1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
|
=encoding utf-8
=head1 Name
configuring_https_servers - Configuring HTTPS servers
=head1
To configure an HTTPS server, the C<ssl> parameter
must be enabled on
L<listening sockets|ngx_http_core_module>
in the L<ngx_http_core_module> block,
and the locations of the
L<server certificate|ngx_http_ssl_module>
and
L<private key|ngx_http_ssl_module>
files should be specified:
server {
listen 443 <b>ssl</b>;
server_name www.example.com;
ssl_certificate <b>www.example.com.crt</b>;
ssl_certificate_key <b>www.example.com.key</b>;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
...
}
The server certificate is a public entity.
It is sent to every client that connects to the server.
The private key is a secure entity and should be stored in a file with
restricted access, however, it must be readable by nginx’s master process.
The private key may alternately be stored in the same file as the certificate:
ssl_certificate www.example.com.cert;
ssl_certificate_key www.example.com.cert;
in which case the file access rights should also be restricted.
Although the certificate and the key are stored in one file,
only the certificate is sent to a client.
The directives L<ngx_http_ssl_module> and
L<ngx_http_ssl_module>
can be used to limit connections
to include only the strong versions and ciphers of SSLE<sol>TLS.
By default nginx uses
“C<ssl_protocols TLSv1.2 TLSv1.3>”
and “C<ssl_ciphers HIGH:!aNULL:!MD5>”,
so configuring them explicitly is generally not needed.
Note that default values of these directives were
changed several times.
=head1 HTTPS server optimization
SSL operations consume extra CPU resources.
On multi-processor systems several
L<worker processes|ngx_core_module>
should be run,
no less than the number of available CPU cores.
The most CPU-intensive operation is the SSL handshake.
There are two ways to minimize the number of these operations per client:
the first is by enabling
L<keepalive|ngx_http_core_module>
connections to send several
requests via one connection and the second is to reuse SSL session
parameters to avoid SSL handshakes for parallel and subsequent connections.
The sessions are stored in an SSL session cache shared between workers
and configured by the
L<ngx_http_ssl_module>
directive.
One megabyte of the cache contains about 4000 sessions.
The default cache timeout is 5 minutes.
It can be increased by using the
L<ngx_http_ssl_module>
directive.
Here is a sample configuration optimized for a multi-core system
with 10 megabyte shared session cache:
<b>worker_processes auto</b>;
http {
<b>ssl_session_cache shared:SSL:10m</b>;
<b>ssl_session_timeout 10m</b>;
server {
listen 443 ssl;
server_name www.example.com;
<b>keepalive_timeout 70</b>;
ssl_certificate www.example.com.crt;
ssl_certificate_key www.example.com.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
...
=head1 SSL certificate chains
Some browsers may complain about a certificate signed by a well-known
certificate authority, while other browsers may accept the certificate
without issues.
This occurs because the issuing authority has signed the server certificate
using an intermediate certificate that is not present in the certificate
base of well-known trusted certificate authorities which is distributed
with a particular browser.
In this case the authority provides a bundle of chained certificates
which should be concatenated to the signed server certificate.
The server certificate must appear before the chained certificates
in the combined file:
$ cat www.example.com.crt bundle.crt > www.example.com.chained.crt
The resulting file should be used in the
L<ngx_http_ssl_module> directive:
server {
listen 443 ssl;
server_name www.example.com;
ssl_certificate www.example.com.chained.crt;
ssl_certificate_key www.example.com.key;
...
}
If the server certificate and the bundle have been concatenated in the wrong
order, nginx will fail to start and will display the error message:
SSL_CTX_use_PrivateKey_file(" ... /www.example.com.key") failed
(SSL: error:0B080074:x509 certificate routines:
X509_check_private_key:key values mismatch)
because nginx has tried to use the private key with the bundle’s
first certificate instead of the server certificate.
Browsers usually store intermediate certificates which they receive
and which are signed by trusted authorities, so actively used browsers
may already have the required intermediate certificates and
may not complain about a certificate sent without a chained bundle.
To ensure the server sends the complete certificate chain,
the C<openssl> command-line utility may be used, for example:
$ openssl s_client -connect www.godaddy.com:443
...
Certificate chain
0 s:/C=US/ST=Arizona/L=Scottsdale/1.3.6.1.4.1.311.60.2.1.3=US
/1.3.6.1.4.1.311.60.2.1.2=AZ/O=GoDaddy.com, Inc
/OU=MIS Department/<b>CN=www.GoDaddy.com</b>
/serialNumber=0796928-7/2.5.4.15=V1.0, Clause 5.(b)
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc.
/OU=http://certificates.godaddy.com/repository
/CN=Go Daddy Secure Certification Authority
/serialNumber=07969287
1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc.
/OU=http://certificates.godaddy.com/repository
/CN=Go Daddy Secure Certification Authority
/serialNumber=07969287
i:/C=US/O=The Go Daddy Group, Inc.
/OU=Go Daddy Class 2 Certification Authority
2 s:/C=US/O=The Go Daddy Group, Inc.
/OU=Go Daddy Class 2 Certification Authority
i:/L=ValiCert Validation Network/O=<b>ValiCert, Inc.</b>
/OU=ValiCert Class 2 Policy Validation Authority
/CN=http://www.valicert.com//emailAddress=info@valicert.com
...
B<NOTE>
When testing configurations with SNI,
it is important to specify the C<-servername> option
as C<openssl> does not use SNI by default.
In this example the subject (“I<s>”) of the
C<www.GoDaddy.com> server certificate #0 is signed by an issuer
(“I<i>”) which itself is the subject of the certificate #1,
which is signed by an issuer which itself is the subject of the certificate #2,
which signed by the well-known issuer I<ValiCert, Inc.>
whose certificate is stored in the browsers’ built-in
certificate base (that lay in the house that Jack built).
If a certificate bundle has not been added, only the server certificate #0
will be shown.
=head1 A single HTTP/HTTPS server
It is possible to configure a single server that handles both HTTP
and HTTPS requests:
server {
listen 80;
listen 443 ssl;
server_name www.example.com;
ssl_certificate www.example.com.crt;
ssl_certificate_key www.example.com.key;
...
}
B<NOTE>
Prior to 0.7.14 SSL could not be enabled selectively for
individual listening sockets, as shown above.
SSL could only be enabled for the entire server using the
L<ngx_http_ssl_module> directive,
making it impossible to set up a single HTTPE<sol>HTTPS server.
The C<ssl> parameter of the
L<ngx_http_core_module> directive
was added to solve this issue.
The use of the
L<ngx_http_ssl_module> directive
in modern versions is thus discouraged.
=head1 Name-based HTTPS servers
A common issue arises when configuring two or more HTTPS servers
listening on a single IP address:
server {
listen 443 ssl;
server_name www.example.com;
ssl_certificate www.example.com.crt;
...
}
server {
listen 443 ssl;
server_name www.example.org;
ssl_certificate www.example.org.crt;
...
}
With this configuration a browser receives the default server’s certificate,
i.e. C<www.example.com> regardless of the requested server name.
This is caused by SSL protocol behaviour.
The SSL connection is established before the browser sends an HTTP request
and nginx does not know the name of the requested server.
Therefore, it may only offer the default server’s certificate.
The oldest and most robust method to resolve the issue
is to assign a separate IP address for every HTTPS server:
server {
listen 192.168.1.1:443 ssl;
server_name www.example.com;
ssl_certificate www.example.com.crt;
...
}
server {
listen 192.168.1.2:443 ssl;
server_name www.example.org;
ssl_certificate www.example.org.crt;
...
}
=head2 An SSL certificate with several names
There are other ways that allow sharing a single IP address
between several HTTPS servers.
However, all of them have their drawbacks.
One way is to use a certificate with several names in
the SubjectAltName certificate field, for example,
C<www.example.com> and C<www.example.org>.
However, the SubjectAltName field length is limited.
Another way is to use a certificate with a wildcard name, for example,
C<*.example.org>.
A wildcard certificate secures all subdomains of the specified domain,
but only on one level.
This certificate matches C<www.example.org>, but does not match
C<example.org> and C<www.sub.example.org>.
These two methods can also be combined.
A certificate may contain exact and wildcard names in the
SubjectAltName field, for example,
C<example.org> and C<*.example.org>.
It is better to place a certificate file with several names and
its private key file at the I<http> level of configuration
to inherit their single memory copy in all servers:
ssl_certificate common.crt;
ssl_certificate_key common.key;
server {
listen 443 ssl;
server_name www.example.com;
...
}
server {
listen 443 ssl;
server_name www.example.org;
...
}
=head2 Server Name Indication
A more generic solution for running several HTTPS servers on a single
IP address is
L<TLS
Server Name Indication extension|http://en.wikipedia.org/wiki/Server_Name_Indication> (SNI, RFC 6066),
which allows a browser to pass a requested server name during the SSL handshake
and, therefore, the server will know which certificate it should use
for the connection.
SNI is currently
L<supported|http://en.wikipedia.org/wiki/Server_Name_Indication#Support>
by most modern browsers, though may not be used by some old or special clients.
B<NOTE>
Only domain names can be passed in SNI,
however some browsers may erroneously pass an IP address of the server
as its name if a request includes literal IP address.
One should not rely on this.
In order to use SNI in nginx, it must be supported in both the
OpenSSL library with which the nginx binary has been built as well as
the library to which it is being dynamically linked at run time.
OpenSSL supports SNI since 0.9.8f version if it was built with config option
“--enable-tlsext”.
Since OpenSSL 0.9.8j this option is enabled by default.
If nginx was built with SNI support, then nginx will show this
when run with the “-V” switch:
$ nginx -V
...
TLS SNI support enabled
...
However, if the SNI-enabled nginx is linked dynamically to
an OpenSSL library without SNI support, nginx displays the warning:
nginx was built with SNI support, however, now it is linked
dynamically to an OpenSSL library which has no tlsext support,
therefore SNI is not available
=head1 Compatibility
=over
=item *
The SNI support status has been shown by the “-V” switch
since 0.8.21 and 0.7.62.
=item *
The C<ssl> parameter of the
L<ngx_http_core_module>
directive has been supported since 0.7.14.
Prior to 0.8.21 it could only be specified along with the
C<default> parameter.
=item *
SNI has been supported since 0.5.23.
=item *
The shared SSL session cache has been supported since 0.5.6.
=back
=over
=item *
Version 1.27.3 and later: the default SSL protocols are
TLSv1.2 and TLSv1.3 (if supported by the OpenSSL library).
Otherwise, when OpenSSL 1.0.0 or older is used,
the default SSL protocols are TLSv1 and TLSv1.1.
=item *
Version 1.23.4 and later: the default SSL protocols are TLSv1,
TLSv1.1, TLSv1.2, and TLSv1.3 (if supported by the OpenSSL library).
=item *
Version 1.9.1 and later: the default SSL protocols are TLSv1,
TLSv1.1, and TLSv1.2 (if supported by the OpenSSL library).
=item *
Version 0.7.65, 0.8.19 and later: the default SSL protocols are SSLv3, TLSv1,
TLSv1.1, and TLSv1.2 (if supported by the OpenSSL library).
=item *
Version 0.7.64, 0.8.18 and earlier: the default SSL protocols are SSLv2,
SSLv3, and TLSv1.
=back
=over
=item *
Version 1.0.5 and later: the default SSL ciphers are
“C<HIGH:!aNULL:!MD5>”.
=item *
Version 0.7.65, 0.8.20 and later: the default SSL ciphers are
“C<HIGH:!ADH:!MD5>”.
=item *
Version 0.8.19: the default SSL ciphers are
“C<ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM>”.
=item *
Version 0.7.64, 0.8.18 and earlier: the default SSL ciphers are
“C<ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP>”.
=back
|
