Using http/https in a single server block ("ssl" parameter for "listen")

Igor Sysoev is at rambler-co.ru
Fri Apr 3 17:20:17 MSD 2009


On Fri, Apr 03, 2009 at 12:47:51PM +0200, Daniel Hahler wrote:

> 2009/4/1 Igor Sysoev:
> > On Wed, Apr 01, 2009 at 08:23:18PM +0200, Daniel Hahler wrote:
> >> I'd like to enable both http and https within a single server block,
> >> without having to copy the whole block and only change "listen 80" to
> >> "listen 443" and add "ssl on".
> >>
> >> This appears to work somehow using the "ssl" parameter with "listen",
> >> but "nginx -t" complains that it can be used together with "default"
> >> only (""ssl" parameter can be specified for the default "listen"
> >> directive only").
> >> However, obviously I can use "default" only once.
> >>
> >> Would it be possible to allow usage of the "ssl" parameter without
> >> having to use "default"?
> >>
> >> The example for "ssl" at
> >> http://wiki.nginx.org/NginxHttpCoreModule#listen uses "default", but
> >> it's not mentioned in the documentation that this is a requirement.
> >>
> >> Example:
> >> server {
> >>     server_name example.com;
> >>     listen 80;
> >>     listen 443 ssl;
> >>
> >>     location / {
> >>         proxy_pass http://server;
> >>     }
> >> }
> >>
> >> I'm using nginx/0.7.47.
> >
> > I cannot say right now if it is possible to allow the "ssl" parameter
> > on a non-default listen, but how do you plan to use two name-based
> > SSL servers on one IP address:
> >
> >  server {
> >     server_name example.com;
> >     listen 80;
> >     listen 443 ssl;
> >  }
> >
> >  server {
> >     server_name beispiel.de;
> >     listen 80;
> >     listen 443 ssl;
> >  }
> >
> > ?
> 
> Yes.
> 
> I'm using a single ssl_certificate/ssl_certificate_key config in the
> http block, so it gets used for all servers.
> I have a single certificate, which works for multiple hostnames (see
> http://daniel.hahler.de/many_common_names_cn_in_one_ssl_certific - I'm
> not sure if it's currently this exact same setup/config, but it comes
> close).
> 
> However, you could still allow the ssl config options in server
> blocks to work when only "listen X ssl" is used, but not "ssl on"?!
> (But of course, you know much better whether this is
> feasible/possible.)

Actually, currently it's enough to set "ssl" on the default listen only and
you will get SSL in all server{}s listening on the port:

     server {
         listen 80;
         listen 443 default ssl;
         server_name example.com;
     }

     server {
         listen 80;
         listen 443;  # it is SSL-enabled too
         server_name beispiel.de;
     }

SSL is a property of the listen socket, although it's not a kernel-related
feature such as rcvbuf/backlog/etc.: once an SSL handshake has been started
you simply cannot return to plain text.


-- 
Igor Sysoev
http://sysoev.ru/en/
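As an added illustration (not part of the thread), here is a small Python script that models the rule Igor describes: "ssl" on the default listen for port 443 makes that listen socket SSL for every server{} using it. The parser is deliberately simplified (flat server blocks, sockets keyed by port only, not address:port) and both sample configs are constructed from the thread.

```python
import re

# Constructed sample: Igor's answer, "ssl" only on the default listen.
ANSWER_CONF = """
server {
    listen 80;
    listen 443 default ssl;
    server_name example.com;
}
server {
    listen 80;
    listen 443;  # it is SSL-enabled too
    server_name beispiel.de;
}
"""

# Constructed sample: Daniel's original attempt, "ssl" without "default".
QUESTION_CONF = """
server { server_name example.com; listen 80; listen 443 ssl; }
server { server_name beispiel.de; listen 80; listen 443 ssl; }
"""

LISTEN_RE = re.compile(r'listen\s+([^;#]+);')
NAME_RE = re.compile(r'server_name\s+([^;]+);')

def split_server_blocks(conf):
    """Return the text inside each top-level { ... } block (flat configs only)."""
    blocks, depth, start = [], 0, None
    for i, ch in enumerate(conf):
        if ch == '{':
            if depth == 0:
                start = i + 1
            depth += 1
        elif ch == '}':
            depth -= 1
            if depth == 0 and start is not None:
                blocks.append(conf[start:i])
                start = None
    return blocks

def _port(listen_params):
    # "443", "*:443" or "[::]:443" all reduce to the port (address ignored here).
    return listen_params[0].rsplit(':', 1)[-1]

def ssl_ports(conf):
    """Ports whose listen socket is SSL-enabled: 'ssl' given on any listen for that port."""
    return {_port(m.group(1).split()) for m in LISTEN_RE.finditer(conf)
            if 'ssl' in m.group(1).split()[1:]}

def servers_by_scheme(conf):
    """Scheme each server_name actually speaks per port: SSL is per socket, not per server{}."""
    ssl, result = ssl_ports(conf), {}
    for block in split_server_blocks(conf):
        name = NAME_RE.search(block).group(1).strip()
        result[name] = {_port(m.group(1).split()): 'https' if _port(m.group(1).split()) in ssl else 'http'
                        for m in LISTEN_RE.finditer(block)}
    return result

def ssl_without_default(conf):
    """Listen directives that nginx 0.7.47's 'nginx -t' rejects: 'ssl' without 'default'."""
    return [m.group(1).strip() for m in LISTEN_RE.finditer(conf)
            if 'ssl' in m.group(1).split()[1:] and 'default' not in m.group(1).split()]
```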