Hello!

On Tue, Jul 5, 2016 at 11:57 PM, Christian Rohmann wrote:
> On 07/04/2016 12:31 PM, Sushma wrote:
>> Or is there a way, nginx will be able to dynamically figure out the cert to
>> be presented without it being explicitly mentioned via the directive
>> ssl_certificate?
>
> After some research not statically by configuration. But using a bit of
> lua could offer a way to maybe make this happen. Something like:
> https://litespeed.io/dynamic-tls-certificates-with-openresty-and-ssl_certificate_by_lua/
>

Aye. CloudFlare, for example, has been using ssl_certificate_by_lua*
with the ngx.ssl Lua module to lazily load a *lot* of SSL certificates
and private keys from remote services (via nonblocking IO) only on
demand in its global SSL gateway network for a long time.

With lazy loading and local caching (via lua_shared_dict and/or
lua-resty-lrucache), the flexibility and performance can both be
excellent.

You can not only look up your SSL credentials via SNI, but also via
the server IP address the client is accessing (for older SSL clients
that do not support TLS SNI).

The formal documentation for this feature is:

    https://github.com/openresty/lua-nginx-module/#ssl_certificate_by_lua_block

    https://github.com/openresty/lua-resty-core/blob/master/lib/ngx/ssl.md#readme

Even dynamic OCSP stapling is supported ;)

The easiest way to get everything set up is to use the OpenResty bundle BTW:

    http://openresty.org/en/

Have fun!

Best regards,
-agentzh
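
The lazy-load-and-cache pattern described in the message above, as an added example that is not part of the original thread and not CloudFlare's or OpenResty's own code. It assumes a current lua-resty-core and lua-resty-lrucache; the module name `dyncert`, the `/etc/nginx/certs` layout and the `ip-a.b.c.d` key format are hypothetical.

```lua
-- dyncert.lua (added example). nginx.conf: ssl_certificate_by_lua_block { require("dyncert").serve() }
-- nginx still requires static ssl_certificate / ssl_certificate_key; they remain the fallback here.
local ssl = require "ngx.ssl"
local cache = assert(require("resty.lrucache").new(1000))  -- per-worker cache of parsed pairs
local CERT_DIR = "/etc/nginx/certs"  -- assumed layout: <key>.crt and <key>.key

local function read_file(path)  -- blocking disk read; a remote store would use cosockets
    local f = io.open(path, "rb")
    if not f then return nil end
    local data = f:read("*a"); f:close()
    return data
end

-- The SNI name is client-controlled: accept only hostname characters before building a path.
local function lookup_key()
    local name = ssl.server_name()
    if name then
        name = name:lower()
        local ok = #name <= 253 and name:find("^[a-z0-9][a-z0-9%.%-]*$") and not name:find("..", 1, true)
        return ok and name or nil
    end
    local addr, addrtype = ssl.raw_server_addr()  -- no SNI: key on the server IP instead
    return addrtype == "inet" and ("ip-%d.%d.%d.%d"):format(addr:byte(1, 4)) or nil
end

local function load_pair(key)
    local pair = cache:get(key)
    if pair then return pair end
    local cert_pem = read_file(CERT_DIR .. "/" .. key .. ".crt")
    local key_pem = read_file(CERT_DIR .. "/" .. key .. ".key")
    if not (cert_pem and key_pem) then return nil end
    local chain, cerr = ssl.parse_pem_cert(cert_pem)
    local pkey, kerr = ssl.parse_pem_priv_key(key_pem)
    if not (chain and pkey) then
        ngx.log(ngx.ERR, "unusable credentials for ", key, ": ", cerr or kerr)
        return nil
    end
    pair = { chain = chain, pkey = pkey }
    cache:set(key, pair, 300)  -- keep parsed objects for 5 minutes
    return pair
end

return { serve = function()
    local key = lookup_key()
    local pair = key and load_pair(key)
    if not pair then return end  -- unknown or invalid name: static fallback certificate is served
    assert(ssl.clear_certs())
    assert(ssl.set_cert(pair.chain))
    assert(ssl.set_priv_key(pair.pkey))
end }
```

The parsed certificate and key objects are cdata, so they can only live in the per-worker lrucache; a lua_shared_dict shared across workers would hold the PEM or DER strings instead.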