Multiple server definitions with SSL

Maxim Dounin mdounin at mdounin.ru
Thu Jul 28 09:36:14 UTC 2011


Hello!

On Thu, Jul 28, 2011 at 10:55:11AM +0400, Igor Sysoev wrote:

> On Tue, Jul 26, 2011 at 10:12:43PM +0400, Maxim Dounin wrote:
> > Hello!
> > 
> > On Tue, Jul 26, 2011 at 05:44:32PM +0100, Ben Lancaster wrote:
> > 
> > > We recently had a problem where we created a new server 
> > > configuration (for http with and without ssl on ports 443 and 80 
> > > respectively) on a shared web server which also included a 
> > > number of other nginx servers similarly configured. 
> > > 
> > > Unfortunately, we neglected to include the ssl_certificate and 
> > > ssl_certificate_key directives for the new server. So, the 
> > > configurations looked something like this:
> > 
> > [...]
> > 
> > > Is this expected behaviour? Should nginx -t not have flagged 
> > > that there was no default ssl_certificate(_key) directives 
> > > defined?
> > 
> > Probably yes, but this isn't currently done when you define 
> > ssl servers with
> > 
> >     listen ... ssl;
> > 
> > Using "ssl on;" in separate server definition will give you 
> > expected config test error.
> 
> I'm going to deprecate "ssl on" directive in favour of "listen ... ssl",
> since SSL is rather a port option, but not server one.
> The initial "ssl on" was inspired by Apache 1.3.
> Apache's "Listen ... https" appeared somewhere in 2005.

Ok, so should we add config parsing time ssl_certificate checks to 
it then?  Or, alternatively, drop these checks altogether assuming 
there are aNULL ciphers to be used or other SNI-based servers 
with certificates defined?

Both should resolve the problem as specified in the original message.  
I personally think the latter looks more promising.

Maxim Dounin


