Hi all,
Looking at the docs and recent list postings Naviserver supports virtual
hosting over ssl using SNI by defining multiple servers in the config
and specifying the certificate for each server. The downside of this is
that in order to add a new host you need to modify the config, rather
than just adding new certificates.
I'm thinking it would allow a simpler config to support having a scheme
matching the host name to the certificate file name implicitly, rather
than explicitly. That is, instead of looking for the certificate
configured for a matching nsssl server, look for a file matching
"directory/${host}.pem"
This could be mostly accomplished by having the config file create the
sections at runtime (i.e., at config load time) by scanning the desired
directory, but doing so would still require the server to be restarted
if a new certificate was added.
A config supporting this might look like
ns_section ns/module/nsssl {
    ns_param port 8433
    ns_param defaultserver s1
    ns_param certificate /usr/local/ns/modules/nsssl/server.pem
    ns_param sni_certificate /usr/local/ns/modules/nsssl/%host%.pem
}
with whatever placeholder syntax makes sense for "host" there. ($host
obviously can't work)
I don't know how this approach would work for wildcard certificates -
maybe it would need to look for "domain" and then "*.domain", or if
looking for "foo.domain.xyz" it could try "domain.xyz" if it exists on
the assumption it's a wildcard?
This is not critical for me as a Let's Encrypt SAN certificate will
probably work fine, but I like to keep my options open :)
Cheers,
-J
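
The lookup proposed in this message, sketched as an added example (not NaviServer code and not from the original post). The SNI name is supplied by the client, so it is validated before it is substituted into a file path, and the wildcard guess strips exactly one label. The function names, the buffer sizes and the choice of the "parent domain" fallback are assumptions; only the %host% placeholder comes from the message.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define SNI_MAX_HOST 253   /* maximum length of a DNS name */
#define SNI_PATH_LEN 512   /* assumed path buffer size */

/* Lower-case host into out; accept only letter/digit/hyphen labels joined by
   single dots, so '/', '\\', "..", and empty labels never reach a path. */
static int sni_normalize_host(const char *host, char *out, size_t outlen)
{
    size_t n = strlen(host), i, label = 0;
    if (n == 0 || n > SNI_MAX_HOST || n >= outlen) return -1;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)host[i];
        if (c == '.') {
            if (label == 0 || host[i - 1] == '-') return -1;
            label = 0;
        } else if (c < 128 && (isalnum(c) || (c == '-' && label > 0))) {
            if (++label > 63) return -1;
        } else return -1;
        out[i] = (char)tolower(c);
    }
    if (label == 0 || host[n - 1] == '-') return -1;
    out[n] = '\0';
    return 0;
}

/* Substitute name for the first "%host%" in tmpl; -1 if absent or too long. */
static int sni_expand(const char *tmpl, const char *name, char *out, size_t outlen)
{
    const char *p = strstr(tmpl, "%host%");
    int w = p ? snprintf(out, outlen, "%.*s%s%s", (int)(p - tmpl), tmpl, name, p + 6) : -1;
    return (w < 0 || (size_t)w >= outlen) ? -1 : 0;
}

/* paths[0] = exact-host file, paths[1] = parent-domain file (wildcard guess).
   Returns the number of candidates to try in order, or -1 to reject. */
int sni_cert_candidates(const char *tmpl, const char *host, char paths[2][SNI_PATH_LEN])
{
    char name[SNI_MAX_HOST + 1];
    const char *parent;
    if (sni_normalize_host(host, name, sizeof(name)) != 0) return -1;
    if (sni_expand(tmpl, name, paths[0], SNI_PATH_LEN) != 0) return -1;
    parent = strchr(name, '.');
    /* a wildcard covers one label; never fall back to a bare TLD file */
    if (parent == NULL || strchr(parent + 1, '.') == NULL) return 1;
    if (sni_expand(tmpl, parent + 1, paths[1], SNI_PATH_LEN) != 0) return -1;
    return 2;
}
```

A caller would try each returned path in order and fall back to the default certificate when none exists or the function returns -1.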