Using http/https in a single server block ("ssl" parameter for "listen")
Igor Sysoev
is at rambler-co.ru
Fri Apr 3 17:20:17 MSD 2009
On Fri, Apr 03, 2009 at 12:47:51PM +0200, Daniel Hahler wrote:
> 2009/4/1 Igor Sysoev:
> > On Wed, Apr 01, 2009 at 08:23:18PM +0200, Daniel Hahler wrote:
> >> I'd like to enable both http and https within a single server block,
> >> without having to copy the whole block and only change "listen 80" to
> >> "listen 443" and add "ssl on".
> >>
> >> This appears to work somehow using the "ssl" parameter with "listen",
> >> but "nginx -t" complains that it can be used together with "default"
> >> only (""ssl" parameter can be specified for the default "listen"
> >> directive only").
> >> However, obviously I can use "default" only once.
> >>
> >> Would it be possible to allow usage of the "ssl" parameter without
> >> having to use "default"?
> >>
> >> The example for "ssl" at
> >> http://wiki.nginx.org/NginxHttpCoreModule#listen uses "default", but
> >> it's not mentioned in the documentation that this is a requirement.
> >>
> >> Example:
> >> server {
> >>     server_name example.com;
> >>     listen 80;
> >>     listen 443 ssl;
> >>
> >>     location / {
> >>         proxy_pass http://server;
> >>     }
> >> }
> >>
> >> I'm using nginx/0.7.47.
> >
> > I cannot say right now if it is possible to allow the "ssl" parameter
> > on a non-default listen, but how do you plan to use two name-based
> > SSL servers on one IP address:
> >
> > server {
> >     server_name example.com;
> >     listen 80;
> >     listen 443 ssl;
> > }
> >
> > server {
> >     server_name beispiel.de;
> >     listen 80;
> >     listen 443 ssl;
> > }
> >
> > ?
>
> Yes.
>
> I'm using a single ssl_certificate/ssl_certificate_key config in the
> http block, so it gets used for all servers.
> I have a single certificate, which works for multiple hostnames (see
> http://daniel.hahler.de/many_common_names_cn_in_one_ssl_certific - I'm
> not sure if it's currently this exact same setup/config, but it comes
> close).
>
> However, you could still allow to use ssl config options in server
> blocks to work when only "listen X ssl" is used, but not "ssl on"?!
> (But of course, you should know much better if this is
> feasible/possible)

Actually, currently it's enough to set "ssl" on the default listen only and
you will get SSL in all server{}s listening on the port:

server {
    listen 80;
    listen 443 default ssl;
    server_name example.com;
}

server {
    listen 80;
    listen 443; # it is SSL-enabled too
    server_name beispiel.de;
}

SSL is a property of the listen socket, although it's not a kernel-related
feature such as rcvbuf/backlog/etc.: if an SSL handshake has been started,
you simply cannot return to plain text.

--
Igor Sysoev
http://sysoev.ru/en/
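
Added example, not part of the original message and not nginx's own code: a small Python check that applies the rule described above (SSL is a property of the listen socket) and lists server blocks that serve SSL on a port without an "ssl" parameter on their own "listen" line. The sample config is constructed from the thread; the parser is a simplification that assumes flat server{} blocks with no nested braces and compares listen addresses as literal strings.

```python
import re

# Constructed sample: the two-server layout from the message above.
SAMPLE = """
server {
    listen 80;
    listen 443 default ssl;
    server_name example.com;
}
server {
    listen 80;
    listen 443;  # it is SSL-enabled too
    server_name beispiel.de;
}
"""

def parse_servers(conf):
    """Return one dict per server{} block: its names and listen directives.
    Assumption: flat server blocks without nested braces, as in SAMPLE."""
    conf = re.sub(r"#[^\n]*", "", conf)  # strip comments
    servers = []
    for body in re.findall(r"\bserver\s*\{([^{}]*)\}", conf):
        names, listens = [], []
        for stmt in body.split(";"):
            words = stmt.split()
            if not words:
                continue
            if words[0] == "server_name":
                names += words[1:]
            elif words[0] == "listen" and len(words) > 1:
                # (address as written, set of extra parameters)
                listens.append((words[1], set(words[2:])))
        servers.append({"names": names, "listens": listens})
    return servers

def implicit_ssl(conf):
    """List (server_name, socket) pairs that serve SSL only because another
    listen directive on the same socket carries the "ssl" parameter."""
    servers = parse_servers(conf)
    ssl_sockets = {a for s in servers for a, p in s["listens"] if "ssl" in p}
    found = []
    for s in servers:
        name = s["names"][0] if s["names"] else "(unnamed)"
        for addr, params in s["listens"]:
            if addr in ssl_sockets and "ssl" not in params:
                found.append((name, addr))
    return found

if __name__ == "__main__":
    for name, addr in implicit_ssl(SAMPLE):
        print(f"{name}: listen {addr} is SSL-enabled via another server block")
```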