Mercurial > hg > nginx-site
comparison xml/en/docs/http/configuring_https_servers.xml @ 659:77a3314c74a7
Avoid the uses of second person.
| author | Ruslan Ermilov <ru@nginx.com> |
|---|---|
| date | Tue, 28 Aug 2012 09:23:40 +0000 |
| parents | bd81a71006fe |
| children | ba45bd0fc71e |
comparison
equal
deleted
inserted
replaced
| 658:bd81a71006fe | 659:77a3314c74a7 |
|---|---|
| 13 editor="Brian Mercer"> | 13 editor="Brian Mercer"> |
| 14 | 14 |
| 15 <section> | 15 <section> |
| 16 | 16 |
| 17 <para> | 17 <para> |
| 18 To configure an HTTPS server you must enable the SSL protocol | 18 To configure an HTTPS server, the SSL protocol must be enabled |
| 19 in the server block, and specify the locations of the server certificate | 19 in the server block, and the locations of the server certificate |
| 20 and private key files: | 20 and private key files should be specified: |
| 21 | 21 |
| 22 <programlisting> | 22 <programlisting> |
| 23 server { | 23 server { |
| 24 listen 443; | 24 listen 443; |
| 25 server_name www.example.com; | 25 server_name www.example.com; |
| 77 | 77 |
| 78 <section id="optimization" name="HTTPS server optimization"> | 78 <section id="optimization" name="HTTPS server optimization"> |
| 79 | 79 |
| 80 <para> | 80 <para> |
| 81 SSL operations consume extra CPU resources. | 81 SSL operations consume extra CPU resources. |
| 82 On multi-processor systems you should run several worker processes: | 82 On multi-processor systems several worker processes should be run, |
| 83 no less than the number of available CPU cores. | 83 no less than the number of available CPU cores. |
| 84 The most CPU-intensive operation is the SSL handshake. | 84 The most CPU-intensive operation is the SSL handshake. |
| 85 There are two ways to minimize the number of these operations per client: | 85 There are two ways to minimize the number of these operations per client: |
| 86 the first is by enabling keepalive connections to send several | 86 the first is by enabling keepalive connections to send several |
| 87 requests via one connection and the second is to reuse SSL session | 87 requests via one connection and the second is to reuse SSL session |
| 173 Browsers usually store intermediate certificates which they receive | 173 Browsers usually store intermediate certificates which they receive |
| 174 and which are signed by trusted authorities, so actively used browsers | 174 and which are signed by trusted authorities, so actively used browsers |
| 175 may already have the required intermediate certificates and | 175 may already have the required intermediate certificates and |
| 176 may not complain about a certificate sent without a chained bundle. | 176 may not complain about a certificate sent without a chained bundle. |
| 177 To ensure the server sends the complete certificate chain, | 177 To ensure the server sends the complete certificate chain, |
| 178 you may use the <command>openssl</command> command-line utility, for example: | 178 the <command>openssl</command> command-line utility may be used, for example: |
| 179 | 179 |
| 180 <programlisting> | 180 <programlisting> |
| 181 $ openssl s_client -connect www.godaddy.com:443 | 181 $ openssl s_client -connect www.godaddy.com:443 |
| 182 ... | 182 ... |
| 183 Certificate chain | 183 Certificate chain |
| 211 whose certificate is stored in the browsers’ built-in | 211 whose certificate is stored in the browsers’ built-in |
| 212 certificate base (that lay in the house that Jack built). | 212 certificate base (that lay in the house that Jack built). |
| 213 </para> | 213 </para> |
| 214 | 214 |
| 215 <para> | 215 <para> |
| 216 If you have not added the certificates bundle, you will see only your server | 216 If a certificate bundle has not been added, only the server certificate #0 |
| 217 certificate #0. | 217 will be shown. |
| 218 </para> | 218 </para> |
| 219 | 219 |
| 220 </section> | 220 </section> |
| 221 | 221 |
| 222 | 222 |
| 223 <section id="single_http_https_server" name="A single HTTP/HTTPS server"> | 223 <section id="single_http_https_server" name="A single HTTP/HTTPS server"> |
| 224 | 224 |
| 225 <para> | 225 <para> |
| 226 It is good practice to configure separate servers for HTTP and HTTPS | 226 If HTTP and HTTPS servers are equal, |
| 227 protocols from the very start. Although their functionalities currently | 227 a single server that handles both HTTP and HTTPS requests may be configured |
| 228 seem equal, this may change significantly in the future | |
| 229 and using a consolidated server may become problematic. | |
| 230 However, if HTTP and HTTPS servers are equal, | |
| 231 and you prefer not to think about the future, | |
| 232 you may configure a single server that handles both HTTP and HTTPS requests | |
| 233 by deleting the directive “<literal>ssl on</literal>” | 228 by deleting the directive “<literal>ssl on</literal>” |
| 234 and adding the <literal>ssl</literal> parameter for *:443 port: | 229 and adding the <literal>ssl</literal> parameter for *:443 port: |
| 235 | 230 |
| 236 <programlisting> | 231 <programlisting> |
| 237 server { | 232 server { |