SNI support for nginx

Hi,

I am relatively new to nginx.
I would like to set up multiple domains on the same port. Nginx has SNI
support enabled.
Do I have to still point to the right ssl certificate and ssl private in
each of the server blocks using the ssl_certificate directive?
Or is there a way nginx will be able to dynamically figure out the cert to
be presented without it being explicitly mentioned via the directive
ssl_certificate?

Posted at Nginx Forum:


nginx mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx

Hello!

On Mon, Jul 04, 2016 at 06:31:02AM -0400, Sushma wrote:

> I am relatively new to nginx.
> I would like to set up multiple domains on the same port. Nginx has SNI
> support enabled.
> Do I have to still point to the right ssl certificate and ssl private in
> each of the server blocks using the ssl_certificate directive?

Yes.

> Or is there a way nginx will be able to dynamically figure out the cert to
> be presented without it being explicitly mentioned via the directive
> ssl_certificate?

No.


Maxim D.
http://nginx.org/

On 07/04/2016 12:31 PM, Sushma wrote:

> Or is there a way nginx will be able to dynamically figure out the cert to
> be presented without it being explicitly mentioned via the directive
> ssl_certificate?

After some research: not statically, by configuration. But using a bit of
Lua could offer a way to maybe make this happen. Something like:
https://litespeed.io/dynamic-tls-certificates-with-openresty-and-ssl_certificate_by_lua/

Regards

Christian

Hello!

On Tue, Jul 5, 2016 at 11:57 PM, Christian Rohmann wrote:

> On 07/04/2016 12:31 PM, Sushma wrote:
>
> > Or is there a way nginx will be able to dynamically figure out the cert to
> > be presented without it being explicitly mentioned via the directive
> > ssl_certificate?
>
> After some research: not statically, by configuration. But using a bit of
> Lua could offer a way to maybe make this happen. Something like:
>
> https://litespeed.io/dynamic-tls-certificates-with-openresty-and-ssl_certificate_by_lua/

Aye. CloudFlare, for example, has been using ssl_certificate_by_lua*
with the ngx.ssl Lua module to lazily load a lot of SSL certificates
and private keys from remote services (via nonblocking IO) only on
demand in its global SSL gateway network for a long time. With lazy loading
and local caching (via lua_shared_dict and/or lua-resty-lrucache), the
flexibility and performance can both be excellent. You can not only
look up your SSL credentials via SNI, but also via the server IP
address the client is accessing (for older SSL clients that do not
support TLS SNI).

The formal documentation for this feature is:

https://github.com/openresty/lua-nginx-module/#ssl_certificate_by_lua_block

https://github.com/openresty/lua-resty-core/blob/master/lib/ngx/ssl.md#readme

Even dynamic OCSP stapling is supported :wink:

The easiest way to get everything set up is to use the OpenResty bundle,
BTW:

http://openresty.org/en/

Have fun!

Best regards,
-agentzh
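As an added example (not code from this thread, nor OpenResty's own), this is what the ssl_certificate_by_lua* approach Christian and agentzh describe looks like in practice: a Lua file loaded with `ssl_certificate_by_lua_file` that selects the certificate by the TLS SNI name, caches the DER forms in a `lua_shared_dict`, and keeps the statically configured placeholder certificate whenever no match exists. The certificate directory, the `cert_cache` dictionary name and the `<host>.crt`/`<host>.key` naming are assumptions.

```lua
-- cert_by_sni.lua (hypothetical). Assumed nginx config:
--   http { lua_shared_dict cert_cache 10m; ... }
--   server { listen 443 ssl; ssl_certificate placeholder.crt; ssl_certificate_key placeholder.key;
--            ssl_certificate_by_lua_file /etc/nginx/lua/cert_by_sni.lua; ... }
local ssl = require "ngx.ssl"

local CERT_DIR = "/etc/nginx/certs"  -- assumed layout: <host>.crt and <host>.key per hostname
local TTL = 300                       -- seconds; bounds how long a rotated cert can stay stale

-- The SNI name is attacker-controlled input that becomes part of a file path:
-- accept only hostname characters and reject anything that could walk the directory.
local function safe_name(name)
    if not name or #name > 253 or not name:match("^[%w%-%.]+$") or name:find("..", 1, true) then
        return nil
    end
    return name:lower()
end

local function read_file(path)  -- local disk read; a remote fetch should use a cosocket instead
    local f, err = io.open(path, "rb")
    if not f then return nil, err end
    local data = f:read("*a")
    f:close()
    return data
end

-- Returns DER cert and key for the host, served from the shared dict when possible.
local function load_der_pair(name)
    local shm = ngx.shared.cert_cache
    local cert, key = shm:get("cert:" .. name), shm:get("key:" .. name)
    if cert and key then return cert, key end
    local cert_pem = read_file(CERT_DIR .. "/" .. name .. ".crt")
    local key_pem = read_file(CERT_DIR .. "/" .. name .. ".key")
    if not cert_pem or not key_pem then return nil, "no credentials for " .. name end
    local cert_der, err = ssl.cert_pem_to_der(cert_pem)
    if not cert_der then return nil, err end
    local key_der, kerr = ssl.priv_key_pem_to_der(key_pem)
    if not key_der then return nil, kerr end
    shm:set("cert:" .. name, cert_der, TTL)
    shm:set("key:" .. name, key_der, TTL)
    return cert_der, key_der
end

local name = safe_name(ssl.server_name())
if not name then return end  -- no usable SNI (old client or bogus name): keep the placeholder cert
local cert_der, key_der = load_der_pair(name)
if not cert_der then
    ngx.log(ngx.WARN, "dynamic cert lookup failed for ", name, ": ", key_der)
    return  -- unknown host: fall back to the statically configured certificate
end
-- Swap in the per-host credentials for this handshake only.
local ok, err = ssl.clear_certs()
if ok then ok, err = ssl.set_der_cert(cert_der) end
if ok then ok, err = ssl.set_der_priv_key(key_der) end
if not ok then ngx.log(ngx.ERR, "failed to set cert for ", name, ": ", err) return ngx.exit(ngx.ERROR) end
```

Because each handshake reads state under the SNI name, the whitelist in `safe_name` and the fallback to the placeholder certificate are what keep a hostile ClientHello from turning into a path lookup or a handshake failure for every other client.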