Do not fail when ssl cert not present

I tried to not fail the nginx server if ssl cert is not available.
However the directive is not even allowed inside a statement.

    if (-f /var/www/x/etc/ssl.crt)
    {
           ssl_certificate /var/www/x/etc/ssl.crt;
           ssl_certificate_key /var/www/x/etc/ssl.key;
    }

Also i do not believe its proper to fail the entire server if one
server block fails.

Hi,

I tried to not fail the nginx server if ssl cert is not available.

You do that by checking the config first (nginx -t), if successful,
then youreload. This is the proper way to do it.

Also i do not believe its proper to fail the entire server if one
server block fails.

It is.

Hello!

On Thu, Jun 18, 2015 at 05:04:16PM +0200, Christ-Jan Wijtmans wrote:

I tried to not fail the nginx server if ssl cert is not available.
However the directive is not even allowed inside a statement.

    if (-f /var/www/x/etc/ssl.crt)
    {
           ssl_certificate /var/www/x/etc/ssl.crt;
           ssl_certificate_key /var/www/x/etc/ssl.key;
    }

This won’t work, as nginx loads certificates and keys while
parsing configuration, but “if” is a directive of the rewrite
module and it is executed during request processing, see
http://nginx.org/r/if.

If you want nginx to only load existing certificates, you’ll have
to teach it to do so by only using appropriate directives when
certificates and keys are actually available. The “include”
directive may help if you want to automate this, see
http://nginx.org/r/include.

Also i do not believe its proper to fail the entire server if one
server block fails.

Current approach is as follows: if there is a problem with a
configuration, nginx will refuse to use it. This way, if you’ll
make an typo in your configuration and ask nginx to reload the
configuration, nginx will just refuse to load bad configuration
and will continue to work with old one. This makes sure that
nginx won’t suddenly become half-working due to a typo which can
be easily detected.

This may be not very familiar if you used to just restart daemons
with a new configuration, but this is how nginx works. Basically,
you never restart it at all - you either reconfigure nginx, or
upgrade it to a new version by changing executable on the fly.
And it’s working all the time. See some details on how to control
nginx at http://nginx.org/en/docs/control.html.


Maxim D.
http://nginx.org/

Hello!

On Thu, Jun 18, 2015 at 11:22:27PM +0200, Christ-Jan Wijtmans wrote:

If you want nginx to only load existing certificates, you’ll have
to teach it to do so by only using appropriate directives when
certificates and keys are actually available. The “include”
directive may help if you want to automate this, see
http://nginx.org/r/include.

I dont see how include here helps. Basically currently there is no
certificate. And i want to give the user control over the certificate
which is why i placed in ~/etc/. Which means when the user deletes it
the server wont restart.

You’ll have to write a script to automate checking if a user
placed a certificate or not, and update nginx config
appropriately. Generating a single include file is usually easier
than re-generating the whole config.

The server config didnt fail. There was no typo.

You’ve asked nginx to load a non-existing file. That’s an obvious
error which is easy to detect. The above paragraph tries to
explain why the nginx behaviour is such a situation is to reject
the configuration, and why this behaviour won’t be changed.


Maxim D.
http://nginx.org/

If you want nginx to only load existing certificates, you’ll have
to teach it to do so by only using appropriate directives when
certificates and keys are actually available. The “include”
directive may help if you want to automate this, see
http://nginx.org/r/include.

I dont see how include here helps. Basically currently there is no
certificate. And i want to give the user control over the certificate
which is why i placed in ~/etc/. Which means when the user deletes it
the server wont restart.

Also i do not believe its proper to fail the entire server if one
server block fails.

Current approach is as follows: if there is a problem with a
configuration, nginx will refuse to use it. This way, if you’ll
make an typo in your configuration and ask nginx to reload the
configuration, nginx will just refuse to load bad configuration
and will continue to work with old one. This makes sure that
nginx won’t suddenly become half-working due to a typo which can
be easily detected.

The server config didnt fail. There was no typo.

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs