Path: blob/main/xml/en/docs/http/configuring_https_servers.xml
1 views
<!--1Copyright (C) Igor Sysoev2Copyright (C) Nginx, Inc.3-->45<!DOCTYPE article SYSTEM "../../../../dtd/article.dtd">67<article name="Configuring HTTPS servers"8link="/en/docs/http/configuring_https_servers.html"9lang="en"10rev="19"11author="Igor Sysoev"12editor="Brian Mercer">1314<section>1516<para>17To configure an HTTPS server, the <literal>ssl</literal> parameter18must be enabled on19<link doc="ngx_http_core_module.xml" id="listen">listening sockets</link>20in the <link doc="ngx_http_core_module.xml" id="server"/> block,21and the locations of the22<link doc="ngx_http_ssl_module.xml" id="ssl_certificate">server certificate</link>23and24<link doc="ngx_http_ssl_module.xml" id="ssl_certificate_key">private key</link>25files should be specified:2627<programlisting>28server {29listen 443 <b>ssl</b>;30server_name www.example.com;31ssl_certificate <b>www.example.com.crt</b>;32ssl_certificate_key <b>www.example.com.key</b>;33ssl_protocols TLSv1.2 TLSv1.3;34ssl_ciphers HIGH:!aNULL:!MD5;35...36}37</programlisting>3839The server certificate is a public entity.40It is sent to every client that connects to the server.41The private key is a secure entity and should be stored in a file with42restricted access, however, it must be readable by nginx’s master process.43The private key may alternately be stored in the same file as the certificate:4445<programlisting>46ssl_certificate www.example.com.cert;47ssl_certificate_key www.example.com.cert;48</programlisting>4950in which case the file access rights should also be restricted.51Although the certificate and the key are stored in one file,52only the certificate is sent to a client.53</para>5455<para>56The directives <link doc="ngx_http_ssl_module.xml" id="ssl_protocols"/> and57<link doc="ngx_http_ssl_module.xml" id="ssl_ciphers"/>58can be used to limit connections59to include only the strong versions and ciphers of SSL/TLS.60By default nginx uses61“<literal>ssl_protocols TLSv1.2 TLSv1.3</literal>”62and “<literal>ssl_ciphers HIGH:!aNULL:!MD5</literal>”,63so configuring them explicitly is generally not needed.64Note that default values of these directives were65<link id="compatibility">changed</link> several times.66</para>6768</section>697071<section id="optimization" name="HTTPS server optimization">7273<para>74SSL operations consume extra CPU resources.75On multi-processor systems several76<link doc="../ngx_core_module.xml" id="worker_processes">worker processes</link>77should be run,78no less than the number of available CPU cores.79The most CPU-intensive operation is the SSL handshake.80There are two ways to minimize the number of these operations per client:81the first is by enabling82<link doc="ngx_http_core_module.xml" id="keepalive_timeout">keepalive</link>83connections to send several84requests via one connection and the second is to reuse SSL session85parameters to avoid SSL handshakes for parallel and subsequent connections.86The sessions are stored in an SSL session cache shared between workers87and configured by the88<link doc="ngx_http_ssl_module.xml" id="ssl_session_cache"/>89directive.90One megabyte of the cache contains about 4000 sessions.91The default cache timeout is 5 minutes.92It can be increased by using the93<link doc="ngx_http_ssl_module.xml" id="ssl_session_timeout"/>94directive.95Here is a sample configuration optimized for a multi-core system96with 10 megabyte shared session cache:9798<programlisting>99<b>worker_processes auto</b>;100101http {102<b>ssl_session_cache shared:SSL:10m</b>;103<b>ssl_session_timeout 10m</b>;104105server {106listen 443 ssl;107server_name www.example.com;108<b>keepalive_timeout 70</b>;109110ssl_certificate www.example.com.crt;111ssl_certificate_key www.example.com.key;112ssl_protocols TLSv1.2 TLSv1.3;113ssl_ciphers HIGH:!aNULL:!MD5;114...115</programlisting>116</para>117118</section>119120121<section id="chains" name="SSL certificate chains">122123<para>124Some browsers may complain about a certificate signed by a well-known125certificate authority, while other browsers may accept the certificate126without issues.127This occurs because the issuing authority has signed the server certificate128using an intermediate certificate that is not present in the certificate129base of well-known trusted certificate authorities which is distributed130with a particular browser.131In this case the authority provides a bundle of chained certificates132which should be concatenated to the signed server certificate.133The server certificate must appear before the chained certificates134in the combined file:135136<programlisting>137$ cat www.example.com.crt bundle.crt > www.example.com.chained.crt138</programlisting>139140The resulting file should be used in the141<link doc="ngx_http_ssl_module.xml" id="ssl_certificate"/> directive:142143<programlisting>144server {145listen 443 ssl;146server_name www.example.com;147ssl_certificate www.example.com.chained.crt;148ssl_certificate_key www.example.com.key;149...150}151</programlisting>152153If the server certificate and the bundle have been concatenated in the wrong154order, nginx will fail to start and will display the error message:155156<programlisting>157SSL_CTX_use_PrivateKey_file(" ... /www.example.com.key") failed158(SSL: error:05800074:x509 certificate routines::key values mismatch)159</programlisting>160161because nginx has tried to use the private key with the bundle’s162first certificate instead of the server certificate.163</para>164165<para>166Browsers usually store intermediate certificates which they receive167and which are signed by trusted authorities, so actively used browsers168may already have the required intermediate certificates and169may not complain about a certificate sent without a chained bundle.170To ensure the server sends the complete certificate chain,171the <command>openssl</command> command-line utility may be used, for example:172173<programlisting>174$ openssl s_client -connect www.godaddy.com:443175...176Certificate chain1770 s:/C=US/ST=Arizona/L=Scottsdale/1.3.6.1.4.1.311.60.2.1.3=US178/1.3.6.1.4.1.311.60.2.1.2=AZ/O=GoDaddy.com, Inc179/OU=MIS Department/<b>CN=www.GoDaddy.com</b>180/serialNumber=0796928-7/2.5.4.15=V1.0, Clause 5.(b)181i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc.182/OU=http://certificates.godaddy.com/repository183/CN=Go Daddy Secure Certification Authority184/serialNumber=079692871851 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc.186/OU=http://certificates.godaddy.com/repository187/CN=Go Daddy Secure Certification Authority188/serialNumber=07969287189i:/C=US/O=The Go Daddy Group, Inc.190/OU=Go Daddy Class 2 Certification Authority1912 s:/C=US/O=The Go Daddy Group, Inc.192/OU=Go Daddy Class 2 Certification Authority193i:/L=ValiCert Validation Network/O=<b>ValiCert, Inc.</b>194/OU=ValiCert Class 2 Policy Validation Authority195/CN=http://www.valicert.com//[email protected]196...197</programlisting>198199In this example the subject (“<i>s</i>”) of the200<literal>www.GoDaddy.com</literal> server certificate #0 is signed by an issuer201(“<i>i</i>”) which itself is the subject of the certificate #1,202which is signed by an issuer which itself is the subject of the certificate #2,203which signed by the well-known issuer <i>ValiCert, Inc.</i>204whose certificate is stored in the browsers’ built-in205certificate base (that lay in the house that Jack built).206</para>207208<para>209If a certificate bundle has not been added, only the server certificate #0210will be shown.211</para>212213</section>214215216<section id="single_http_https_server" name="A single HTTP/HTTPS server">217218<para>219It is possible to configure a single server that handles both HTTP220and HTTPS requests:221222<programlisting>223server {224listen 80;225listen 443 ssl;226server_name www.example.com;227ssl_certificate www.example.com.crt;228ssl_certificate_key www.example.com.key;229...230}231</programlisting>232233<note>234Prior to 0.7.14 SSL could not be enabled selectively for235individual listening sockets, as shown above.236SSL could only be enabled for the entire server using the237<link doc="ngx_http_ssl_module.xml" id="ssl"/> directive,238making it impossible to set up a single HTTP/HTTPS server.239The <literal>ssl</literal> parameter of the240<link doc="ngx_http_core_module.xml" id="listen"/> directive241was added to solve this issue.242The use of the243<link doc="ngx_http_ssl_module.xml" id="ssl"/> directive244in modern versions is thus discouraged;245it was removed in 1.25.1.246</note>247</para>248249</section>250251252<section id="name_based_https_servers" name="Name-based HTTPS servers">253254<para>255A common issue arises when configuring two or more HTTPS servers256listening on a single IP address:257258<programlisting>259server {260listen 443 ssl;261server_name www.example.com;262ssl_certificate www.example.com.crt;263...264}265266server {267listen 443 ssl;268server_name www.example.org;269ssl_certificate www.example.org.crt;270...271}272</programlisting>273274With this configuration a browser receives the default server’s certificate,275i.e. <literal>www.example.com</literal> regardless of the requested server name.276This is caused by SSL protocol behaviour.277The SSL connection is established before the browser sends an HTTP request278and nginx does not know the name of the requested server.279Therefore, it may only offer the default server’s certificate.280</para>281282<para>283The oldest and most robust method to resolve the issue284is to assign a separate IP address for every HTTPS server:285286<programlisting>287server {288listen 192.168.1.1:443 ssl;289server_name www.example.com;290ssl_certificate www.example.com.crt;291...292}293294server {295listen 192.168.1.2:443 ssl;296server_name www.example.org;297ssl_certificate www.example.org.crt;298...299}300</programlisting>301</para>302303304<section id="certificate_with_several_names"305name="An SSL certificate with several names">306307<para>308There are other ways that allow sharing a single IP address309between several HTTPS servers.310However, all of them have their drawbacks.311One way is to use a certificate with several names in312the SubjectAltName certificate field, for example,313<literal>www.example.com</literal> and <literal>www.example.org</literal>.314However, the SubjectAltName field length is limited.315</para>316317<para>318Another way is to use a certificate with a wildcard name, for example,319<literal>*.example.org</literal>.320A wildcard certificate secures all subdomains of the specified domain,321but only on one level.322This certificate matches <literal>www.example.org</literal>, but does not match323<literal>example.org</literal> and <literal>www.sub.example.org</literal>.324These two methods can also be combined.325A certificate may contain exact and wildcard names in the326SubjectAltName field, for example,327<literal>example.org</literal> and <literal>*.example.org</literal>.328</para>329330<para>331It is better to place a certificate file with several names and332its private key file at the <i>http</i> level of configuration333to inherit their single memory copy in all servers:334335<programlisting>336ssl_certificate common.crt;337ssl_certificate_key common.key;338339server {340listen 443 ssl;341server_name www.example.com;342...343}344345server {346listen 443 ssl;347server_name www.example.org;348...349}350</programlisting>351</para>352353</section>354355356<section id="sni" name="Server Name Indication">357358<para>359A more generic solution for running several HTTPS servers on a single360IP address is361<link url="http://en.wikipedia.org/wiki/Server_Name_Indication">TLS362Server Name Indication extension</link> (SNI, RFC 6066),363which allows a browser to pass a requested server name during the SSL handshake364and, therefore, the server will know which certificate it should use365for the connection.366SNI is currently367<link url="http://en.wikipedia.org/wiki/Server_Name_Indication#Support">supported</link>368by most modern browsers369and is a mandatory-to-implement extension in TLSv1.3,370though may not be used by some old or special clients.371<note>372Only domain names can be passed in SNI,373however some browsers may erroneously pass an IP address of the server374as its name if a request includes literal IP address.375One should not rely on this.376</note>377</para>378379<para>380In order to use SNI in nginx, it must be supported in both the381OpenSSL library with which the nginx binary has been built as well as382the library to which it is being dynamically linked at run time.383OpenSSL supports SNI since 0.9.8f version if it was built with config option384<nobr>“--enable-tlsext”.</nobr>385Since OpenSSL 0.9.8j this option is enabled by default.386If nginx was built with SNI support, then nginx will show this387when run with the “-V” switch:388389<programlisting>390$ nginx -V391...392TLS SNI support enabled393...394</programlisting>395396However, if the SNI-enabled nginx is linked dynamically to397an OpenSSL library without SNI support, nginx displays the warning:398399<programlisting>400nginx was built with SNI support, however, now it is linked401dynamically to an OpenSSL library which has no tlsext support,402therefore SNI is not available403</programlisting>404</para>405406</section>407408</section>409410411<section id="compatibility" name="Compatibility">412413<para>414<list type="bullet">415416<listitem>417The SNI support status has been shown by the “-V” switch418since 0.8.21 and 0.7.62.419</listitem>420421<listitem>422The <literal>ssl</literal> parameter of the423<link doc="ngx_http_core_module.xml" id="listen"/>424directive has been supported since 0.7.14.425Prior to 0.8.21 it could only be specified along with the426<literal>default</literal> parameter.427</listitem>428429<listitem>430SNI has been supported since 0.5.23.431</listitem>432433<listitem>434The shared SSL session cache has been supported since 0.5.6.435</listitem>436437</list>438</para>439440<para>441<list type="bullet">442443<listitem>444Version 1.27.3 and later: the default SSL protocols are445TLSv1.2 and TLSv1.3 (if supported by the OpenSSL library).446Otherwise, when OpenSSL 1.0.0 or older is used,447the default SSL protocols are TLSv1 and TLSv1.1.448</listitem>449450<listitem>451Version 1.23.4 and later: the default SSL protocols are TLSv1,452TLSv1.1, TLSv1.2, and TLSv1.3 (if supported by the OpenSSL library).453</listitem>454455<listitem>456Version 1.9.1 and later: the default SSL protocols are TLSv1,457TLSv1.1, and TLSv1.2 (if supported by the OpenSSL library).458</listitem>459460<listitem>461Version 0.7.65, 0.8.19 and later: the default SSL protocols are SSLv3, TLSv1,462TLSv1.1, and TLSv1.2 (if supported by the OpenSSL library).463</listitem>464465<listitem>466Version 0.7.64, 0.8.18 and earlier: the default SSL protocols are SSLv2,467SSLv3, and TLSv1.468</listitem>469470</list>471</para>472473<para>474<list type="bullet">475476<listitem>477Version 1.0.5 and later: the default SSL ciphers are478“<literal>HIGH:!aNULL:!MD5</literal>”.479</listitem>480481<listitem>482Version 0.7.65, 0.8.20 and later: the default SSL ciphers are483“<literal>HIGH:!ADH:!MD5</literal>”.484</listitem>485486<listitem>487Version 0.8.19: the default SSL ciphers are488“<literal>ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM</literal>”.489</listitem>490491<listitem>492Version 0.7.64, 0.8.18 and earlier: the default SSL ciphers are<br/>493“<literal>ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP</literal>”.494</listitem>495496</list>497</para>498499500</section>501502503</article>504505506