do not fail when ssl cert not present.
mdounin at mdounin.ru
Thu Jun 18 17:24:56 UTC 2015
On Thu, Jun 18, 2015 at 05:04:16PM +0200, Christ-Jan Wijtmans wrote:

> I tried to not fail the nginx server if ssl cert is not available.
> However the directive is not even allowed inside a statement.
>
> if (-f /var/www/x/etc/ssl.crt)
> ssl_certificate /var/www/x/etc/ssl.crt;
> ssl_certificate_key /var/www/x/etc/ssl.key;

This won't work, as nginx loads certificates and keys while
parsing configuration, but "if" is a directive of the rewrite
module and it is executed during request processing, see

If you want nginx to only load existing certificates, you'll have
to teach it to do so by only using appropriate directives when
certificates and keys are actually available. The "include"
directive may help if you want to automate this, see

> Also I do not believe it's proper to fail the entire server if one
> server block fails.

Current approach is as follows: if there is a problem with a
configuration, nginx will refuse to use it. This way, if you
make a typo in your configuration and ask nginx to reload the
configuration, nginx will just refuse to load the bad configuration
and will continue to work with the old one. This makes sure that
nginx won't suddenly become half-working due to a typo which can
be easily detected.

This may be not very familiar if you used to just restart daemons
with a new configuration, but this is how nginx works. Basically,
you never restart it at all - you either reconfigure nginx, or
upgrade it to a new version by changing executable on the fly.
And it's working all the time. See some details on how to control
nginx at http://nginx.org/en/docs/control.html.
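
The "include" approach mentioned in the reply can be automated with a small script run before each reload. The following is an added example, not part of the original message: the function name, the snippet path and the choice to put the `listen 443 ssl;` line in the snippet are assumptions, and paths are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example. The server block would contain a plain include of the
# generated file (hypothetical path), e.g.:
#   server { listen 80; server_name x; include /etc/nginx/ssl-snippets/x.conf; }
# so the TLS directives only exist in the configuration when the files do.

# write_ssl_snippet CERT KEY OUT
# Writes the TLS directives to OUT when CERT and KEY are both readable and
# non-empty. Otherwise writes an empty OUT, so "include OUT;" still resolves
# and nginx serves the block without TLS instead of rejecting the config.
# Returns 0 if TLS was enabled, 1 if the snippet was left empty, 2 on I/O error.
write_ssl_snippet() {
    cert=$1
    key=$2
    out=$3
    tmp="$out.tmp.$$"
    if [ -r "$cert" ] && [ -s "$cert" ] && [ -r "$key" ] && [ -s "$key" ]; then
        {
            # The listen directive lives here too, so no TLS listener is
            # declared for this server block when the certificate is absent.
            printf 'listen 443 ssl;\n'
            printf 'ssl_certificate %s;\n' "$cert"
            printf 'ssl_certificate_key %s;\n' "$key"
        } > "$tmp" || return 2
        status=0
    else
        : > "$tmp" || return 2
        status=1
    fi
    # Rename into place so nginx never reads a half-written snippet.
    mv -f "$tmp" "$out" || return 2
    return "$status"
}

# Typical use (run as a deploy step, then test before reloading):
#   write_ssl_snippet /var/www/x/etc/ssl.crt /var/www/x/etc/ssl.key \
#       /etc/nginx/ssl-snippets/x.conf
#   nginx -t && nginx -s reload
```

Because `nginx -t` runs before the reload signal, a generated snippet that is still wrong (for example a key that does not match the certificate) leaves the running configuration in place, as described in the reply.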