do not fail when ssl cert not present.
Maxim Dounin
mdounin at mdounin.ru
Thu Jun 18 17:24:56 UTC 2015
Hello!

On Thu, Jun 18, 2015 at 05:04:16PM +0200, Christ-Jan Wijtmans wrote:
> I tried to not fail the nginx server if ssl cert is not available.
> However the directive is not even allowed inside a statement.
>
> if (-f /var/www/x/etc/ssl.crt)
> {
> ssl_certificate /var/www/x/etc/ssl.crt;
> ssl_certificate_key /var/www/x/etc/ssl.key;
> }

This won't work, as nginx loads certificates and keys while
parsing configuration, but "if" is a directive of the rewrite
module and it is executed during request processing, see
http://nginx.org/r/if.

If you want nginx to only load existing certificates, you'll have
to teach it to do so by only using appropriate directives when
certificates and keys are actually available. The "include"
directive may help if you want to automate this, see
http://nginx.org/r/include.

> Also I do not believe it's proper to fail the entire server if one
> server block fails.

Current approach is as follows: if there is a problem with a
configuration, nginx will refuse to use it. This way, if you
make a typo in your configuration and ask nginx to reload the
configuration, nginx will just refuse to load bad configuration
and will continue to work with old one. This makes sure that
nginx won't suddenly become half-working due to a typo which can
be easily detected.

This may not be very familiar if you are used to just restarting daemons
with a new configuration, but this is how nginx works. Basically,
you never restart it at all - you either reconfigure nginx, or
upgrade it to a new version by changing executable on the fly.
And it's working all the time. See some details on how to control
nginx at http://nginx.org/en/docs/control.html.
--
Maxim Dounin
http://nginx.org/
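
One way to automate the "include" approach suggested in the reply above, as an added example that is not part of the original message or of nginx itself. The function name `gen_ssl_include`, the snippet path and the choice to put `listen 443 ssl;` in the snippet are assumptions of this example.

```shell
#!/bin/sh
# Added example: build an nginx snippet at deploy time, before nginx parses
# the configuration, instead of testing for the files with "if" at request
# time. The server block is assumed to contain only:
#     include /var/www/x/etc/ssl.inc;    (hypothetical path)
# plus its plain-HTTP "listen" and the rest of the site configuration.

# gen_ssl_include CERT KEY OUT
# Writes the TLS listen and certificate directives to OUT when CERT and KEY
# are both readable, non-empty files. Otherwise writes a comment-only snippet,
# so "include OUT;" still parses and the server block stays HTTP-only.
# Returns 0 if TLS directives were written, 1 if they were omitted,
# 2 if the snippet could not be written.
gen_ssl_include() {
    cert=$1 key=$2 out=$3
    tmp="$out.tmp.$$"
    if [ -r "$cert" ] && [ -s "$cert" ] && [ -r "$key" ] && [ -s "$key" ]; then
        {
            # The TLS listener lives in the snippet too: a "listen ... ssl"
            # without a certificate would itself be a configuration error.
            printf 'listen 443 ssl;\n'
            printf 'ssl_certificate %s;\n' "$cert"
            printf 'ssl_certificate_key %s;\n' "$key"
        } > "$tmp" || return 2
        rc=0
    else
        printf '# certificate or key missing: TLS directives omitted\n' \
            > "$tmp" || return 2
        rc=1
    fi
    # Rename into place so nginx never reads a half-written snippet.
    mv -f "$tmp" "$out" || return 2
    return "$rc"
}
```

After regenerating the snippet, check the result with `nginx -t` and then reload with `nginx -s reload`.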