comparison xml/en/docs/http/configuring_https_servers.xml @ 801:b95a6d779c89
Documented that "listen ... ssl" is preferred over "ssl on".
| field | value |
|---|---|
| author | Ruslan Ermilov <ru@nginx.com> |
| date | Thu, 27 Dec 2012 17:16:39 +0000 |
| parents | 2ceaef0e84a1 |
| children | 4fecf0715bbf |
800:015981070efd | 801:b95a6d779c89 |
---|---|
6 <!DOCTYPE article SYSTEM "../../../../dtd/article.dtd"> | 6 <!DOCTYPE article SYSTEM "../../../../dtd/article.dtd"> |
7 | 7 |
8 <article name="Configuring HTTPS servers" | 8 <article name="Configuring HTTPS servers" |
9 link="/en/docs/http/configuring_https_servers.html" | 9 link="/en/docs/http/configuring_https_servers.html" |
10 lang="en" | 10 lang="en" |
11 rev="4" | 11 rev="5" |
12 author="Igor Sysoev" | 12 author="Igor Sysoev" |
13 editor="Brian Mercer"> | 13 editor="Brian Mercer"> |
14 | 14 |
15 <section> | 15 <section> |
16 | 16 |
17 <para> | 17 <para> |
18 To configure an HTTPS server, the SSL protocol must be enabled | 18 To configure an HTTPS server, the <literal>ssl</literal> parameter |
19 in the server block, and the locations of the server certificate | 19 must be enabled on |
20 <link doc="ngx_http_core_module.xml" id="listen">listening sockets</link> | |
21 in the <link doc="ngx_http_core_module.xml" id="server"/> block, | |
22 and the locations of the server certificate | |
20 and private key files should be specified: | 23 and private key files should be specified: |
21 | 24 |
22 <programlisting> | 25 <programlisting> |
23 server { | 26 server { |
24 listen 443; | 27 listen 443 <b>ssl</b>; |
25 server_name www.example.com; | 28 server_name www.example.com; |
26 ssl <b>on</b>; | |
27 ssl_certificate <b>www.example.com.crt</b>; | 29 ssl_certificate <b>www.example.com.crt</b>; |
28 ssl_certificate_key <b>www.example.com.key</b>; | 30 ssl_certificate_key <b>www.example.com.key</b>; |
29 ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; | 31 ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; |
30 ssl_ciphers HIGH:!aNULL:!MD5; | 32 ssl_ciphers HIGH:!aNULL:!MD5; |
31 ... | 33 ... |
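Review bot: the headline example keeps `ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;` unchanged while the surrounding text is being rewritten to make this block the recommended form; that is out of scope for this change, but since this is the example readers copy, a follow-up should either drop SSLv3 from the list or say that it is shown only for legacy clients.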
105 http { | 107 http { |
106 <b>ssl_session_cache shared:SSL:10m</b>; | 108 <b>ssl_session_cache shared:SSL:10m</b>; |
107 <b>ssl_session_timeout 10m</b>; | 109 <b>ssl_session_timeout 10m</b>; |
108 | 110 |
109 server { | 111 server { |
110 listen 443; | 112 listen 443 ssl; |
111 server_name www.example.com; | 113 server_name www.example.com; |
112 <b>keepalive_timeout 70</b>; | 114 <b>keepalive_timeout 70</b>; |
113 | 115 |
114 ssl on; | |
115 ssl_certificate www.example.com.crt; | 116 ssl_certificate www.example.com.crt; |
116 ssl_certificate_key www.example.com.key; | 117 ssl_certificate_key www.example.com.key; |
117 ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; | 118 ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; |
118 ssl_ciphers HIGH:!aNULL:!MD5; | 119 ssl_ciphers HIGH:!aNULL:!MD5; |
119 ... | 120 ... |
145 The resulting file should be used in the | 146 The resulting file should be used in the |
146 <link doc="ngx_http_ssl_module.xml" id="ssl_certificate"/> directive: | 147 <link doc="ngx_http_ssl_module.xml" id="ssl_certificate"/> directive: |
147 | 148 |
148 <programlisting> | 149 <programlisting> |
149 server { | 150 server { |
150 listen 443; | 151 listen 443 ssl; |
151 server_name www.example.com; | 152 server_name www.example.com; |
152 ssl on; | |
153 ssl_certificate www.example.com.chained.crt; | 153 ssl_certificate www.example.com.chained.crt; |
154 ssl_certificate_key www.example.com.key; | 154 ssl_certificate_key www.example.com.key; |
155 ... | 155 ... |
156 } | 156 } |
157 </programlisting> | 157 </programlisting> |
221 | 221 |
222 | 222 |
223 <section id="single_http_https_server" name="A single HTTP/HTTPS server"> | 223 <section id="single_http_https_server" name="A single HTTP/HTTPS server"> |
224 | 224 |
225 <para> | 225 <para> |
226 If HTTP and HTTPS servers are equal, | 226 It is possible to configure a single server that handles both HTTP |
227 a single server that handles both HTTP and HTTPS requests may be configured | 227 and HTTPS requests: |
228 by deleting the directive “<literal>ssl on</literal>” | |
229 and adding the <literal>ssl</literal> parameter for *:443 port: | |
230 | 228 |
231 <programlisting> | 229 <programlisting> |
232 server { | 230 server { |
233 listen 80; | 231 listen 80; |
234 listen 443 ssl; | 232 listen 443 ssl; |
238 ... | 236 ... |
239 } | 237 } |
240 </programlisting> | 238 </programlisting> |
241 | 239 |
242 <note> | 240 <note> |
243 Prior to 0.8.21, nginx only allows the <literal>ssl</literal> parameter | 241 Prior to 0.7.14 SSL could not be enabled selectively for |
244 to be set on listen sockets with the <literal>default</literal> parameter: | 242 individual listening sockets, as shown above. |
245 <programlisting> | 243 SSL could only be enabled for the entire server using the |
246 listen 443 default ssl; | 244 <link doc="ngx_http_ssl_module.xml" id="ssl"/> directive, |
247 </programlisting> | 245 making it impossible to set up a single HTTP/HTTPS server. |
246 The <literal>ssl</literal> parameter of the | |
247 <link doc="ngx_http_core_module.xml" id="listen"/> directive | |
248 was added to solve this issue. | |
249 The use of the | |
250 <link doc="ngx_http_ssl_module.xml" id="ssl"/> directive | |
251 in modern versions is thus discouraged. | |
248 </note> | 252 </note> |
249 </para> | 253 </para> |
250 | 254 |
251 </section> | 255 </section> |
252 | 256 |
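Review bot: in the rewritten note, "Prior to 0.7.14 SSL could not be enabled selectively for individual listening sockets, as shown above." reads as if the inability is what is shown above; suggest "Prior to 0.7.14, SSL could not be enabled selectively for individual listening sockets as is done above." or tie the reference to the configuration ("..., so the configuration above was not possible."). Moving the 0.8.21/`default` caveat out of this note and into the Compatibility section is the right call: the note now carries the rationale and the version details live in one place.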
257 A common issue arises when configuring two or more HTTPS servers | 261 A common issue arises when configuring two or more HTTPS servers |
258 listening on a single IP address: | 262 listening on a single IP address: |
259 | 263 |
260 <programlisting> | 264 <programlisting> |
261 server { | 265 server { |
262 listen 443; | 266 listen 443 ssl; |
263 server_name www.example.com; | 267 server_name www.example.com; |
264 ssl on; | |
265 ssl_certificate www.example.com.crt; | 268 ssl_certificate www.example.com.crt; |
266 ... | 269 ... |
267 } | 270 } |
268 | 271 |
269 server { | 272 server { |
270 listen 443; | 273 listen 443 ssl; |
271 server_name www.example.org; | 274 server_name www.example.org; |
272 ssl on; | |
273 ssl_certificate www.example.org.crt; | 275 ssl_certificate www.example.org.crt; |
274 ... | 276 ... |
275 } | 277 } |
276 </programlisting> | 278 </programlisting> |
277 | 279 |
287 The oldest and most robust method to resolve the issue | 289 The oldest and most robust method to resolve the issue |
288 is to assign a separate IP address for every HTTPS server: | 290 is to assign a separate IP address for every HTTPS server: |
289 | 291 |
290 <programlisting> | 292 <programlisting> |
291 server { | 293 server { |
292 listen 192.168.1.1:443; | 294 listen 192.168.1.1:443 ssl; |
293 server_name www.example.com; | 295 server_name www.example.com; |
294 ssl on; | |
295 ssl_certificate www.example.com.crt; | 296 ssl_certificate www.example.com.crt; |
296 ... | 297 ... |
297 } | 298 } |
298 | 299 |
299 server { | 300 server { |
300 listen 192.168.1.2:443; | 301 listen 192.168.1.2:443 ssl; |
301 server_name www.example.org; | 302 server_name www.example.org; |
302 ssl on; | |
303 ssl_certificate www.example.org.crt; | 303 ssl_certificate www.example.org.crt; |
304 ... | 304 ... |
305 } | 305 } |
306 </programlisting> | 306 </programlisting> |
307 </para> | 307 </para> |
308 | |
309 </section> | |
310 | 308 |
311 | 309 |
312 <section id="certificate_with_several_names" | 310 <section id="certificate_with_several_names" |
313 name="An SSL certificate with several names"> | 311 name="An SSL certificate with several names"> |
314 | 312 |
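Review bot: the `</section>` after the separate-IP-address example is deleted here and a matching `</section>` is added much later (right after the section that closes at new line 435), which nests the "An SSL certificate with several names" section, and everything between, inside the section that used to close here. This restructuring is not covered by the commit message ("Documented that "listen ... ssl" is preferred over "ssl on"."), so either confirm it is intended and mention it in the message, or split it into its own change.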
343 <programlisting> | 341 <programlisting> |
344 ssl_certificate common.crt; | 342 ssl_certificate common.crt; |
345 ssl_certificate_key common.key; | 343 ssl_certificate_key common.key; |
346 | 344 |
347 server { | 345 server { |
348 listen 443; | 346 listen 443 ssl; |
349 server_name www.example.com; | 347 server_name www.example.com; |
350 ssl on; | 348 ... |
351 ... | 349 } |
352 } | 350 |
353 | 351 server { |
354 server { | 352 listen 443 ssl; |
355 listen 443; | |
356 server_name www.example.org; | 353 server_name www.example.org; |
357 ssl on; | |
358 ... | 354 ... |
359 } | 355 } |
360 </programlisting> | 356 </programlisting> |
361 </para> | 357 </para> |
362 | 358 |
436 </programlisting> | 432 </programlisting> |
437 </para> | 433 </para> |
438 | 434 |
439 </section> | 435 </section> |
440 | 436 |
437 </section> | |
438 | |
441 | 439 |
442 <section id="compatibility" name="Compatibility"> | 440 <section id="compatibility" name="Compatibility"> |
443 | 441 |
444 <para> | 442 <para> |
445 <list type="bullet"> | 443 <list type="bullet"> |
451 | 449 |
452 <listitem> | 450 <listitem> |
453 The <literal>ssl</literal> parameter of the | 451 The <literal>ssl</literal> parameter of the |
454 <link doc="ngx_http_core_module.xml" id="listen"/> | 452 <link doc="ngx_http_core_module.xml" id="listen"/> |
455 directive has been supported since 0.7.14. | 453 directive has been supported since 0.7.14. |
454 Prior to 0.8.21 it could only be specified along with the | |
455 <literal>default</literal> parameter. | |
456 </listitem> | 456 </listitem> |
457 | 457 |
458 <listitem> | 458 <listitem> |
459 SNI has been supported since 0.5.32. | 459 SNI has been supported since 0.5.32. |
460 </listitem> | 460 </listitem> |
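Review bot: missing documentation: now that the page says use of the `ssl` directive "in modern versions is thus discouraged", the Compatibility list should also state whether `ssl on;` itself remains supported, so that readers with existing configurations know whether they merely should migrate or must; one more listitem next to the 0.7.14/0.8.21 entry would cover it.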