Dynamic Cert/Key Lookup
Daniël Mostertman
daniel at mostertman.org
Thu Jun 23 11:40:07 UTC 2016
On 2016-06-23 09:39, Moritz Machner wrote:
> Hello,
>
> is it possible to dynamical get an cert/key from an database or an
> script for SNI?
>
> I want to dynamical add new domains with certs for an web app without
> changing the config oder restarting nginx:
>
> 1. get SNI request for domain example342343.com
> <http://example342343.com>
> 2. ask mysql for the cert and key for example342343.com
> <http://example342343.com>
> 3. start encryption
>
> Is that possible?
Yes, though you would need a bundle called OpenResty (openresty.org)
that comes with nginx, LUA and some patches to make it all work smoother.
You will lose some features that standard nginx comes with, like http2.
I'm working on my own project with it. Though I would recommend against
using MySQL, but consider either a file-based storage with a shared
dictionary inside nginx as cache, and/or use redis as backend.
There's a few articles on it, I was working on one myself as I'm going,
and it's in no way perfect (plus I made some changes already):
https://finalx.nl/display/NG/OpenResty
After which I stumbled upon https://github.com/GUI/lua-resty-auto-ssl
which basically does everything I want, and you perhaps as well .. it
even uses letsencrypt.sh to generate certificates and keys on-the-fly
when a request comes in.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20160623/60fbf874/attachment.html>
More information about the nginx
mailing list