This section describes how to configure an HTTPS server on NGINX and NGINX Plus.
To set up an HTTPS server, in your nginx.conf file specify the ssl
parameter with the listen
directive in the server
block then set the locations of the server certificate and private key files:
server {
listen 443 ssl;
server_name www.example.com;
ssl_certificate www.example.com.crt;
ssl_certificate_key www.example.com.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
...
}
The server certificate is a public entity. It is sent to every client that connects to the server. The private key is a secure entity and should be stored in a file with restricted access. However, nginx’s master process must be able to read this file. The private key may alternately be stored in the same file as the certificate:
ssl_certificate www.example.com.cert;
ssl_certificate_key www.example.com.cert;
In this case the file access rights should also be restricted. Though the certificate and the key are be stored in one file in this case, only the certificate is sent to a client.
The ssl_protocols
and ssl_ciphers
directives can be used to limit connections to include only the strong versions and ciphers of SSL/TLS.
Since version 1.0.5, NGINX uses ssl_protocols SSLv3 TLSv1
and ssl_ciphers HIGH:!aNULL:!MD5
by default; since versions 1.1.13 and 1.0.12, the default was updated to ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2
.
Vulnerabilities are sometimes found in the design of older ciphers, and you would be wise to disable these in a modern NGINX configuration (unfortunately, the default configuration cannot easily be changed because of concerns of backward compatibility for existing NGINX deployments). Please note that CBC-mode ciphers might be vulnerable to a number of attacks, the BEAST attack in particular (see CVE-2011-3389), and SSLv3 is best avoided unless you need to support legacy clients due to the POODLE attack.
SSL operations consume extra CPU resources. The most CPU-intensive operation is the SSL handshake. There are two ways to minimize the number of these operations per client:
Sessions are stored in the SSL session cache shared between worker processes and configured by the ssl_session_cache
directive. One megabyte of cache contains about 4000 sessions. The default cache timeout is 5 minutes. This timeout can be increased using the ssl_session_timeout
directive. Below is a sample configuration optimized for a multi-core system with 10 megabyte shared session cache:
worker_processes auto;
http {
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
server {
listen 443 ssl;
server_name www.example.com;
keepalive_timeout 70;
ssl_certificate www.example.com.crt;
ssl_certificate_key www.example.com.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
...
}
}
Some browsers may complain about a certificate signed by a well-known certificate authority, while other browsers may accept the certificate without issues. This occurs because the issuing authority has signed the server certificate using an intermediate certificate that is not present in the base of well-known trusted certificate authorities which is distributed in a particular browser. In this case the authority provides a bundle of chained certificates that should be concatenated to the signed server certificate. The server certificate must appear before the chained certificates in the combined file:
$ cat www.example.com.crt bundle.crt > www.example.com.chained.crt
The resulting file should be used in the ssl_certificate
directive:
server {
listen 443 ssl;
server_name www.example.com;
ssl_certificate www.example.com.chained.crt;
ssl_certificate_key www.example.com.key;
...
}
If the server certificate and the bundle have been concatenated in the wrong order, NGINX will fail to start and will display the following error message:
SSL_CTX_use_PrivateKey_file(" ... /www.example.com.key") failed
(SSL: error:0B080074:x509 certificate routines:
X509_check_private_key:key values mismatch)
The error happens because NGINX has tried to use the private key with the bundle’s first certificate instead of the server certificate.
Browsers usually store intermediate certificates which they receive and are signed by trusted authorities. So actively used browsers may already have the required intermediate certificates and may not complain about a certificate sent without a chained bundle. To ensure the server sends the complete certificate chain the openssl command-line utility may be used:
$ openssl s_client -connect www.godaddy.com:443
...
Certificate chain
0 s:/C=US/ST=Arizona/L=Scottsdale/1.3.6.1.4.1.311.60.2.1.3=US
/1.3.6.1.4.1.311.60.2.1.2=AZ/O=GoDaddy.com, Inc
/OU=MIS Department/CN=www.GoDaddy.com
/serialNumber=0796928-7/2.5.4.15=V1.0, Clause 5.(b)
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc.
/OU=http://certificates.godaddy.com/repository
/CN=Go Daddy Secure Certification Authority
/serialNumber=07969287
1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc.
/OU=http://certificates.godaddy.com/repository
/CN=Go Daddy Secure Certification Authority
/serialNumber=07969287
i:/C=US/O=The Go Daddy Group, Inc.
/OU=Go Daddy Class 2 Certification Authority
2 s:/C=US/O=The Go Daddy Group, Inc.
/OU=Go Daddy Class 2 Certification Authority
i:/L=ValiCert Validation Network/O=ValiCert, Inc.
/OU=ValiCert Class 2 Policy Validation Authority
/CN=http://www.valicert.com//emailAddress=info@valicert.com
...
In this example the subject (“s
”) of the www.GoDaddy.com
server certificate #0
is signed by an issuer (“i”
) which itself is the subject of the certificate #1. This certificate #1 is signed by an issuer which itself is the subject of the certificate #2. This certificate, however, is signed by the well-known issuer ValiCert, Inc.
whose certificate is stored in the browsers themselves.
If a certificate bundle has not been added, only the server certificate #0 will be shown.
It is possible to configure a single server that handles both HTTP and HTTPS requests by placing one listen
directive with the ssl
parameter and one without in the same virtual server:
server {
listen 80;
listen 443 ssl;
server_name www.example.com;
ssl_certificate www.example.com.crt;
ssl_certificate_key www.example.com.key;
...
}
In NGINX version 0.7.13 and earlier, SSL cannot be enabled selectively for individual listening sockets, as shown above. SSL can only be enabled for the entire server using the ssl
directive, making it impossible to set up a single HTTP/HTTPS server. The ssl
parameter to the listen
directive was added to solve this issue. The ssl
directive therefore is not be be used in version 0.7.14 and later.
A common issue arises when two or more HTTPS servers are configured to listen on a single IP address:
server {
listen 443 ssl;
server_name www.example.com;
ssl_certificate www.example.com.crt;
...
}
server {
listen 443 ssl;
server_name www.example.org;
ssl_certificate www.example.org.crt;
...
}
With this configuration, a browser receives the default server’s certificate. In this case, it is www.example.com
regardless of the requested server name. This is caused by the SSL protocol behaviour itself. The SSL connection is established before the browser sends an HTTP request and NGINX does not know the name of the requested server. Therefore, it may only offer the default server’s certificate.
The best way to solve this issue is to assign a separate IP address to every HTTPS server:
server {
listen 192.168.1.1:443 ssl;
server_name www.example.com;
ssl_certificate www.example.com.crt;
...
}
server {
listen 192.168.1.2:443 ssl;
server_name www.example.org;
ssl_certificate www.example.org.crt;
...
}
Note that there are also some specific proxy settings for HTTPS upstreams (proxy_ssl_ciphers
/proxy_ssl_protocols
, and proxy_ssl_session_reuse
) which can be used for fine tuning SSL between nginx and upstreams. You can read more about these in the http proxy module documentation.
There are other ways for sharing a single IP address between several HTTPS servers. However, all of them have their particular drawbacks. One way is to use a certificate with several names in the SubjectAltName
certificate field, for example, www.example.com
and www.example.org
. However, the SubjectAltName
field length is limited.
Another way is to use a certificate with a wildcard name, for example, *.example.org
. A wildcard certificate secures all subdomains of the specified domain, but only on one level. This certificate matches www.example.org
, but does not match example.org
or www.sub.example.org
. These two methods can also be combined. A certificate may contain exact and wildcard names in the SubjectAltName
field. For example, example.org
and *.example.org
.
It is better to place a certificate file with several names and its private key file at the http level of your configuration so that they inherit the single memory copy across all servers:
ssl_certificate common.crt;
ssl_certificate_key common.key;
server {
listen 443 ssl;
server_name www.example.com;
...
}
server {
listen 443 ssl;
server_name www.example.org;
...
}
A more generic solution for running several HTTPS servers on a single IP address is the TLS Server Name Indication extension (SNI, RFC 6066), which allows a browser to pass a requested server name during the SSL handshake. With this solution, the server will know which certificate it should use for the connection. However, SNI has limited browser support. Currently it is supported starting with the following browser versions:
Opera 8.0;
MSIE 7.0 (but only on Windows Vista or higher);
Firefox 2.0 and other browsers using Mozilla Platform rv:1.8.1;
Safari 3.2.1 (Windows version supports SNI on Vista or higher);
and Chrome (Windows version supports SNI on Vista or higher, too).
Only domain names can be passed in SNI. However, some browsers will pass the IP address of the server as its name if a request includes a literal IP address. It is best not to rely on this.
In order to use SNI in nginx, it must be supported in both the OpenSSL library with which the NGINX binary has been built with as well as the library which it is being dynamically linked with at run time. OpenSSL supports SNI since the 0.9.8f version if it was built with configuration option --enable-tlsext
. Since OpenSSL version 0.9.8j, this option is enabled by default. If NGINX was built with SNI support, NGINX shows the following when run with the -V
switch:
$ nginx -V
...
TLS SNI support enabled
...
However, if the SNI-enabled NGINX is linked dynamically to an OpenSSL library without SNI support, NGINX displays the warning:
NGINX was built with SNI support, however, now it is linked
dynamically to an OpenSSL library which has no tlsext support,
therefore SNI is not available
ssl
parameter of the listen
directive has been supported since version 0.7.14. Prior to version 0.8.21 it could only be specified along with the default
parameter.The shared SSL session cache has been supported since version 0.5.6.
From version 0.7.65, 0.8.19 and later the default SSL protocols are SSLv3, TLSv1, TLSv1.1, and TLSv1.2 (if supported by the OpenSSL library).
From version 0.7.64, 0.8.18 and earlier the default SSL protocols are SSLv2, SSLv3, and TLSv1.
From version 1.0.5 and later the default SSL ciphers are HIGH:!aNULL:!MD5
HIGH:!ADH:!MD5
ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM
ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP