Multiple server definitions with SSL
mdounin at mdounin.ru
Thu Jul 28 09:36:14 UTC 2011
On Thu, Jul 28, 2011 at 10:55:11AM +0400, Igor Sysoev wrote:
> On Tue, Jul 26, 2011 at 10:12:43PM +0400, Maxim Dounin wrote:
> > Hello!
> > On Tue, Jul 26, 2011 at 05:44:32PM +0100, Ben Lancaster wrote:
> > > We recently had a problem where we created a new server
> > > configuration (for http with and without ssl on ports 443 and 80
> > > respectively) on a shared web server which also included a
> > > number of other nginx servers similarly configured.
> > >
> > > Unfortunately, we neglected to include the ssl_certificate and
> > > ssl_certificate_key directives for the new server. So, the
> > > configurations looked something like this:
> > [...]
> > > Is this expected behaviour? Should nginx -t not have flagged
> > > that there was no default ssl_certificate(_key) directives
> > > defined?
> > Probably yes, but this isn't currently done when you define
> > ssl servers with
> > listen ... ssl;
> > Using "ssl on;" in separate server definition will give you
> > expected config test error.
> I'm going to deprecate "ssl on" directive in favour of "listen ... ssl",
> since SSL is rather a port option, but not server one.
> The initial "ssl on" was inspired by Apache 1.3.
> Apache's "Listen ... https" appeared somewhere in 2005.
Ok, so should we add config parsing time ssl_certificate checks to
it then? Or, alternatively, drop these checks altogether assuming
there are aNULL ciphers to be used or other SNI-based servers
with certificates defined?
Both should resolve the problem as specified in the original message.
I personally think the latter looks more promising.
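
A pre-deployment check for the gap discussed in this thread, as an added example that is not part of the original messages or of nginx: it flags every `listen ... ssl` whose server has no `ssl_certificate`/`ssl_certificate_key` pair in scope. The function names and the sample config are constructed for illustration, and `include` files are not followed.

```python
import re
# Comments, quoted strings, structural characters, bare words.
TOKEN = re.compile(r'''#[^\n]*|"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[{};]|[^\s{};"']+''')
CERT_DIRECTIVES = {"ssl_certificate", "ssl_certificate_key"}

def parse(text):
    """Turn nginx config text into nested (name, args, children) tuples."""
    tokens = iter(t for t in TOKEN.findall(text) if not t.startswith("#"))
    def block():
        items, words = [], []
        for tok in tokens:
            if tok in ";{" and words:
                items.append((words[0], words[1:], block() if tok == "{" else None))
                words = []
            elif tok == "}":
                break
            elif tok not in ";{":
                words.append(tok)
        return items
    return block()

def ssl_listeners_without_cert(text):
    """Return (server_name, listen_args) for ssl listeners with no cert pair in
    scope; directives set at an outer level (e.g. http) count as inherited."""
    def walk(items, inherited):
        present = inherited | {n for n, _, kids in items if kids is None and n in CERT_DIRECTIVES}
        for name, args, kids in items:
            if kids is not None:
                yield from walk(kids, present)
            elif name == "listen" and "ssl" in args[1:] and present != CERT_DIRECTIVES:
                names = [a for n, a, _ in items if n == "server_name"]
                yield (names[0][0] if names else "", " ".join(args))
    return list(walk(parse(text), frozenset()))

SAMPLE = """# Constructed sample: the second server repeats the mistake from the thread.
http {
    server {
        listen 443 ssl;
        server_name old.example.com;
        ssl_certificate     /etc/nginx/old.crt;
        ssl_certificate_key /etc/nginx/old.key;
    }
    server {
        listen 443 ssl;   # certificate directives forgotten
        server_name new.example.com;
    }
}
"""
for server, listen in ssl_listeners_without_cert(SAMPLE):
    print(f"{server}: 'listen {listen}' has no ssl_certificate/ssl_certificate_key in scope")
```

A finding can be intentional in the cases the reply mentions (aNULL ciphers, or other SNI-based servers that carry the certificates), so treat the output as a review prompt, not a hard failure.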