Repeated include /etc/includes/ssl.conf Passes configtest, fails SSL Handshake
Matt Silverlock
matt at eatsleeprepeat.net
Wed Jul 30 02:14:05 UTC 2014
Hi all,
Had a chat with a helpful person on IRC but we're both stumped as to why my configuration passes a check (nginx -t) but fails to properly handle SSL.
– I’ve split a couple of repetitive blocks out into /etc/nginx/includes/ssl.conf (-rw-r--r-- root:root - same as nginx.conf - should not be a problem)
– Doing so results in SSL handshake issues (and the connection fails appropriately)
– My cert covers both the root domain and www
– An excerpt of my configuration is here: http://p.ngx.cc/8796278344c60dcb — but the relevant part is below:

    # re-direct non-www https to https
    server {
        listen 443 ssl;
        server_name example.com;
        include /etc/nginx/includes/ssl.conf;
        return 301 https://www.example.com$request_uri;
    }

    server {
        listen 443 ssl default_server;
        server_name www.example.com;
        include /etc/nginx/includes/ssl.conf;
        root /srv/www/www.example.com/public;
        error_page 502 503 504 /5xx.html;
        # rest of config (proxy pass to Go server)
        # STS header in location block, etc.
    }

If I move the include directive (effectively removing the duplication) into the http block and put the ssl_certificate and ssl_certificate_key directives into each of the two (2) server blocks instead of includes/ssl.conf, all is well. But this conflicts with the documentation (as I interpret it) and still results in some duplicated configuration.
Ideally I want to drop the entire “SSL config” for these two domains into an includes file that I can then just import into the server blocks. If that’s not entirely possible, that’s okay — but configs I’ve seen out in the wild (https://github.com/igrigorik/istlsfastyet.com/blob/master/nginx/includes/ssl.conf) seem to do what I’m trying to achieve :)
Cheers,
Matt
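
One way to see, before a reload, which certificate directives each `listen ... ssl` server block ends up with once `include` lines are expanded and settings from enclosing blocks are inherited. This is an added example, not part of the original post and not a diagnosis of it; the parser is simplified, and the file contents and certificate paths are constructed placeholders.

```python
import re
from collections import ChainMap

# Constructed sample (assumption): not the poster's files; cert paths are placeholders.
FILES = {
    "nginx.conf": """
http {
    server {
        listen 443 ssl;
        server_name example.com;
        include /etc/nginx/includes/ssl.conf;
    }
    server {
        listen 443 ssl default_server;
        server_name www.example.com;   # include left out on purpose
    }
}""",
    "/etc/nginx/includes/ssl.conf": "ssl_certificate /etc/ssl/placeholder.crt;\n"
                                    "ssl_certificate_key /etc/ssl/placeholder.key;\n",
}

def events(name):
    """Yield (kind, words) per directive or brace; include is expanded in place."""
    words = []
    # Comments are dropped with a simple regex; quoting and globs are not handled.
    for tok in re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", FILES[name])):
        if tok not in ("{", "}", ";"):
            words.append(tok)
            continue
        if tok == ";" and words[:1] == ["include"]:
            yield from events(words[1])
        else:
            yield {"{": "open", "}": "close", ";": "set"}[tok], words
        words = []

def audit(root="nginx.conf"):
    """Map each TLS server_name to the certificate directives it ends up without."""
    cur, blocks = ChainMap(), []
    for kind, words in events(root):
        if kind == "open":
            cur = cur.new_child({"_block": words[0]})  # lookups fall back to parents
            blocks.append(cur)
        elif kind == "close":
            cur = cur.parents
        else:
            cur[words[0]] = words[1:]                  # writes to the innermost block
    need = ("ssl_certificate", "ssl_certificate_key")
    return {b.maps[0]["server_name"][0]: [k for k in need if k not in b]
            for b in blocks
            if b["_block"] == "server" and "ssl" in b.maps[0].get("listen", [])}
```

Calling `audit()` on the sample reports `www.example.com` as missing both directives; placing the same `include` at the `http` level clears the report for both servers.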