nginx SSL/SNI phase

Richard Kearsley richard at
Mon Mar 17 06:23:00 UTC 2014

I came across this 'issue' on the lua module about having the ability to 
control which SSL certificate is used based on a Lua module handler:
I believe at the moment, this phase isn't exposed so there is no way to 
hand it off to a module (Lua or any other module)

Could this phase be opened up?

The current method of handling SNI requires a separate server {} for 
every site/certificate in nginx.conf, but also requires a restart or a 
HUP to make it effective - something which quickly becomes a headache as 
more and more sites/certficates are added.

How I see this working:

server {
     listen 80;
     listen 443 ssl;

     ssl_by_lua '
         -- get a list of your sites however you usually do it
         local sites = require "sites"
         local hostnames = sites.hostnames()

         -- match the sni to one of the hostnames
         if hostnames[ngx.var.sni] then
             -- communicate the path of the cer/key back to nginx
             ngx.var.ssl_cer = hostnames[ngx.var.sni].cer_path
             ngx.var.ssl_key = hostnames[ngx.var.sni].key_path
             ngx.var.ssl_cer = "/usr/local/nginx/conf/default.cer"
             ngx.var.ssl_key = "/usr/local/nginx/conf/default.key"

     location / {
         # as normal

Many thanks!

More information about the nginx mailing list