nginx SSL/SNI phase
Richard Kearsley
richard at kearsley.me
Mon Mar 17 06:23:00 UTC 2014
Hi
I came across this 'issue' on the lua module about having the ability to
control which SSL certificate is used based on a Lua module handler:
https://github.com/chaoslawful/lua-nginx-module/issues/331
I believe at the moment, this phase isn't exposed so there is no way to
hand it off to a module (Lua or any other module).
Could this phase be opened up?
The current method of handling SNI requires a separate server {} for
every site/certificate in nginx.conf, but also requires a restart or a
HUP to make it effective - something which quickly becomes a headache as
more and more sites/certificates are added.
How I see this working:
    server {
        listen 80;
        listen 443 ssl;
        ssl_by_lua '
            -- get a list of your sites however you usually do it
            local sites = require "sites"
            local hostnames = sites.hostnames()
            -- match the sni to one of the hostnames
            if hostnames[ngx.var.sni] then
                -- communicate the path of the cer/key back to nginx
                ngx.var.ssl_cer = hostnames[ngx.var.sni].cer_path
                ngx.var.ssl_key = hostnames[ngx.var.sni].key_path
            else
                ngx.var.ssl_cer = "/usr/local/nginx/conf/default.cer"
                ngx.var.ssl_key = "/usr/local/nginx/conf/default.key"
            end
        ';
        location / {
            # as normal
        }
    }
Many thanks!
Richard
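
An added example, not part of the original message: the SNI-to-certificate lookup that the proposed handler would perform, written as plain Lua with no nginx API. The SNI value is supplied by the client, so it is validated and used only as a key into a fixed table, never to build a file path. The names normalize_sni and select_cert, the wildcard rule and the sample table are assumptions made for illustration.

```lua
-- Added example: hypothetical helpers, not lua-nginx-module code.
local DEFAULT = { cer_path = "/usr/local/nginx/conf/default.cer",
                  key_path = "/usr/local/nginx/conf/default.key" }

-- Constructed sample data in the shape the post's sites.hostnames() implies.
local hostnames = {
  ["example.com"]   = { cer_path = "/etc/ssl/example.com.cer",
                        key_path = "/etc/ssl/example.com.key" },
  ["*.example.org"] = { cer_path = "/etc/ssl/wild.example.org.cer",
                        key_path = "/etc/ssl/wild.example.org.key" },
}

-- Normalise a client-supplied SNI value; return nil unless it is a
-- syntactically plausible DNS hostname.
local function normalize_sni(sni)
  if type(sni) ~= "string" then return nil end
  sni = sni:lower():gsub("%.$", "")   -- case-insensitive, drop one trailing dot
  if #sni == 0 or #sni > 253 then return nil end
  if sni:sub(1, 1) == "." or sni:sub(-1) == "." or sni:find("..", 1, true) then
    return nil                        -- empty label somewhere in the name
  end
  for label in sni:gmatch("[^.]+") do
    if #label > 63 or not label:match("^[a-z0-9-]+$")
       or label:sub(1, 1) == "-" or label:sub(-1) == "-" then
      return nil
    end
  end
  return sni
end

-- Exact match first, then a single-level wildcard, then the default pair.
local function select_cert(sni)
  local name = normalize_sni(sni)
  if not name then return DEFAULT end
  local entry = hostnames[name]
  if entry then return entry end
  local parent = name:match("^[^.]+%.(.+)$")   -- a.example.org -> example.org
  if parent then entry = hostnames["*." .. parent] end
  return entry or DEFAULT
end

-- Constructed inputs: mixed case with trailing dot, wildcard hit,
-- a malformed value, and an unknown host.
for _, sni in ipairs({ "Example.COM.", "a.example.org",
                       "../../etc/passwd", "unknown.test" }) do
  print(sni, select_cert(sni).cer_path)
end
```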