/ru/docs/http/configuring_https_servers.html" |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
10 lang="ru" |
| 589 | 11 rev="1" |
|
547
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
12 author="Игорь Сысоев" |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
13 editor="Brian Mercer"> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
14 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
15 <section> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
16 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
17 <para> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
18 Чтобы настроить HTTPS-сервер, необходимо включить протокол SSL |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
19 в блоке server, а также указать местоположение файлов с |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
20 сертификатом сервера и секретным ключом: |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
21 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
22 <programlisting> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
23 server { |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
24 listen 443; |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
25 server_name www.example.com; |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
26 ssl on; |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
27 ssl_certificate www.example.com.crt; |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
28 ssl_certificate_key www.example.com.key; |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
29 ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
30 ssl_ciphers HIGH:!aNULL:!MD5; |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
31 ... |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
32 } |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
33 </programlisting> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
34 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
35 Сертификат сервера является публичным. |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
36 Он посылается каждому клиенту, соединяющемуся с сервером. |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
37 Секретный ключ следует хранить в файле с ограниченным доступом |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
38 (права доступа должны позволять основному процессу nginx читать этот файл). |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
39 Секретный ключ можно также хранить в одном файле с сертификатом: |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
40 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
41 <programlisting> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
42 ssl_certificate www.example.com.cert; |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
43 ssl_certificate_key www.example.com.cert; |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
44 </programlisting> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
45 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
46 при этом права доступа к файлу следует также ограничить. |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
47 Несмотря на то, что и сертификат, и ключ хранятся в одном файле, |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
48 клиенту посылается только сертификат. |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
49 </para> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
50 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
51 <para> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
52 С помощью директив <link doc="ngx_http_ssl_module.xml" id="ssl_protocols"/> и |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
53 <link doc="ngx_http_ssl_module.xml" id="ssl_ciphers"/> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
54 можно ограничить соединения |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
55 использованием только “сильных” версий и шифров SSL/TLS. |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
56 Начиная с версии 1.0.5 nginx по умолчанию использует |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
57 “<literal>ssl_protocols SSLv3 TLSv1</literal>” и |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
58 “<literal>ssl_ciphers HIGH:!aNULL:!MD5</literal>”, |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
59 поэтому явная их настройка имеет смысл только для более ранних версий nginx. |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
60 Начиная с версий 1.1.13 и 1.0.12 nginx по умолчанию использует |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
61 “<literal>ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2</literal>”. |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
62 </para> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
63 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
64 <para> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
65 Известно, что шифры с CBC-режимом уязвимы к ряду атак, в частности |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
66 к BEAST-атаке (см. |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
67 <link url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389">CVE-2011-3389</link>). |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
68 Настройка шифров может быть изменена так, чтобы предпочитался RC4-SHA: |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
69 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
70 <programlisting> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
71 ssl_ciphers RC4:HIGH:!aNULL:!MD5; |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
72 ssl_prefer_server_ciphers on; |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
73 </programlisting> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
74 </para> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
75 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
76 </section> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
77 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
78 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
79 <section id="optimization" name="Оптимизация HTTPS-сервера"> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
80 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
81 <para> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
82 SSL-операции потребляют дополнительные ресурсы процессора. |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
83 На мультипроцессорных системах следует запускать несколько рабочих процессов, |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
84 не меньше числа доступных процессорных ядер. |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
85 Наиболее ресурсоёмкой для процессора является операция SSL handshake, в рамках |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
86 которой формируются криптографические параметры сессии. |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
87 Существует два способа уменьшения числа этих операций, производимых для каждого |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
88 клиента: включение постоянных (keepalive) соединений, позволяющих в рамках |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
89 одного соединения обрабатывать сразу несколько запросов, и повторное |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
90 использование параметров SSL-сессии для предотвращения необходимости выполнения |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
91 SSL handshake для параллельных и последующих соединений. |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
92 Сессии хранятся в кэше SSL-сессий, разделяемом между рабочими процессами и |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
93 настраиваемом директивой |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
94 <link doc="ngx_http_ssl_module.xml" id="ssl_session_cache"/>. |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
95 В 1 мегабайт кэша помещается около 4000 сессий. |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
96 Таймаут кэша по умолчанию равен 5 минутам. |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
97 Он может быть увеличен с помощью директивы |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
98 <link doc="ngx_http_ssl_module.xml" id="ssl_session_timeout"/>. |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
99 Вот пример конфигурации, оптимизированной под 4-ядерную систему |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
100 с 10M разделяемого кэша сессий: |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
101 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
102 <programlisting> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
103 <b>worker_processes 4</b>; |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
104 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
105 http { |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
106 <b>ssl_session_cache shared:SSL:10m</b>; |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
107 <b>ssl_session_timeout 10m</b>; |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
108 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
109 server { |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
110 listen 443; |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
111 server_name www.example.com; |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
112 <b>keepalive_timeout 70</b>; |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
113 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
114 ssl on; |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
115 ssl_certificate www.example.com.crt; |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
116 ssl_certificate_key www.example.com.key; |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
117 ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
118 ssl_ciphers HIGH:!aNULL:!MD5; |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
119 ... |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
120 </programlisting> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
121 </para> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
122 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
123 </section> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
124 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
125 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
126 <section id="chains" name="Цепочки SSL-сертификатов"> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
127 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
128 <para> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
129 Некоторые браузеры могут выдавать предупреждение о сертификате, подписанном |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
130 общеизвестным центром сертификации, в то время как другие браузеры без |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
131 проблем принимают этот же сертификат. |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
132 Так происходит потому, что центр, выдавший сертификат, подписал его |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
133 промежуточным сертификатом, которого нет в базе данных сертификатов |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
134 общеизвестных доверенных центров сертификации, распространяемой |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
135 вместе с браузером. |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
136 В подобном случае центр сертификации предоставляет “связку” сертификатов, |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
137 которую следует присоединить к сертификату сервера. |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
138 Сертификат сервера следует разместить перед связкой сертификатов |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
139 в скомбинированном файле: |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
140 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
141 <programlisting> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
142 $ cat www.example.com.crt bundle.crt > www.example.com.chained.crt |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
143 </programlisting> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
144 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
145 Полученный файл следует указать в директиве |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
146 <link doc="ngx_http_ssl_module.xml" id="ssl_certificate"/>: |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
147 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
148 <programlisting> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
149 server { |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
150 listen 443; |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
151 server_name www.example.com; |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
152 ssl on; |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
153 ssl_certificate www.example.com.chained.crt; |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
154 ssl_certificate_key www.example.com.key; |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
155 ... |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
156 } |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
157 </programlisting> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
158 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
159 Если сертификат сервера и связка сертификатов были соединены в неправильном |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
160 порядке, nginx откажется запускаться и выдаст сообщение об ошибке: |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
161 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
162 <programlisting> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
163 SSL_CTX_use_PrivateKey_file(" ... /www.example.com.key") failed |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
164 (SSL: error:0B080074:x509 certificate routines: |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
165 X509_check_private_key:key values mismatch) |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
166 </programlisting> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
167 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
168 поскольку nginx попытается использовать секретный ключ с первым |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
169 сертификатом из связки вместо сертификата сервера. |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
170 </para> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
171 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
172 <para> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
173 Браузеры обычно сохраняют полученные промежуточные сертификаты, подписанные |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
174 доверенными центрами сертификации, поэтому активно используемые браузеры |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
175 уже могут иметь требуемые промежуточные сертификаты и не выдать предупреждение |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
176 о сертификате, присланном без связанной с ним цепочки сертификатов. |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
177 Убедиться в том, что сервер присылает полную цепочку сертификатов, |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
178 можно при помощи утилиты командной строки <command>openssl</command>, например: |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
179 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
180 <programlisting> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
181 $ openssl s_client -connect www.godaddy.com:443 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
182 ... |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
183 Certificate chain |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
184 0 s:/C=US/ST=Arizona/L=Scottsdale/1.3.6.1.4.1.311.60.2.1.3=US |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
185 /1.3.6.1.4.1.311.60.2.1.2=AZ/O=GoDaddy.com, Inc |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
186 /OU=MIS Department/<b>CN=www.GoDaddy.com</b> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
187 /serialNumber=0796928-7/2.5.4.15=V1.0, Clause 5.(b) |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
188 i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc. |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
189 /OU=http://certificates.godaddy.com/repository |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
190 /CN=Go Daddy Secure Certification Authority |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
191 /serialNumber=07969287 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
192 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc. |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
193 /OU=http://certificates.godaddy.com/repository |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
194 /CN=Go Daddy Secure Certification Authority |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
195 /serialNumber=07969287 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
196 i:/C=US/O=The Go Daddy Group, Inc. |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
197 /OU=Go Daddy Class 2 Certification Authority |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
198 2 s:/C=US/O=The Go Daddy Group, Inc. |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
199 /OU=Go Daddy Class 2 Certification Authority |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
200 i:/L=ValiCert Validation Network/O=<b>ValiCert, Inc.</b> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
201 /OU=ValiCert Class 2 Policy Validation Authority |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
202 /CN=http://www.valicert.com//emailAddress=info@valicert.com |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
203 ... |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
204 </programlisting> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
205 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
206 В этом примере субъект (“<i>s</i>”) сертификата №0 сервера |
|
593
130fad6dc1b4
Replaced the uses of "url" element with "literal".
Ruslan Ermilov <ru@nginx.com>
parents:
589
diff
changeset
|
207 <literal>www.GoDaddy.com</literal> подписан издателем (“<i>i</i>”), |
|
547
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
208 который в свою очередь является субъектом сертификата №1, подписанного |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
209 издателем, который в свою очередь является субъектом сертификата №2, |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
210 подписанного общеизвестным издателем <i>ValiCert, Inc.</i>, |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
211 чей сертификат хранится во встроенной в браузеры базе данных |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
212 сертификатов (которая в тёмном чулане хранится в доме, который построил Джек). |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
213 </para> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
214 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
215 <para> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
216 Если связку сертификатов не добавили, будет показан только сертификат |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
217 сервера №0. |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
218 </para> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
219 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
220 </section> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
221 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
222 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
223 <section id="single_http_https_server" name="Единый HTTP/HTTPS сервер"> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
224 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
225 <para> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
226 На практике рекомендуется с самого начала настраивать отдельные серверы |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
227 для протоколов HTTP и HTTPS. |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
228 И хотя сегодня их функциональность может казаться идентичной, в будущем |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
229 это может измениться и использование консолидированного сервера может |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
230 стать проблематичным. |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
231 Однако, если серверы HTTP и HTTPS идентичны, и думать о будущем не |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
232 хочется, можно настроить единый сервер, который обслуживает |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
233 как HTTP-, так и HTTPS-запросы. |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
234 Для этого следует исключить директиву “<literal>ssl on</literal>” |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
235 и добавить параметр <literal>ssl</literal> к порту *:443: |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
236 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
237 <programlisting> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
238 server { |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
239 listen 80; |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
240 listen 443 ssl; |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
241 server_name www.example.com; |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
242 ssl_certificate www.example.com.crt; |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
243 ssl_certificate_key www.example.com.key; |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
244 ... |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
245 } |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
246 </programlisting> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
247 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
248 <note> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
249 До версии 0.8.21 nginx допускал указание параметра <literal>ssl</literal> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
250 на слушающем сокете только совместно с параметром <literal>default</literal>: |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
251 <programlisting> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
252 listen 443 default ssl; |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
253 </programlisting> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
254 </note> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
255 </para> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
256 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
257 </section> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
258 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
259 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
260 <section id="name_based_https_servers" name="Выбор HTTPS-сервера по имени"> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
261 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
262 <para> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
263 Типичная проблема возникает при настройке двух и более серверов HTTPS, |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
264 слушающих на одном и том же IP-адресе: |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
265 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
266 <programlisting> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
267 server { |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
268 listen 443; |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
269 server_name www.example.com; |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
270 ssl on; |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
271 ssl_certificate www.example.com.crt; |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
272 ... |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
273 } |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
274 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
275 server { |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
276 listen 443; |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
277 server_name www.example.org; |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
278 ssl on; |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
279 ssl_certificate www.example.org.crt; |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
280 ... |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
281 } |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
282 </programlisting> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
283 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
284 В такой конфигурации браузер получит сертификат первого сервера, т.е. |
|
593
130fad6dc1b4
Replaced the uses of "url" element with "literal".
Ruslan Ermilov <ru@nginx.com>
parents:
589
diff
changeset
|
285 <literal>www.example.com</literal>, независимо от запрашиваемого имени сервера. |
|
547
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
286 Это связано с поведением протокола SSL. |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
287 SSL-соединение устанавливается до того, как браузер посылает HTTP-запрос, |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
288 и nginx не знает имени запрашиваемого сервера. |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
289 Следовательно, он лишь может предложить сертификат сервера по умолчанию. |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
290 </para> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
291 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
292 <para> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
293 Наиболее старым и надёжным способом решения этой проблемы |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
294 является назначение каждому HTTPS-серверу своего IP-адреса: |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
295 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
296 <programlisting> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
297 server { |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
298 listen 192.168.1.1:443; |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
299 server_name www.example.com; |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
300 ssl on; |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
301 ssl_certificate www.example.com.crt; |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
302 ... |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
303 } |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
304 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
305 server { |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
306 listen 192.168.1.2:443; |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
307 server_name www.example.org; |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
308 ssl on; |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
309 ssl_certificate www.example.org.crt; |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
310 ... |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
311 } |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
312 </programlisting> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
313 </para> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
314 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
315 </section> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
316 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
317 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
318 <section id="certificate_with_several_names" |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
319 name="SSL-сертификат с несколькими именами"> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
320 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
321 <para> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
322 Существуют и другие способы, которые позволяют использовать один и тот же |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
323 IP-адрес сразу для нескольких HTTPS-серверов. |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
324 Все они, однако, имеют свои недостатки. |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
325 Одним из таких способов является использование сертификата с несколькими |
|
593
130fad6dc1b4
Replaced the uses of "url" element with "literal".
Ruslan Ermilov <ru@nginx.com>
parents:
589
diff
changeset
|
326 именами в поле SubjectAltName сертификата, например <literal>www.example.com</literal> |
|
130fad6dc1b4
Replaced the uses of "url" element with "literal".
Ruslan Ermilov <ru@nginx.com>
parents:
589
diff
changeset
|
327 и <literal>www.example.org</literal>. |
|
547
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
328 Однако, длина поля SubjectAltName ограничена. |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
329 </para> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
330 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
331 <para> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
332 Другим способом является использование wildcard-сертификата, например |
|
593
130fad6dc1b4
Replaced the uses of "url" element with "literal".
Ruslan Ermilov <ru@nginx.com>
parents:
589
diff
changeset
|
333 <literal>*.example.org</literal>. |
|
547
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
334 Такой сертификат защищает все поддомены указанного домена, но только |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
335 на заданном уровне. |
|
593
130fad6dc1b4
Replaced the uses of "url" element with "literal".
Ruslan Ermilov <ru@nginx.com>
parents:
589
diff
changeset
|
336 Под такой сертификат подходит <literal>www.example.org</literal>, но не подходят |
|
130fad6dc1b4
Replaced the uses of "url" element with "literal".
Ruslan Ermilov <ru@nginx.com>
parents:
589
diff
changeset
|
337 <literal>example.org</literal> и <literal>www.sub.example.org</literal>. |
|
547
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
338 Два вышеуказанных способа можно комбинировать. |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
339 Сертификат может одновременно содержать и точное, и wildcard имена в поле |
|
593
130fad6dc1b4
Replaced the uses of "url" element with "literal".
Ruslan Ermilov <ru@nginx.com>
parents:
589
diff
changeset
|
340 SubjectAltName, например <literal>example.org</literal> и <literal>*.example.org</literal>. |
|
547
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
341 </para> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
342 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
343 <para> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
344 Лучше поместить сведения о файле сертификата с несколькими именами и |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
345 файле с его секретным ключом на уровне конфигурации <i>http</i>, чтобы |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
346 все серверы унаследовали их единственную копию в памяти: |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
347 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
348 <programlisting> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
349 ssl_certificate common.crt; |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
350 ssl_certificate_key common.key; |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
351 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
352 server { |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
353 listen 443; |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
354 server_name www.example.com; |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
355 ssl on; |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
356 ... |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
357 } |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
358 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
359 server { |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
360 listen 443; |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
361 server_name www.example.org; |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
362 ssl on; |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
363 ... |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
364 } |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
365 </programlisting> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
366 </para> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
367 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
368 </section> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
369 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
370 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
371 <section id="sni" name="Указание имени сервера"> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
372 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
373 <para> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
374 Более общее решение для работы нескольких HTTPS-серверов на одном |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
375 IP-адресе — |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
376 <link url="http://en.wikipedia.org/wiki/Server_Name_Indication">расширение |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
377 TLSv1.1 Server Name Indication</link> (SNI, RFC3546), |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
378 которое позволяет браузеру передать запрашиваемое имя сервера во время |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
379 SSL handshake, а значит сервер будет знать, какой сертификат ему |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
380 следует использовать для соединения. |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
381 Однако, поддержка SNI браузерами ограничена. |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
382 Сейчас это поддерживается браузерами начиная со следующих версий: |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
383 </para> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
384 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
385 <list type="bullet"> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
386 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
387 <listitem> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
388 Opera 8.0; |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
389 </listitem> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
390 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
391 <listitem> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
392 MSIE 7.0 (но только на Windows Vista и выше); |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
393 </listitem> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
394 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
395 <listitem> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
396 Firefox 2.0 и другие браузеры, использующие Mozilla Platform rv:1.8.1; |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
397 </listitem> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
398 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
399 <listitem> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
400 Safari 3.2.1 (Windows-версия поддерживает SNI только на Vista и выше); |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
401 </listitem> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
402 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
403 <listitem> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
404 и Chrome (Windows-версия также поддерживает SNI только на Vista и выше). |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
405 </listitem> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
406 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
407 </list> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
408 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
409 <para> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
410 Чтобы использовать SNI в nginx, соответствующая поддержка должна |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
411 присутствовать как в библиотеке OpenSSL, использованной при сборке |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
412 бинарного файла nginx, так и в библиотеке, подгружаемой в момент |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
413 работы. |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
414 OpenSSL поддерживает SNI начиная с версии 0.9.8f, если она была |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
415 собрана с опцией конфигурации <nobr>“--enable-tlsext”.</nobr> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
416 Начиная с OpenSSL 0.9.8j эта опция включена по умолчанию. |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
417 Если nginx был собран с поддержкой SNI, то при запуске nginx с ключом |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
418 “-V” об этом сообщается: |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
419 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
420 <programlisting> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
421 $ nginx -V |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
422 ... |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
423 TLS SNI support enabled |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
424 ... |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
425 </programlisting> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
426 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
427 Однако, если nginx, собранный с поддержкой SNI, в процессе работы подгружает |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
428 библиотеку OpenSSL, в которой нет поддержки SNI, nginx выдаёт предупреждение: |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
429 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
430 <programlisting> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
431 nginx was built with SNI support, however, now it is linked |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
432 dynamically to an OpenSSL library which has no tlsext support, |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
433 therefore SNI is not available |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
434 </programlisting> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
435 </para> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
436 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
437 </section> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
438 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
439 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
440 <section id="compatibility" name="Совместимость"> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
441 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
442 <para> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
443 <list type="bullet"> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
444 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
445 <listitem> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
446 Статус поддержки SNI отображается по ключу “-V” |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
447 начиная с версий 0.8.21 и 0.7.62. |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
448 </listitem> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
449 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
450 <listitem> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
451 Параметр <literal>ssl</literal> директивы |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
452 <link doc="ngx_http_core_module.xml" id="listen"/> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
453 поддерживается начиная с версии 0.7.14. |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
454 </listitem> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
455 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
456 <listitem> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
457 SNI поддерживается начиная с версии 0.5.32. |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
458 </listitem> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
459 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
460 <listitem> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
461 Разделяемый кэш SSL-сессий поддерживается начиная с версии 0.5.6. |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
462 </listitem> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
463 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
464 </list> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
465 </para> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
466 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
467 <para> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
468 <list type="bullet"> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
469 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
470 <listitem> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
471 Версия 0.7.65, 0.8.19 и более поздние: протоколами SSL по умолчанию являются |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
472 SSLv3, TLSv1, TLSv1.1 и TLSv1.2 (если поддерживается библиотекой OpenSSL). |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
473 </listitem> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
474 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
475 <listitem> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
476 Версия 0.7.64, 0.8.18 и более ранние: протоколами SSL по умолчанию являются |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
477 SSLv2, SSLv3 и TLSv1. |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
478 </listitem> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
479 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
480 </list> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
481 </para> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
482 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
483 <para> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
484 <list type="bullet"> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
485 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
486 <listitem> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
487 Версия 1.0.5 и более поздние: шифрами SSL по умолчанию являются |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
488 “<literal>HIGH:!aNULL:!MD5</literal>”. |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
489 </listitem> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
490 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
491 <listitem> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
492 Версия 0.7.65, 0.8.20 и более поздние: шифрами SSL по умолчанию являются |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
493 “<literal>HIGH:!ADH:!MD5</literal>”. |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
494 </listitem> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
495 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
496 <listitem> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
497 Версия 0.8.19: шифрами SSL по умолчанию являются |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
498 “<literal>ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM</literal>”. |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
499 </listitem> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
500 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
501 <listitem> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
502 Версия 0.7.64, 0.8.18 и более ранние: шифрами SSL по умолчанию являются<br/> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
503 “<literal>ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP</literal>”. |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
504 </listitem> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
505 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
506 </list> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
507 </para> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
508 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
509 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
510 </section> |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
511 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
512 |
|
32dd85720515
Translated "configuring_https_servers" intro Russian.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
513 </article> |