SNI support for nginx

Yichun Zhang (agentzh) agentzh at gmail.com
Thu Jul 7 05:55:01 UTC 2016


Hello!

On Tue, Jul 5, 2016 at 11:57 PM, Christian Rohmann wrote:
> On 07/04/2016 12:31 PM, Sushma wrote:
>> Or is there a way, nginx will be able to dynamically figure out the cert to
>> be presented without it being explicitly mentioned via the directive
>> ssl_certificate?
>
> After some research not statically by configuration. But using a bit of
> lua could offer a way to maybe make this happen. Something like:
> https://litespeed.io/dynamic-tls-certificates-with-openresty-and-ssl_certificate_by_lua/
>

Aye. CloudFlare, for example, has been using ssl_certificate_by_lua*
with the ngx.ssl Lua module to lazily load a *lot* of SSL certificates
and private keys from remote services (via nonblocking IO) only on
demand in its global SSL gateway network for long. With lazy loading
and local caching (via lua_shared_dict and/or lua-resty-lrucache), the
flexibility and performance can be both excellent. You can not only
look up your SSL credentials via SNI, but also via the server IP
address the client is accessing (for older SSL clients that do not
support TLS SNI).

The formal documentation for this feature is:

    https://github.com/openresty/lua-nginx-module/#ssl_certificate_by_lua_block

    https://github.com/openresty/lua-resty-core/blob/master/lib/ngx/ssl.md#readme

Even dynamic OCSP stapling is supported ;)

The easiest way to get everything set up is to use the OpenResty bundle BTW:

    http://openresty.org/en/

Have fun!

Best regards,
-agentzh
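A minimal ssl_certificate_by_lua handler of the kind described above, added here as an illustration (it is not agentzh's, CloudFlare's or OpenResty's own code). It selects the certificate by SNI, converts PEM to DER once and caches the DER in a lua_shared_dict; the certificate directory, the shared dict name and the placeholder certificate pair are assumptions.

```lua
-- ssl_certificate_by_lua_file handler (added example). Assumed nginx.conf:
--   lua_shared_dict ssl_certs 10m;
--   ssl_certificate /etc/nginx/placeholder.crt;      # nginx still requires a static pair,
--   ssl_certificate_key /etc/nginx/placeholder.key;  # replaced per handshake by this script
--   ssl_certificate_by_lua_file /etc/nginx/lua/sni_cert.lua;
local ssl = require "ngx.ssl"
local cache = ngx.shared.ssl_certs
local CERT_DIR = "/etc/nginx/certs/"  -- assumed layout: <hostname>.crt and <hostname>.key
local TTL = 300                       -- seconds a DER blob stays cached in the shared dict
local function read_file(path)  -- stand-in for a cosocket fetch from a remote key store
  local f = io.open(path, "rb")
  if not f then return nil end
  local data = f:read("*a")
  f:close()
  return data
end
-- Returns der_cert, der_key on success, or nil, err; PEM->DER is done once per TTL.
local function load_der_pair(name)
  local der_cert, der_key = cache:get("cert:" .. name), cache:get("key:" .. name)
  if der_cert and der_key then return der_cert, der_key end
  local pem_cert, pem_key = read_file(CERT_DIR .. name .. ".crt"), read_file(CERT_DIR .. name .. ".key")
  if not pem_cert or not pem_key then return nil, "no credentials on disk" end
  local err
  der_cert, err = ssl.cert_pem_to_der(pem_cert)
  if not der_cert then return nil, err end
  der_key, err = ssl.priv_key_pem_to_der(pem_key)
  if not der_key then return nil, err end
  cache:set("cert:" .. name, der_cert, TTL)
  cache:set("key:" .. name, der_key, TTL)
  return der_cert, der_key
end

local name = ssl.server_name()
-- Accept only a conservative hostname shape so the client-supplied SNI can never
-- select an arbitrary path (no slashes, no "..", no empty labels).
if not name or not name:match("^[%w][%w%-%.]*$") or name:find("%.%.") then
  return  -- no usable SNI: fall through to the static placeholder certificate
end
name = name:lower()
local der_cert, der_key = load_der_pair(name)  -- der_key holds the error when der_cert is nil
if not der_cert then
  ngx.log(ngx.WARN, "no certificate for SNI '", name, "': ", der_key)
  return
end
local ok, err = ssl.clear_certs()
if not ok then ngx.log(ngx.ERR, "clear_certs: ", err) return ngx.exit(ngx.ERROR) end
ok, err = ssl.set_der_cert(der_cert)
if not ok then ngx.log(ngx.ERR, "set_der_cert: ", err) return ngx.exit(ngx.ERROR) end
ok, err = ssl.set_der_priv_key(der_key)
if not ok then ngx.log(ngx.ERR, "set_der_priv_key: ", err) return ngx.exit(ngx.ERROR) end
```

The lookup by server IP address for non-SNI clients that the post mentions (ssl.raw_server_addr() in ngx.ssl) is omitted here; on a cache miss the blocking file read would be replaced by a cosocket call to the credential service in a production deployment.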


