On 9 January 2014 16:28, Larry <nginx-fo...@nginx.us> wrote:
> I would like to be able to "load" the right cert according to the cookie set
> and request uri.
> A sort of dynamic setting.
> So, what is the workaround I could use to avoid creating one file per new
> (self-signed) certificate issued?
Your problem is that, irrespective of Nginx's feelings about using a variable in the ssl_certificate directive, what you're trying to configure is a HTTP/SSL layering violation. The information you want to use to choose the correct cert is communicated inside the HTTP request (usually people ask about using the Host header; you're asking here about cookies). But this information is not available to the SSL libraries until /after/ the SSL channel has been set up - which can't be done until a cert has been selected. It's a catch-22 situation.

SNI /can/ help with this, as it transmits the host header in the clear during SSL negotiation, but client support can prove limited (browsers on XP, IIRC, don't support it). I'm not sure, but I don't believe SNI communicates enough extra information (cookies and/or request paths) for you to achieve what you want to here.

The usual suggestion for this situation is either to separate out sites, one per IP; or to look at wildcard certs or UCC/SAN certs.

You've mentioned self-signed certs, which suggests you may have some control over the clients' root CAs - is this the case? You could perhaps automate UCC/SAN cert issuance based on your current whitelist of unrevoked certs ...

tl;dr Buy some IPv4 space and use an IP per subdomain.

Jonathan

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
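To make the layering point above concrete, here is an added example (not code from the thread, nginx, or either poster) that builds a minimal TLS ClientHello with a server_name (SNI) extension and then parses it the way a server has to before any certificate is chosen. The only application-layer hint available at that moment is the SNI hostname; the cookie and request path do not exist yet, because they travel inside the encrypted HTTP request that follows the handshake. The hostnames, the certificate paths and the ClientHello bytes are all constructed for this example.

```python
import struct

# Hypothetical hostname -> certificate mapping, as a server might hold it.
# A cookie- or path-keyed mapping cannot exist here: neither value is
# available until after the handshake the certificate is needed for.
CERT_MAP = {
    "app.example.test": "/etc/ssl/app.example.test.pem",
    "api.example.test": "/etc/ssl/api.example.test.pem",
}
DEFAULT_CERT = "/etc/ssl/default.pem"


def build_client_hello(hostname):
    """Construct a minimal TLS 1.2 ClientHello record (constructed sample, not a
    full handshake implementation). hostname=None omits the extensions block,
    which is what an SNI-less client such as an old XP browser would send."""
    body = (
        b"\x03\x03"            # client_version: TLS 1.2
        + b"\x00" * 32         # random (zeroed for the example)
        + b"\x00"              # session_id length 0
        + b"\x00\x02\xc0\x2f"  # cipher_suites: one suite
        + b"\x01\x00"          # compression_methods: null only
    )
    if hostname is not None:
        host = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type host_name
        name_list = struct.pack("!H", len(entry)) + entry
        sni_ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list
        body += struct.pack("!H", len(sni_ext)) + sni_ext
    # Handshake header: type client_hello (1) + 3-byte length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content_type handshake (0x16), legacy version, length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from a ClientHello's SNI extension, or None.
    Anything that is not a handshake record (e.g. plaintext HTTP) yields None."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                   # skip version + random
    pos += 1 + body[pos]                           # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                           # compression_methods
    if pos + 2 > len(body):
        return None                                # no extensions at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype == 0x0000:                        # server_name extension
            list_len = struct.unpack("!H", data[0:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                ntype = data[p]
                nlen = struct.unpack("!H", data[p + 1:p + 3])[0]
                name = data[p + 3:p + 3 + nlen]
                p += 3 + nlen
                if ntype == 0:
                    return name.decode("ascii")
    return None


def choose_certificate(record, cert_map=CERT_MAP, default=DEFAULT_CERT):
    """Pick a certificate using the only pre-handshake hint there is: SNI.
    Unknown or absent hostnames fall back to the default certificate."""
    return cert_map.get(extract_sni(record), default)


if __name__ == "__main__":
    for host in ("app.example.test", "other.example.test", None):
        print(host, "->", choose_certificate(build_client_hello(host)))
```

This is exactly the decision nginx makes for you when several `server` blocks listen on the same IP with different `server_name` and `ssl_certificate` settings: the hostname in SNI selects the block, and the first block (or the one marked `default_server`) answers clients that send no SNI at all. No equivalent hook exists for cookies or request URIs, which is the catch-22 the reply describes.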