angie-conv-image/doc/examples/ssl/README.md

# SSL with subdomains

Consult the [Dockerfile](Dockerfile) or [docker-compose.yml](docker-compose.yml) for how the image is built and run; both are short and sufficient for this example.

---

Configuration for a single hostname (the certificate must cover `www.example.org`):
```nginx
server {
    listen 8443 ssl;

    server_name www.example.org;

    # leaf certificate first, followed by the intermediate(s)
    ssl_certificate tls.d/www.example.org.chain.crt;
    # the master process reads the key at startup, so it need not be readable by the worker user
    ssl_certificate_key tls.d/www.example.org.pem;

    root static.d/www.example.org;
}
```
---

Configuration for a wildcard certificate; `server_name .example.org` matches both `example.org` and any `*.example.org` name:

```nginx
server {
    listen 8443 ssl;

    server_name .example.org;
    ssl_certificate tls.d/example.org.chain.crt;
    ssl_certificate_key tls.d/example.org.pem;
    root static.d/example.org;
}
```

*Note: the certificate must carry an* `X509v3 Subject Alternative Name` *extension listing both names, e.g.* `DNS:example.org, DNS:*.example.org`*. A wildcard entry covers exactly one label:* `*.example.org` *matches* `www.example.org` *but neither* `example.org` *itself nor* `a.b.example.org`*, which is why the bare domain must be listed explicitly. Modern clients ignore the Common Name once a SAN is present.*
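To check that a certificate's SAN really covers the names the server blocks above will answer for, here is an added shell snippet (not part of the image, the Angie project, or the original page) that applies the wildcard rule from the note. `san_covers` takes a SAN list in the format `openssl x509` prints plus a hostname and returns success only if some `DNS:` entry covers it; `cert_covers` is a thin wrapper that reads the SAN out of a PEM file with `openssl x509 -ext subjectAltName` (this assumes OpenSSL 1.1.1 or later). The SAN string used at the bottom is constructed for the demonstration and mirrors the note's example.

```sh
#!/bin/sh
# Added example: does a SAN list cover a hostname under the RFC 6125 wildcard rule?
# "*.example.org" stands in for exactly one label: "www.example.org" matches,
# "example.org" and "a.b.example.org" do not. Non-DNS entries (IP Address:, email:) are skipped.

# usage: san_covers "DNS:example.org, DNS:*.example.org" www.example.org
san_covers() {
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    old_ifs=$IFS
    IFS=','
    set -f             # no pathname expansion: entries contain literal "*"
    set -- $1          # split the comma-separated SAN list into positional parameters
    set +f
    IFS=$old_ifs
    for entry in "$@"; do
        # strip blanks left over after the comma
        while [ "${entry# }" != "$entry" ]; do entry=${entry# }; done
        case $entry in
            DNS:*) name=$(printf '%s' "${entry#DNS:}" | tr 'A-Z' 'a-z') ;;
            *) continue ;;
        esac
        case $name in
            \*.*)
                suffix=${name#\*.}
                case $host in
                    *."$suffix")
                        label=${host%."$suffix"}
                        # the wildcard may replace exactly one non-empty label
                        case $label in
                            ''|*.*) ;;
                            *) return 0 ;;
                        esac ;;
                esac ;;
            *)
                [ "$name" = "$host" ] && return 0 ;;
        esac
    done
    return 1
}

# usage: cert_covers tls.d/example.org.chain.crt www.example.org
# assumes OpenSSL >= 1.1.1 (the -ext option); the first output line is the extension header
cert_covers() {
    san=$(openssl x509 -in "$1" -noout -ext subjectAltName | sed 1d | tr -d '\n')
    san_covers "$san" "$2"
}

# constructed SAN list mirroring the note above
san='DNS:example.org, DNS:*.example.org'
for h in example.org www.example.org test.example.org a.b.example.org; do
    if san_covers "$san" "$h"; then echo "$h: covered"; else echo "$h: NOT covered"; fi
done
```

Run it against the real file with `cert_covers tls.d/example.org.chain.crt test.example.org` before reloading Angie; a name that is rejected here will fail certificate validation in `curl` even though `server_name .example.org` routes it to the right block.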
---
(Optional) a catch-all server block that rejects the TLS handshake for any name not served above, so a client that sends an unknown SNI gets an `unrecognized_name` alert instead of whichever certificate happens to belong to the first server block (see the [documentation](https://angie.software/en/configuration/modules/http/http_ssl/#ssl-reject-handshake) for rationale):

```nginx
server {
    listen 8443 ssl default_server bind deferred;
    server_name _;
    ## TLSv1 and TLSv1.1 are deprecated (RFC 8996); nothing is ever served from this block,
    ## so listing them only lets older clients reach the rejection alert. Drop them if policy requires.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ## reject connections early
    ssl_reject_handshake on;
}
```
---
Test the URIs with `curl`. `--cacert` points at the example's private root CA and `--capath /nonexistent` keeps the system trust store out of the picture, so a request succeeds only if the chain Angie serves validates against that one root; `--resolve` pins each hostname to the local listener without touching DNS:
```sh
curl --cacert ./tls/ca/root-ca.crt --capath /nonexistent --resolve example.org:8443:127.0.0.1 https://example.org:8443/
curl --cacert ./tls/ca/root-ca.crt --capath /nonexistent --resolve www.example.org:8443:127.0.0.1 https://www.example.org:8443/
curl --cacert ./tls/ca/root-ca.crt --capath /nonexistent --resolve test.example.org:8443:127.0.0.1 https://test.example.org:8443/
# with the optional reject block in place, a name no server block serves must fail at the
# TLS handshake (curl exit code 35) rather than receive any certificate:
curl --cacert ./tls/ca/root-ca.crt --capath /nonexistent --resolve other.example.net:8443:127.0.0.1 https://other.example.net:8443/
```