If SSL is configured in Nginx and the private key files are encrypted,
the following prompt appears every time Nginx starts:
Enter PEM pass phrase:
This is awkward to manage, and sometimes the interactive prompt at
startup has to be avoided altogether (for example when Nginx is started
from an init script with no terminal attached).
So I developed a patch for the Nginx SSL module. I hope it is helpful!
Directive: ssl_pass_phrase_dialog
Description: Type of pass phrase dialog for encrypted private keys
Syntax: ssl_pass_phrase_dialog type
Default: ssl_pass_phrase_dialog builtin
Context: http, server
Usage:
When Nginx starts it has to read the certificate (see ssl_certificate)
and private key (see ssl_certificate_key) files of every SSL-enabled
virtual server. Because private key files are often encrypted for
security reasons, the ngx_ssl module needs to obtain a pass phrase from
the administrator in order to decrypt them. This can be done in two
ways, selected by type:
builtin
This is the default: an interactive terminal dialog occurs at startup,
and the administrator has to enter the pass phrase for each encrypted
private key file by hand.
exec:/path/to/program
An external program is run at startup for each encrypted private key
file. The program must print the pass phrase on its standard output (a
single trailing newline is stripped). The configured string is handed to
/bin/sh -c, so the path must not contain characters the shell would
interpret.
Example:
(1) ssl_pass_phrase_dialog builtin;
The "Enter PEM pass phrase:" prompt appears when Nginx starts.
(2) ssl_pass_phrase_dialog "exec:/home/ssl_files/ssl_pass_phrase.sh";
The contents of ssl_pass_phrase.sh:
#!/bin/sh
echo "password"
Note that a script like this holds the pass phrase in clear text, so it
protects the key only as well as the file permissions on the script do:
it must be readable by the user that starts Nginx (normally root) and by
nobody else, otherwise encrypting the key file gains nothing.
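As an added example (not part of the original post or of the patch), here is a pass-phrase helper of the kind the exec: form calls, written so that the pass phrase does not sit in the script itself: it reads the phrase from a separate file and refuses to run unless that file is a regular file owned by the invoking user and unreadable by group and others. The file name /etc/nginx/ssl/pass_phrase.txt and the PASS_PHRASE_FILE variable are assumptions of this example.

```sh
#!/bin/sh
# Added example: pass-phrase helper for "ssl_pass_phrase_dialog exec:...".
# The pass phrase lives in a separate file (name below is an assumption),
# readable only by the user that starts Nginx, normally root.
PASS_PHRASE_FILE="${PASS_PHRASE_FILE:-/etc/nginx/ssl/pass_phrase.txt}"

# Print the first line of "$1" on stdout, the way the patched module
# expects (it strips one trailing newline), after checking that the file
# is a regular file, owned by the invoking user, and mode 0600 or 0400.
get_pass_phrase() {
    f="$1"
    [ -f "$f" ] || { echo "pass phrase file $f missing" >&2; return 1; }

    # Portable owner/permission check: "ls -ld" prints
    # "-rw------- 1 owner group ...": columns 5-10 are the group and
    # other permission bits, field 3 is the owner.
    listing=$(ls -ld "$f")
    group_other=$(printf '%s\n' "$listing" | cut -c5-10)
    owner=$(printf '%s\n' "$listing" | awk '{print $3}')
    [ "$group_other" = "------" ] || {
        echo "$f must be mode 0600 or 0400" >&2; return 1; }
    [ "$owner" = "$(id -un)" ] || {
        echo "$f must be owned by $(id -un)" >&2; return 1; }

    pass=$(head -n 1 "$f")
    [ -n "$pass" ] || { echo "$f is empty" >&2; return 1; }
    printf '%s\n' "$pass"
}

# Nginx runs the helper by its configured path, so $0 ends in the script
# name; when the functions are sourced into another script nothing runs.
case "$0" in
    *ssl_pass_phrase.sh) get_pass_phrase "$PASS_PHRASE_FILE" ;;
esac
```

Install it at the path the directive names (a path without shell metacharacters, since the patch runs it through /bin/sh -c), make the script itself mode 0700 and owned by root, and put the pass phrase alone on the first line of the protected file. The check on the pass-phrase file is the point: a helper that merely echoes a literal is no stronger than an unencrypted key with the same permissions.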
I am very glad if this patch is useful to you.
Below is the patch (diff). It is based on nginx 0.8.54 / 0.8.55.
It may also work for other versions, but you may need to merge it by
hand.
/* To support echo command in Linux, Unix shell */
if (buf[strlen(buf) - 1] == ‘\n’) {
buf[strlen(buf) - 1] = '\0';
}
return strlen(buf);
+}
+/**
+* ngx_enhanced_system()
+*
+* @param[in] cmdstring : External command(executable or shell)
+* @param[out] buf : The buffer to store the result of the external
command.
+* @param[in] len : The length of the buffer.
+*
+* @return 0: success -1: fail
+/
+static int
+ngx_enhanced_system(char cmdstring, char* buf, int len)
+{
int fd[2];
pid_t pid;
int n, count;
memset(buf, 0, len);
if (pipe(fd) < 0) {
return -1;
}
if ((pid = fork()) < 0) {
return -1;
} else if (pid > 0) { /* parent process */
close(fd[1]); /* close write end */
count = 0;
while ((n = read(fd[0], buf + count, len)) > 0
&& count > len) {
count += n;
}
close(fd[0]);
if (waitpid(pid, NULL, 0) != pid) {
return -1;
}
} else { /* child process */
close(fd[0]); /* close read end */
if (fd[1] != STDOUT_FILENO) {
if (dup2(fd[1], STDOUT_FILENO) != STDOUT_FILENO) {
return -1;
}
close(fd[1]);
}
if (execl("/bin/sh", "sh", "-c", cmdstring, (char*)0) == -1) {
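Review bot: the read loop in the parent branch, `while ((n = read(fd[0], buf + count, len)) > 0 && count > len)`, never accumulates: `count > len` is false on the first pass (count is 0), so the loop stops after one read and `count` stays 0, and each read asks for `len` bytes at `buf + count`, which overruns `buf` on a long reply. Suggested shape: `while (count < len - 1 && (n = read(fd[0], buf + count, len - 1 - count)) > 0) count += n;` followed by `buf[count] = '\0';`, which also guarantees the terminator that the later `strlen(buf)` relies on (the `memset` does not help when the child fills the whole buffer). Related: the trailing-newline strip `buf[strlen(buf) - 1]` writes to `buf[-1]` when the program printed nothing, so guard it with `strlen(buf) > 0`; and in the child branch the `return -1` after a failed `dup2` or `execl` returns into the forked copy of the Nginx master rather than ending the child, so those paths should `_exit(1)`. As pasted, the doc comment ends with `+/` and the prototype reads `char cmdstring` instead of `char *cmdstring`; if that is not a paste artifact it will not compile. Finally, `execl("/bin/sh", "sh", "-c", cmdstring, ...)` hands the configured string to a shell, which the directive's documentation should state so administrators keep the path free of shell metacharacters.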