Ignore broken SSL servers in config
moseleymark at gmail.com
Thu Jun 20 16:46:35 UTC 2013
On Thu, Jun 20, 2013 at 2:00 AM, Maxim Dounin <mdounin at mdounin.ru> wrote:
> On Wed, Jun 19, 2013 at 11:06:19AM -0700, Mark Moseley wrote:
> > TL;DR:
> > Any nginx setting to say 'if a vhost's ssl settings are broken, skip it
> > don't fail to start' ?
> > I've certainly RTFM'd this and peered at the source, but I figured I
> > as well throw it out there, in case there's some hidden setting I've
> > I'm building a reverse proxy config for thousands of SSL virtual hosts,
> > replace an apache solution.
> > It very often happens that someone in support will make a mistake with
> > regards to certs/keys. E.g. updating someone's SSL cert but actually
> > putting the CSR there instead.
> > In apache, since the config is being generated out of mod_perl, I can get
> > around this situation by having mod_perl do a modulus check on the cert
> > key and skip the vhost if they don't match. In my case, I'd far prefer to
> > have a missing vhost and have the other 1000 sites working, than all
> > And, yes, I realize in default apache, it'd just fail to load. And also,
> > yes, I realize asking something to ignore broken configs is a bit
> > non-standard :)
> > Since I don't have mod_perl at my fingertips in nginx to perform a
> > trick, the startup will just fail.
> > So I was curious if there's some obscure setting to tell nginx "if a
> > fails to loads its cert properly (or potentially any other vhost
> > skip it and continue loading the rest"?
> > If such a thing did exist, I imagine that the configtest would have to
> > errors for that vhost into warnings as well.
> > My guess is obviously 'no', but I figured asking woud only cost me the
> > it takes to compose an email.
> In nginx, there are two mechanism to deal with configuration
> 1) On configuration reload nginx refuses to load a new
> configuration if there are errors (and continues to work with
> previously loaded correct configuration).
> 2) There is "nginx -t" to test configs.
> By using the two you are safe from a situation when a typo
> in configuration takes a service down (well, mostly: one always
> can take it down with a valid config). There is no kludge to
> magically apply only parts of a configuration though.
Yup, that's what I figured. Thanks for confirming.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the nginx