Ignore broken SSL servers in config

Maxim Dounin mdounin at mdounin.ru
Thu Jun 20 09:00:54 UTC 2013


On Wed, Jun 19, 2013 at 11:06:19AM -0700, Mark Moseley wrote:

> TL;DR:
> Any nginx setting to say 'if a vhost's ssl settings are broken, skip it and
> don't fail to start' ?
> I've certainly RTFM'd this and peered at the source, but I figured I might
> as well throw it out there, in case there's some hidden setting I've missed.
> I'm building a reverse proxy config for thousands of SSL virtual hosts, to
> replace an apache solution.
> It very often happens that someone in support will make a mistake with
> regards to certs/keys. E.g. updating someone's SSL cert but actually
> putting the CSR there instead.
> In apache, since the config is being generated out of mod_perl, I can get
> around this situation by having mod_perl do a modulus check on the cert and
> key and skip the vhost if they don't match. In my case, I'd far prefer to
> have a missing vhost and have the other 1000 sites working, than all down.
> And, yes, I realize in default apache, it'd just fail to load. And also,
> yes, I realize asking something to ignore broken configs is a bit
> non-standard :)
> Since I don't have mod_perl at my fingertips in nginx to perform a similar
> trick, the startup will just fail.
> So I was curious if there's some obscure setting to tell nginx "if a vhost
> fails to loads its cert properly (or potentially any other vhost setting),
> skip it and continue loading the rest"?
> If such a thing did exist, I imagine that the configtest would have to turn
> errors for that vhost into warnings as well.
> My guess is obviously 'no', but I figured asking woud only cost me the time
> it takes to compose an email.

In nginx, there are two mechanism to deal with configuration 

1) On configuration reload nginx refuses to load a new 
configuration if there are errors (and continues to work with 
previously loaded correct configuration).

2) There is "nginx -t" to test configs.

By using the two you are safe from a situation when a typo 
in configuration takes a service down (well, mostly: one always 
can take it down with a valid config).  There is no kludge to 
magically apply only parts of a configuration though.

Maxim Dounin

More information about the nginx mailing list