HttpSSL

This module enables HTTPS support.

It supports checking client certificates with two limitations:

  • it is not possible to assign the list of the abolished certificates (revocation lists)
  • if you have a chain certificate file (sometimes called an intermediate certificate) you don't specify it separately like you do in Apache. Instead you need to add the information from the chain cert to the end of your main certificate file. This can be done by typing "cat chain.crt >> mysite.com.crt" on the command line. Once that is done you won't use the chain cert file for anything else, you just point Nginx to the main certificate file.

By default the module is not built, it is necessary to specify that it be built with with the —with-http_ssl_module parameter to ./configure. Building this module requires the OpenSSL libraries and include-files, often are the necessary files in separate packages.

The following is an example configuration, to reduce the CPU load it is recommended to run one worker process only and to enable keep-alive connections:

  1. worker_processes 1;
  2. http {
  3. server {
  4. listen 443;
  5. ssl on;
  6. ssl_certificate /usr/local/nginx/conf/cert.pem;
  7. ssl_certificate_key /usr/local/nginx/conf/cert.key;
  8. keepalive_timeout 70;
  9. }
  10. }

When using chain certificates, just append the extra certificates into your .crt file (cert.pem in the example). Your own certificate needs to be on top of the file, otherwise key get a mismatch with the key.

Generate Certificates

To generate dummy certficates you can do this steps:

  1. $ cd /usr/local/nginx/conf
  2. $ openssl genrsa -des3 -out server.key 1024
  3. $ openssl req -new -key server.key -out server.csr
  4. $ cp server.key server.key.org
  5. $ openssl rsa -in server.key.org -out server.key
  6. $ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Configure the new certificate into nginx.conf:

  1. server {
  2. server_name YOUR_DOMAINNAME_HERE;
  3. listen 443;
  4. ssl on;
  5. ssl_certificate /usr/local/nginx/conf/server.crt;
  6. ssl_certificate_key /usr/local/nginx/conf/server.key;
  7. }

Restart Nginx.

Now all ready to access using:

  1. https://YOUR_DOMAINNAME_HERE

指令

ssl

syntax:ssl [on|off]

default:ssl off

context:main, server

Enables HTTPS for a server.

ssl_certificate

syntax:ssl_certificate file

default:ssl_certificate cert.pem

context:main, server

Indicates file with the certificate in PEM format for this virtual server. The same file can contain other certificates, and also secret key in PEM format. Since version 0.6.7 the file path is relative to directory of nginx configuration file nginx.conf, but not to nginx prefix directory.

ssl_certificate_key

syntax:ssl_certificate_key file

default:ssl_certificate_key cert.pem

context:main, server

Indicates file with the secret key in PEM format for this virtual server. Since version 0.6.7 the filename path is relative to directory of nginx configuration file nginx.conf, but not to nginx prefix directory.

ssl_client_certificate

syntax:ssl_client_certificate file

default:none

context:main, server

Indicates file with certificates CA in PEM format, utilized for checking the client certificates.

ssl_dhparam

syntax:ssl_dhparam file

default:none

context:main, server

Indicates file with Diffie-Hellman parameters in PEM format, utilized for negotiating TLS session keys.

ssl_ciphers

syntax:ssl_ciphers file

default:ssl_ciphers ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

context:main, server

Directive describes the permitted ciphers. Ciphers are assigned in the formats supported by OpenSSL, for example:

  1. ssl_ciphersALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;

Complete list can be looked with the following command:

  1. openssl ciphers

ssl_crl

syntax:ssl_crl file

default:none

context:http, server

This directive (0.8.7+) specifies a file with the revoked certificates (CRL) in the PEM, which is used to check for client certificates.

ssl_prefer_server_ciphers

syntax:ssl_prefer_server_ciphers [on|off]

default:ssl_prefer_server_ciphers off

context:main, server

Requires protocols SSLv3 and TLSv1 server ciphers be preferred over the client's ciphers.

ssl_protocols

syntax:ssl_protocols [SSLv2] [SSLv3] [TLSv1]

default:ssl_protocols SSLv2 SSLv3 TLSv1

context:main, server

Directive enables the protocols indicated.

ssl_verify_client

syntax:ssl_verify_client on|off|ask

default:ssl_verify_client off

context:main, server

Directive enables verifying client certificates. Parameter 'ask' checks a client certificate if it was offered.

ssl_verify_depth

syntax:ssl_verify_depth number

default:ssl_verify_depth 1

context:main, server

Sets depth checking in the chain of client certificates.

ssl_session_cache

syntax:ssl_session_cache off|none|builtin:size and/or shared:name:size

default:ssl_session_cache off

context:main, server

The directive sets the types and sizes of caches to store the SSL sessions.

The cache types are:

  • off — Hard off: nginx says explicitly to a client that sessions can not reused.
  • none — Soft off: nginx says to a client that session can be resued, but nginx actually never reuses them. This is workaround for some mail clients as ssl_session_cache may be used in mail proxy as well as in HTTP server.
  • builtin — the OpenSSL builtin cache, is used inside one worker process only. The cache size is assigned in the number of the sessions. Note: there appears to be a memory fragmentation issue using this method, please take that into consideration when using this. See "References" below.
  • shared — the cache is shared between all worker processes. The size of cache is assigned in the bytes, 1 MB cache can contain about 4000 sessions. Each shared cache must have arbitrary name. Cache with the same name can be used in several virtual servers.

It is possible to use both types of cache simultaneously, for example:

  1. ssl_session_cache builtin:1000 shared:SSL:10m;

However, the only shared cache usage without that builtin should be more effective.

ssl_session_timeout

syntax:ssl_session_timeout time

default:ssl_session_timeout 5m

context:main, server

Assigns the time during which the client can repeatedly use the parameters of the session, which is stored in the cache.

This module supports several nonstandard error codes which can be used for debugging with the aid of directive error_page:

  • 495 - error checking client certificate
  • 496 - client did not grant the required certificate
  • 497 - normal request was sent to HTTPS

Debugging is done after the request is completely dismantled and are accessible via variables such as $request_uri, $uri, $arg and others. Built-in variables Module ngx_http_ssl_module supports several built-in variables:

  • $ssl_cipher returns the line of those utilized it is cipher for established SSL-connection
  • $ssl_client_serial returns the series number of client certificate for established SSL-connection
  • $ssl_client_s_dn returns line subject DN of client certificate for established SSL-connection
  • $ssl_client_i_dn returns line issuer DN of client certificate for established SSL-connection
  • $ssl_protocol returns the protocol of established SSL-connection

ssl_engine

syntax:ssl_engine

This allows specifying the OpenSSL engine to use, like Padlock for example. It requires a more recent version of OpenSSL.

References

Original DocumentationSSL Memory Fragmentation and new default status for ssl_session_cache