Last active
February 5, 2025 00:46
-
-
Save nginx-gists/c12bbe06965274de78a7b069ac10f24d to your computer and use it in GitHub Desktop.
Optimizing Resource Usage for Complex SSL Configurations in NGINX
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| server { | |
| listen 443 ssl; | |
| ssl_certificate /etc/ssl/$ssl_server_name.crt; # Lazy load from SNI | |
| ssl_certificate_key /etc/ssl/$ssl_server_name.key; # ditto | |
| ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1; | |
| ssl_prefer_server_ciphers on; | |
| location / { | |
| proxy_set_header Host $host; | |
| proxy_pass http://my_backend; | |
| } | |
| } | |
| # vim: syntax=nginx |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| location /a { | |
| proxy_ssl_certificate client.crt; | |
| proxy_ssl_certificate_key client.key; | |
| proxy_ssl_trusted_certificate upstream-ca.pem; | |
| proxy_ssl_verify on; | |
| # ...other configuration | |
| proxy_pass https://example.com/; | |
| location /a/test { | |
| # no other proxy_ssl_ directives in this block; | |
| # the SSL context can be shared with the parent location | |
| proxy_ssl_name test.example.com; | |
| proxy_pass https://test.example.com/; | |
| } | |
| } | |
| # vim: syntax=nginx |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| map $ssl_server_name $current_upstream { | |
| hostnames; | |
| test.example.com u1; | |
| *.example.com u2; | |
| default u3; | |
| } | |
| server { | |
| listen 443 ssl; | |
| ssl_certificate /etc/ssl/$ssl_server_name.crt; | |
| ssl_certificate_key /etc/ssl/$ssl_server_name.key; | |
| ssl_certificate_cache max=64; | |
| location / { | |
| proxy_ssl_certificate /etc/ssl/auth/$current_upstream.crt; | |
| proxy_ssl_certificate_key /etc/ssl/auth/$current_upstream.key; | |
| proxy_ssl_certificate_cache max=6 inactive=20s valid=1m; | |
| proxy_pass https://$current_upstream/; | |
| location /nocache { | |
| proxy_ssl_certificate_cache off; | |
| } | |
| } | |
| } | |
| # vim: syntax=nginx |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| upstream test_upstream { ... } | |
| server { | |
| listen 127.0.0.1:8080; | |
| location /0 { | |
| proxy_ssl_certificate 0000.crt; | |
| proxy_ssl_certificate_key 0000.key; | |
| proxy_pass https://test_upstream/; | |
| } | |
| location /1 { | |
| proxy_ssl_certificate 0001.crt; | |
| proxy_ssl_certificate_key 0001.key; | |
| proxy_pass https://test_upstream/; | |
| } | |
| # locations /2 .. /9998 | |
| location /9999 { | |
| proxy_ssl_certificate 9999.crt; | |
| proxy_ssl_certificate_key 9999.key; | |
| proxy_pass https://test_upstream/; | |
| } | |
| } | |
| # vim: syntax=nginx |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment