annotate auto/os/conf @ 7732:59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
In some cases it might be needed to reject SSL handshake based on SNI
server name provided, for example, to make sure an invalid certificate
is not returned to clients trying to contact a name-based virtual server
without SSL configured. Previously, a "ssl_ciphers aNULL;" was used for
this. This workaround, however, is not compatible with TLSv1.3, in
particular, when using BoringSSL, where it is not possible to configure
TLSv1.3 ciphers at all.
With this change, the ssl_reject_handshake directive is introduced,
which instructs nginx to reject SSL handshakes with an "unrecognized_name"
alert in a particular server block.
For example, to reject handshake with names other than example.com,
one can use the following configuration:

    server {
        listen 443 ssl;
        ssl_reject_handshake on;
    }

    server {
        listen 443 ssl;
        server_name example.com;
        ssl_certificate example.com.crt;
        ssl_certificate_key example.com.key;
    }

The following configuration can be used to reject all SSL handshakes
without SNI server name provided:

    server {
        listen 443 ssl;
        ssl_reject_handshake on;
    }

    server {
        listen 443 ssl;
        server_name ~^;
        ssl_certificate example.crt;
        ssl_certificate_key example.key;
    }

Additionally, the ssl_reject_handshake directive makes configuring
certificates for the default server block optional. If no certificates
are configured in the default server for a given listening socket,
certificates must be defined in all non-default server blocks with
the listening socket in question.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Thu, 22 Oct 2020 18:02:28 +0300 |
parents | e4c21e417277 |
children | 35afae4b3dff |
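
An added example, not part of the commit or of nginx: a small Python check of the certificate rule as the commit message above words it (when the default server for an SSL listening socket has no certificate, every non-default server on that socket must define one). It assumes flat server blocks without comments or nested blocks, treats the first listed server as the default unless `default_server` is set, and compares `listen` addresses as literal strings; `parse_servers` and `check_ssl_sockets` are hypothetical names.

```python
import re

# Constructed sample: the default server rejects handshakes and has no
# certificate, but one name-based server on the same socket lacks one too.
SAMPLE = """
server { listen 443 ssl; ssl_reject_handshake on; }
server { listen 443 ssl; server_name example.com;
         ssl_certificate example.com.crt; ssl_certificate_key example.com.key; }
server { listen 443 ssl; server_name example.org; }
"""

def parse_servers(conf):
    """Return one {directive: [argument lists]} dict per flat server block."""
    servers = []
    for body in re.findall(r"\bserver\s*\{([^{}]*)\}", conf):
        directives = {}
        for stmt in body.split(";"):
            words = stmt.split()
            if words:
                directives.setdefault(words[0], []).append(words[1:])
        servers.append(directives)
    return servers

def check_ssl_sockets(conf):
    """Return (listen address, server index, problem) for each rule violation."""
    sockets = {}
    for idx, srv in enumerate(parse_servers(conf)):
        for args in srv.get("listen", []):
            if "ssl" in args[1:]:
                sockets.setdefault(args[0], []).append((idx, srv, "default_server" in args))
    problems = []
    for addr, members in sockets.items():
        # Assumption: first server listed is the default unless default_server is set.
        d_idx, d_srv, _ = next((m for m in members if m[2]), members[0])
        if "ssl_certificate" in d_srv:
            continue  # the default server carries a certificate for this socket
        if d_srv.get("ssl_reject_handshake") != [["on"]]:
            # Certificates are optional in the default server only with the directive on.
            problems.append((addr, d_idx, "default server has no certificate and does not reject handshakes"))
            continue
        for idx, srv, _ in members:
            if idx != d_idx and "ssl_certificate" not in srv:
                names = " ".join(srv.get("server_name", [["(unnamed)"]])[0])
                problems.append((addr, idx, "no certificate for " + names))
    return problems

if __name__ == "__main__":
    print(check_ssl_sockets(SAMPLE))
```
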
rev | line source |
---|---|
444 | 1 |
444 | 2 # Copyright (C) Igor Sysoev |
4412 | 3 # Copyright (C) Nginx, Inc. |
444 | 4 |
195 | 5 |
563 | 6 echo "checking for $NGX_SYSTEM specific features" |
195 | 7 |
493 | 8 case "$NGX_PLATFORM" in |
195 | 9 |
688 | 10 FreeBSD:*) |
195 | 11 . auto/os/freebsd |
195 | 12 ;; |
195 | 13 |
196 | 14 Linux:*) |
196 | 15 . auto/os/linux |
195 | 16 ;; |
195 | 17 |
196 | 18 SunOS:*) |
196 | 19 . auto/os/solaris |
195 | 20 ;; |
195 | 21 |
2128 | 22 Darwin:*) |
2128 | 23 . auto/os/darwin |
2128 | 24 ;; |
2128 | 25 |
2828 | 26 win32) |
455 | 27 . auto/os/win32 |
195 | 28 ;; |
195 | 29 |
688 | 30 DragonFly:*) |
688 | 31 have=NGX_FREEBSD . auto/have_headers |
688 | 32 CORE_INCS="$UNIX_INCS" |
688 | 33 CORE_DEPS="$UNIX_DEPS $FREEBSD_DEPS" |
688 | 34 CORE_SRCS="$UNIX_SRCS $FREEBSD_SRCS" |
688 | 35 |
688 | 36 echo " + sendfile() found" |
688 | 37 have=NGX_HAVE_SENDFILE . auto/have |
688 | 38 CORE_SRCS="$CORE_SRCS $FREEBSD_SENDFILE_SRCS" |
688 | 39 |
688 | 40 ngx_spacer=' |
688 | 41 ' |
688 | 42 ;; |
688 | 43 |
7021 | 44 NetBSD:*) |
7021 | 45 CORE_INCS="$UNIX_INCS" |
7021 | 46 CORE_DEPS="$UNIX_DEPS $POSIX_DEPS" |
7021 | 47 CORE_SRCS="$UNIX_SRCS" |
7021 | 48 |
7021 | 49 NGX_RPATH=YES |
7021 | 50 ;; |
7021 | 51 |
515 | 52 HP-UX:*) |
515 | 53 # HP/UX |
515 | 54 have=NGX_HPUX . auto/have_headers |
515 | 55 CORE_INCS="$UNIX_INCS" |
515 | 56 CORE_DEPS="$UNIX_DEPS $POSIX_DEPS" |
515 | 57 CORE_SRCS="$UNIX_SRCS" |
515 | 58 CC_AUX_FLAGS="$CC_AUX_FLAGS -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1" |
4692 | 59 CC_AUX_FLAGS="$CC_AUX_FLAGS -D_HPUX_ALT_XOPEN_SOCKET_API" |
515 | 60 ;; |
515 | 61 |
515 | 62 OSF1:*) |
517 | 63 # Tru64 UNIX |
515 | 64 have=NGX_TRU64 . auto/have_headers |
517 | 65 have=NGX_HAVE_STRERROR_R . auto/nohave |
515 | 66 CORE_INCS="$UNIX_INCS" |
515 | 67 CORE_DEPS="$UNIX_DEPS $POSIX_DEPS" |
515 | 68 CORE_SRCS="$UNIX_SRCS" |
515 | 69 ;; |
515 | 70 |
6156 | 71 GNU:*) |
6156 | 72 # GNU Hurd |
6156 | 73 have=NGX_GNU_HURD . auto/have_headers |
6156 | 74 CORE_INCS="$UNIX_INCS" |
6156 | 75 CORE_DEPS="$UNIX_DEPS $POSIX_DEPS" |
6156 | 76 CORE_SRCS="$UNIX_SRCS" |
6156 | 77 CC_AUX_FLAGS="$CC_AUX_FLAGS -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64" |
6156 | 78 ;; |
6156 | 79 |
355 | 80 *) |
355 | 81 CORE_INCS="$UNIX_INCS" |
355 | 82 CORE_DEPS="$UNIX_DEPS $POSIX_DEPS" |
355 | 83 CORE_SRCS="$UNIX_SRCS" |
355 | 84 ;; |
355 | 85 |
195 | 86 esac |
455 | 87 |
455 | 88 |
493 | 89 case "$NGX_MACHINE" in |
479 | 90 |
589 | 91 i386 \| i686 \| i86pc) |
509 | 92 have=NGX_HAVE_NONALIGNED . auto/have |
589 | 93 NGX_MACH_CACHE_LINE=32 |
589 | 94 ;; |
589 | 95 |
593 | 96 amd64 \| x86_64) |
589 | 97 have=NGX_HAVE_NONALIGNED . auto/have |
589 | 98 NGX_MACH_CACHE_LINE=64 |
509 | 99 ;; |
479 | 100 |
745 | 101 sun4u \| sun4v \| sparc \| sparc64) |
581 | 102 have=NGX_ALIGNMENT value=16 . auto/define |
589 | 103 # TODO |
589 | 104 NGX_MACH_CACHE_LINE=64 |
589 | 105 ;; |
589 | 106 |
589 | 107 ia64 ) |
589 | 108 have=NGX_ALIGNMENT value=16 . auto/define |
589 | 109 # TODO |
589 | 110 NGX_MACH_CACHE_LINE=64 |
589 | 111 ;; |
589 | 112 |
7172 | 113 aarch64 ) |
7172 | 114 have=NGX_ALIGNMENT value=16 . auto/define |
7172 | 115 NGX_MACH_CACHE_LINE=64 |
7172 | 116 ;; |
7172 | 117 |
589 | 118 *) |
4690 | 119 have=NGX_ALIGNMENT value=16 . auto/define |
589 | 120 NGX_MACH_CACHE_LINE=32 |
581 | 121 ;; |
581 | 122 |
479 | 123 esac |
589 | 124 |
589 | 125 if test -z "$NGX_CPU_CACHE_LINE"; then |
589 | 126 NGX_CPU_CACHE_LINE=$NGX_MACH_CACHE_LINE |
589 | 127 fi |
589 | 128 |
589 | 129 have=NGX_CPU_CACHE_LINE value=$NGX_CPU_CACHE_LINE . auto/define |

Changeset details shown on the page for the revisions above:

rev | changeset | description | author | parents |
---|---|---|---|---|
195 | 8dee38ea9117 | nginx-0.0.1-2003-11-25-23:44:56 import | Igor Sysoev <igor@sysoev.ru> | |
196 | 11fbd0fc041d | nginx-0.0.1-2003-11-26-18:42:18 import | Igor Sysoev <igor@sysoev.ru> | 195 |
355 | 0fb6c53fb135 | nginx-0.0.7-2004-06-15-21:47:16 import | Igor Sysoev <igor@sysoev.ru> | 320 |
444 | 42d11f017717 | nginx-0.1.0-2004-09-29-20:00:49 import; remove years from copyright | Igor Sysoev <igor@sysoev.ru> | 355 |
688 | 03fa118203d6 | separate DragonFlyBSD autoconfiguration from FreeBSD | Igor Sysoev <igor@sysoev.ru> | 593 |
2128 | 345a014436d4 | *) move Darwin support to separate files | Igor Sysoev <igor@sysoev.ru> | 940 |
2828 | f5c80c69a72e | backout -r2827 and add correct fix | Igor Sysoev <igor@sysoev.ru> | 2826 |
4690 | d91f3c78603e | Changed default alignment to 16. | Maxim Dounin <mdounin@mdounin.ru> | 4412 |
4692 | 489839d07b38 | Fixed "sendmsg() failed" alerts on HP-UX. | Maxim Dounin <mdounin@mdounin.ru> | 4690 |
6156 | a88e309f839b | Configure: GNU Hurd properly recognized. | Maxim Dounin <mdounin@mdounin.ru> | 4692 |
7021 | 639e48c382a6 | Configure: enabled rpath for NetBSD. | Sergey Kandaurov <pluknet@nginx.com> | 6156 |
7172 | e4c21e417277 | Configure: set default cacheline size to 64 for aarch64 platforms. | Debayan Ghosh <debayang.qdt@qualcommdatacenter.com> | 7021 |