do not fail when ssl cert not present.

Maxim Dounin mdounin at mdounin.ru
Thu Jun 18 17:24:56 UTC 2015


Hello!

On Thu, Jun 18, 2015 at 05:04:16PM +0200, Christ-Jan Wijtmans wrote:

> I tried to not fail the nginx server if ssl cert is not available.
> However the directive is not even allowed inside a statement.
> 
>         if (-f /var/www/x/etc/ssl.crt)
>         {
>                ssl_certificate /var/www/x/etc/ssl.crt;
>                ssl_certificate_key /var/www/x/etc/ssl.key;
>         }

This won't work, as nginx loads certificates and keys while 
parsing configuration, but "if" is a directive of the rewrite 
module and it is executed during request processing, see 
http://nginx.org/r/if.

If you want nginx to only load existing certificates, you'll have 
to teach it to do so by only using appropriate directives when 
certificates and keys are actually available.  The "include" 
directive may help if you want to automate this, see 
http://nginx.org/r/include. 

> Also I do not believe it's proper to fail the entire server if one
> server block fails.

The current approach is as follows: if there is a problem with a 
configuration, nginx will refuse to use it.  This way, if you 
make a typo in your configuration and ask nginx to reload the 
configuration, nginx will just refuse to load the bad configuration 
and will continue to work with the old one.  This makes sure that 
nginx won't suddenly become half-working due to a typo which can 
be easily detected.

This may not be very familiar if you are used to just restarting daemons 
with a new configuration, but this is how nginx works.  Basically, 
you never restart it at all - you either reconfigure nginx, or 
upgrade it to a new version by changing the executable on the fly.  
And it's working all the time.  See some details on how to control 
nginx at http://nginx.org/en/docs/control.html.

-- 
Maxim Dounin
http://nginx.org/
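
An added example, not part of the original message or of nginx itself: one way to automate the "include" approach from the reply, by generating the TLS directives only when both files exist and reloading only if nginx accepts the result. The snippet path /etc/nginx/tls-x.conf, the function names and the --apply switch are assumptions for illustration.

```shell
#!/bin/sh
# Added example. The server block is assumed to contain:
#     listen 80;
#     include /etc/nginx/tls-x.conf;

# write_tls_snippet CERT KEY OUT
# Prints "enabled" and writes listen/ssl_certificate directives to OUT when
# CERT and KEY are readable, non-empty files. Otherwise prints "disabled" and
# leaves OUT empty, so "include OUT;" still resolves when the config is parsed.
write_tls_snippet() {
    cert=$1; key=$2; out=$3
    # Refuse paths that could break out of a directive in the generated file.
    for p in "$cert" "$key"; do
        case $p in
            /*) ;;
            *) echo "refusing relative path: $p" >&2; return 2 ;;
        esac
        case $p in
            *[!A-Za-z0-9/._-]*) echo "refusing unsafe path: $p" >&2; return 2 ;;
        esac
    done
    tmp="$out.tmp.$$"
    if [ -r "$cert" ] && [ -s "$cert" ] && [ -r "$key" ] && [ -s "$key" ]; then
        # "listen ... ssl" lives here too: nginx rejects an ssl listener
        # in a server that has no certificate configured.
        printf 'listen 443 ssl;\nssl_certificate %s;\nssl_certificate_key %s;\n' \
            "$cert" "$key" > "$tmp"
        state=enabled
    else
        : > "$tmp"
        state=disabled
    fi
    mv -f "$tmp" "$out"   # rename so nginx never reads a half-written file
    echo "$state"
}

# Test the complete configuration and reload only if nginx accepts it.
apply_config() {
    nginx -t && nginx -s reload
}

if [ "${1:-}" = "--apply" ]; then
    write_tls_snippet /var/www/x/etc/ssl.crt /var/www/x/etc/ssl.key \
        /etc/nginx/tls-x.conf && apply_config
fi
```

Run it with --apply from whatever job installs or renews the certificate; the existence check happens when the snippet is generated, not per request.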


