Single-Config-SSL-Hosting needs broader support for variables

Igor Sysoev igor at sysoev.ru
Sun Aug 22 12:08:55 MSD 2010


On Sun, Aug 22, 2010 at 04:03:32AM +0200, Sebastian J. Bronner wrote:

> Hi there,
> 
> I've spent considerable effort at hosting my websites with a minimal
> configuration overhead. To that end, I have configured nginx so that it
> uses the existence of a directory to determine whether a hosting exists
> or not. See the following minimalized configuration, to see what I mean:
> 
> """
> server {
>         listen  80 default;
>         root    /srv/www/$host;
>         if (!-d $document_root) { return 404; }
> }
> """
> 
> My real configuration file is somewhat more extensive. The extra
> sections have nothing to do with what I want to talk about here, though.
> 
> Now, the configuration above is really great. All I have to do is
> configure DNS and create the directory, and my new user is good to go.

This check

         if (!-d $document_root) { return 404; }

is useless here.

> I would like to do the same with SSL/SNI, as in the following example:
> 
> """
> server {
>         listen               443 default ssl;
>         ssl_certificate      /etc/ssl/certs/$host.cert;
>         ssl_certificate_key  /etc/ssl/private/$host.key;
>         root                 /srv/www/$host;
>         if (!-d $document_root) { return 404; }
> }
> """
> 
> However, before I can do this, two (2) things must first be changed in
> nginx:
> 
> 1 - The SSL certificate and key must be read on-demand instead of at
> daemon startup, as is currently the case.
> 
> 2 - The ssl_certificate* configuration directives need to support
> variables.
> 
> Opinions?
> 
> Is this something anyone else would also enjoy seeing?
> 
> How does Igor feel about having this kind of thing in the code?

I do not think that this will be useful until most browsers
support SNI. For example, on the Russian Internet half of the users
still use Windows XP: http://www.liveinternet.ru/stat/en/oses.html
Although a third of users use Firefox 3:
http://www.liveinternet.ru/stat/en/browsers.html
anyway, there are too many users who use MSIE/WinXP, which does not
support SNI.


-- 
Igor Sysoev
http://sysoev.ru/en/
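
The on-demand, per-hostname certificate lookup proposed in the quoted message, together with the fallback for clients that send no SNI, as an added example that is not part of the original thread and is not nginx code. It uses Python's standard `ssl` module; the function names and the reuse of the `/etc/ssl` paths from the quoted configuration are assumptions made for illustration.

```python
import re
import ssl
from pathlib import Path

# Assumed layout, taken from the paths in the quoted configuration.
CERT_DIR = Path("/etc/ssl/certs")
KEY_DIR = Path("/etc/ssl/private")

# Plain LDH hostname only: rules out "/", "..", empty labels and leading "-".
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")
_contexts = {}  # hostname -> SSLContext, so each pair is read from disk once


def cert_paths(server_name, cert_dir=CERT_DIR, key_dir=KEY_DIR):
    """Map an SNI name to (cert, key) paths; None means use the default cert."""
    if not server_name:  # client sent no SNI extension
        return None
    name = server_name.lower()
    if len(name) > 253 or not _HOSTNAME.fullmatch(name):
        return None
    cert = Path(cert_dir) / f"{name}.cert"
    key = Path(key_dir) / f"{name}.key"
    if not (cert.is_file() and key.is_file()):
        return None
    return cert, key


def sni_callback(sslobj, server_name, default_ctx):
    """SSLContext.sni_callback hook: load and swap in the per-host context."""
    paths = cert_paths(server_name)
    if paths is None:
        return None  # handshake continues with the default certificate
    name = server_name.lower()
    if name not in _contexts:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.load_cert_chain(certfile=paths[0], keyfile=paths[1])
        _contexts[name] = ctx
    sslobj.context = _contexts[name]
    return None


def make_server_context(default_cert, default_key):
    """Context holding the fallback certificate plus the on-demand hook."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile=default_cert, keyfile=default_key)
    ctx.sni_callback = sni_callback
    return ctx
```

The name is checked against a strict hostname pattern before it is joined into a path, because the SNI value is client-supplied input.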


