Allow vhost ssl cert and key inheritance from http section #945

jeffmccune
Contributor

Without this patch the SSL cert and key are always configured within vhost
server blocks.  This is a problem when using a single wildcard certificate
operating with multiple virtual host entries because the configuration results
in increased memory consumption according to the NGINX documentation:

> It is better to place a certificate file with several names and its private key
> file at the http level of configuration to inherit their single memory copy in
> all servers.

This patch addresses the problem by making it possible to pass the boolean value
`false` to the ssl_key and ssl_cert parameters.  When doing so, the SSL key and
certificate will be inherited from the http section of the configuration.

References:

 * http://nginx.org/en/docs/http/configuring_https_servers.html#name_based_https_servers
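
The nginx layout this change makes possible, as an added example that is not part of the pull request or the module's own templates; host names and file paths are constructed placeholders:

```nginx
# Added example: all host names and file paths are constructed placeholders.
events {}

http {
    # One wildcard certificate and its key, declared once at the http level.
    # Every server block below inherits this single in-memory copy.
    ssl_certificate     /etc/nginx/ssl/wildcard.example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/wildcard.example.com.key;

    server {
        listen      443 ssl;
        server_name www.example.com;
        # No ssl_certificate / ssl_certificate_key here:
        # both are inherited from the http section.
        root /var/www/www;
    }

    server {
        listen      443 ssl;
        server_name api.example.com;
        # Also inherits the wildcard certificate and key.
        root /var/www/api;
    }

    server {
        listen      443 ssl;
        server_name shop.example.org;
        # A name the wildcard does not cover still needs its own pair;
        # server-level directives override the inherited http-level ones.
        ssl_certificate     /etc/nginx/ssl/shop.example.org.crt;
        ssl_certificate_key /etc/nginx/ssl/shop.example.org.key;
        root /var/www/shop;
    }
}
```

Checking the rendered configuration with `nginx -t` confirms that each TLS server block resolves a certificate and key, whether inherited or set locally.
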
@wyardley
Collaborator

This seems similar to #794 (though that one is not in working state right now).
Looks pretty sensible to me, and thanks for adding tests. I'm not sure what the deal is with the coveralls failure, but I've been getting those too, I'll ask around.

@bastelfreak
Member

thanks @jeffmccune !

@bastelfreak bastelfreak merged commit 9f5c074 into voxpupuli:master Oct 26, 2016
Rubueno pushed a commit to Rubueno/puppet-nginx that referenced this pull request Oct 19, 2020
Allow vhost ssl cert and key inheritance from http section