initial commit

doc/examples/ssl/README.md

@@ -0,0 +1,67 @@
+# SSL with subdomains
+
+consult [Dockerfile](Dockerfile) or [docker-compose.yml](docker-compose.yml) - both are simple and fine enough.
+
+---
+
+configuration:
+
+```nginx
+server {
+    listen 8443 ssl;
+
+    server_name www.example.org;
+
+    ssl_certificate      tls/www.example.org.chain.crt;
+    ssl_certificate_key  tls/www.example.org.pem;
+
+    root static/www.example.org;
+}
+```
+
+---
+
+configuration for wildcard certificate:
+
+```nginx
+server {
+    listen 8443 ssl;
+
+    server_name .example.org;
+
+    ssl_certificate      tls/example.org.chain.crt;
+    ssl_certificate_key  tls/example.org.pem;
+
+    root static/example.org;
+}
+```
+
+*Note: certificate must have* `X509v3 Subject Alternative Name` *property with value like* `DNS:example.org, DNS:*.example.org` .
+
+---
+
+(optional) configuration for cut-off SSL server block (see [documentation](https://angie.software/en/configuration/modules/http/http_ssl/#ssl-reject-handshake) for rationale):
+
+```nginx
+server {
+    listen 8443 ssl default_server bind deferred;
+
+    server_name _;
+
+    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+
+    ## reject connections early
+    ssl_reject_handshake on;
+}
+```
+
+---
+
+Test URI e.g. with `curl`:
+```sh
+curl --insecure --resolve example.org:8443:127.0.0.1 https://example.org:8443/
+
+curl --insecure --resolve www.example.org:8443:127.0.0.1 https://www.example.org:8443/
+
+curl --insecure --resolve test.example.org:8443:127.0.0.1 https://test.example.org:8443/
+```