Dynamic Cert/Key Lookup

Daniël Mostertman daniel at mostertman.org
Thu Jun 23 11:40:07 UTC 2016


On 2016-06-23 09:39, Moritz Machner wrote:
> Hello,
>
> Is it possible to dynamically get a cert/key from a database or a 
> script for SNI?
>
> I want to dynamically add new domains with certs for a web app without 
> changing the config or restarting nginx:
>
> 1. get SNI request for domain example342343.com
> 2. ask mysql for the cert and key for example342343.com
> 3. start encryption
>
> Is that possible?

Yes, though you would need a bundle called OpenResty (openresty.org) 
that comes with nginx, Lua and some patches to make it all work smoother.
You will lose some features that standard nginx comes with, like http2.

I'm working on my own project with it. I would recommend against 
using MySQL, though; consider either a file-based storage with a shared 
dictionary inside nginx as cache, and/or use redis as backend.
There are a few articles on it. I was working on one myself as I'm going, 
and it's in no way perfect (plus I made some changes already):

https://finalx.nl/display/NG/OpenResty

After which I stumbled upon https://github.com/GUI/lua-resty-auto-ssl 
which basically does everything I want, and perhaps you as well. It 
even uses letsencrypt.sh to generate certificates and keys on-the-fly 
when a request comes in.
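
The setup described in the reply above (OpenResty, a shared dictionary as cache, Redis as backend), as an added example that is not part of the original message or of either project linked there. It uses OpenResty's `ssl_certificate_by_lua_block` with the `ngx.ssl` and `resty.redis` modules; the Redis address, the key names `cert:<domain>` / `key:<domain>` holding PEM data, the cache name and TTL, and the fallback file paths are all assumptions.

```nginx
# Added example. Assumed: Redis on 127.0.0.1:6379 with PEM data stored under
# "cert:<domain>" and "key:<domain>"; fallback paths are placeholders.
lua_shared_dict cert_cache 10m;   # DER cert/key cache shared by all workers

server {
    listen 443 ssl;
    # nginx requires a static pair; it is also served whenever the lookup fails.
    ssl_certificate     /etc/nginx/ssl/fallback.crt;
    ssl_certificate_key /etc/nginx/ssl/fallback.key;

    ssl_certificate_by_lua_block {
        local ssl = require "ngx.ssl"
        local name = ssl.server_name()
        -- Validate the client-supplied SNI value before using it as a lookup key.
        if not name or #name > 253 or not name:find("^[%w%.%-]+$") then return end
        name = name:lower()

        local cache = ngx.shared.cert_cache
        local cert, key = cache:get("c:" .. name), cache:get("k:" .. name)
        if not (cert and key) then
            local red = require("resty.redis"):new()
            red:set_timeout(200)   -- ms; a slow Redis must not stall handshakes
            local ok, err = red:connect("127.0.0.1", 6379)
            if not ok then ngx.log(ngx.ERR, "redis connect: ", err) return end
            local res = red:mget("cert:" .. name, "key:" .. name)
            if not res then return end
            red:set_keepalive(10000, 32)   -- return the connection to the pool
            -- Unknown domain: keep the fallback certificate.
            if res[1] == ngx.null or res[2] == ngx.null then return end
            cert = ssl.cert_pem_to_der(res[1])
            key  = ssl.priv_key_pem_to_der(res[2])
            if not (cert and key) then return end
            cache:set("c:" .. name, cert, 300)   -- 5 minute TTL (assumed)
            cache:set("k:" .. name, key, 300)
        end

        ssl.clear_certs()   -- drop the fallback pair for this handshake only
        if not (ssl.set_der_cert(cert) and ssl.set_der_priv_key(key)) then
            ngx.log(ngx.ERR, "could not set certificate for ", name)
            return ngx.exit(ngx.ERROR)
        end
    }
}
```

Because Redis and the shared dictionary hold private keys here, both need the same access restrictions as key files on disk.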




More information about the nginx mailing list