Forum: NGINX SNI support for nginx

Sushma (Guest)
on 2016-07-04 12:31
(Received via mailing list)
Hi,

I am relatively new to nginx.
I would like to set up multiple domains on the same port. Nginx has SNI
support enabled.
Do I still have to point to the right ssl certificate and ssl private in
each of the server blocks using the ssl_certificate directive?
Or is there a way, nginx will be able to dynamically figure out the cert to
be presented without it being explicitly mentioned via the directive
ssl_certificate?

Posted at Nginx Forum:
https://forum.nginx.org/read.php?2,268024,268024#msg-268024
Maxim Dounin (Guest)
on 2016-07-04 13:19
(Received via mailing list)
Hello!

On Mon, Jul 04, 2016 at 06:31:02AM -0400, Sushma wrote:

> I am relatively new to nginx.
> I would like to set up multiple domains on the same port. Nginx has SNI
> support enabled.
> Do I still have to point to the right ssl certificate and ssl private in
> each of the server blocks using the ssl_certificate directive?

Yes.

> Or is there a way, nginx will be able to dynamically figure out the cert to
> be presented without it being explicitly mentioned via the directive
> ssl_certificate?

No.

--
Maxim Dounin
http://nginx.org/
Christian Rohmann (Guest)
on 2016-07-06 08:58
(Received via mailing list)
On 07/04/2016 12:31 PM, Sushma wrote:
> Or is there a way, nginx will be able to dynamically figure out the cert to
> be presented without it being explicitly mentioned via the directive
> ssl_certificate?

After some research: not statically by configuration. But using a bit of
Lua could offer a way to maybe make this happen. Something like:
https://litespeed.io/dynamic-tls-certificates-with...



Regards

Christian
Yichun Zhang (agentzh) (Guest)
on 2016-07-07 07:55
(Received via mailing list)
Hello!

On Tue, Jul 5, 2016 at 11:57 PM, Christian Rohmann wrote:
> On 07/04/2016 12:31 PM, Sushma wrote:
>> Or is there a way, nginx will be able to dynamically figure out the cert to
>> be presented without it being explicitly mentioned via the directive
>> ssl_certificate?
>
> After some research not statically by configuration. But using a bit of
> lua could offer a way to maybe make this happen. Something like:
>
> https://litespeed.io/dynamic-tls-certificates-with...
>

Aye. CloudFlare, for example, has been using ssl_certificate_by_lua*
with the ngx.ssl Lua module to lazily load a *lot* of SSL certificates
and private keys from remote services (via nonblocking IO) only on
demand in its global SSL gateway network for a long time. With lazy loading
and local caching (via lua_shared_dict and/or lua-resty-lrucache), the
flexibility and performance can both be excellent. You can not only
look up your SSL credentials via SNI, but also via the server IP
address the client is accessing (for older SSL clients that do not
support TLS SNI).

The formal documentation for this feature is:

    https://github.com/openresty/lua-nginx-module/#ssl...

    https://github.com/openresty/lua-resty-core/blob/m...

Even dynamic OCSP stapling is supported ;)

The easiest way to get everything set up is to use the OpenResty bundle
BTW:

    http://openresty.org/en/

Have fun!

Best regards,
-agentzh
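
The approach described in the last reply, as an added example that is not part of the original thread and is not CloudFlare's or OpenResty's own code: a single server block that picks the certificate by SNI in ssl_certificate_by_lua_block and caches it in a lua_shared_dict. The certificate directory layout, the dict name `tls_der` and the one-hour TTL are assumptions, and a blocking local file read stands in for the nonblocking remote lookup the post mentions.

```nginx
# Added example: paths, dict name and TTL are assumptions, not from the thread.
events {}
http {
    lua_shared_dict tls_der 10m;          # per-host cache of DER cert chain + key
    server {
        listen 443 ssl;
        server_name _;
        # nginx still requires static credentials here; they act as the fallback.
        ssl_certificate     /etc/nginx/certs/default.crt;
        ssl_certificate_key /etc/nginx/certs/default.key;

        ssl_certificate_by_lua_block {
            local ssl = require "ngx.ssl"
            local name = ssl.server_name()      -- nil when the client sent no SNI
            if not name then return end         -- keep the static fallback cert
            name = name:lower()
            -- SNI is client-controlled: accept only hostname characters
            -- before it is used as a cache key or in a file path.
            if #name > 253 or name:find("..", 1, true)
               or not name:match("^[a-z0-9][a-z0-9.-]*$") then
                return ngx.exit(ngx.ERROR)
            end

            local cache = ngx.shared.tls_der
            local cert, key = cache:get(name .. ":crt"), cache:get(name .. ":key")
            if not (cert and key) then
                local function slurp(path)
                    local f = io.open(path, "rb")
                    if not f then return nil end
                    local data = f:read("*a"); f:close()
                    return data
                end
                local crt_pem = slurp("/etc/nginx/certs/" .. name .. ".crt")
                local key_pem = slurp("/etc/nginx/certs/" .. name .. ".key")
                if not (crt_pem and key_pem) then return end   -- unknown host
                cert = ssl.cert_pem_to_der(crt_pem)
                key  = ssl.priv_key_pem_to_der(key_pem)
                if not (cert and key) then return ngx.exit(ngx.ERROR) end
                cache:set(name .. ":crt", cert, 3600)
                cache:set(name .. ":key", key, 3600)
            end

            if not (ssl.clear_certs() and ssl.set_der_cert(cert)
                    and ssl.set_der_priv_key(key)) then
                return ngx.exit(ngx.ERROR)
            end
        }
    }
}
```

Hosts without a matching file pair are served the static fallback certificate, so the handshake fails closed only on malformed names or unparsable credentials.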