Nginx 教程


Nginx功能概述 为什么选择Nginx Nginx安装 常见问题(FAQ) 配置符号参考 调试 nginx 优化 Nginx 运行和控制Nginx


Nginx事件模块 Nginx主模块


Browser模块 Charset模块 Geo模块 HttpAccess模块 HttpAuthBasic模块 HttpAutoindex模块 HttpEmptyGif模块 HttpFcgi模块 HttpGzip模块 HttpHeaders模块 HttpIndex模块 HttpIndex模块. HttpLimit zone HttpLimitReqest模块 HttpLog模块 HttpProxy模块 HttpRewrite模块 HttpSSI模块 HttpUserId http核心模块 map Memcached


Addition模块 EmbeddedPerl flv GooglePerftools HttpDav模块 HttpGeoIP HttpGzipStatic HttpImageFilter HttpRealIp HttpSecureLink HttpSSL HttpSubstitution HttpXSLT RandomIndex StubStatus模块


MailAuth MailCore MailProxy MailSSL


nginx php-fpm安装配置 nginx在fedora上的安装 nginx在freebsd上的安装 nginx在ubuntu上的安装 nginx在windows上的安装


HWLoadbalancerCheckErrors nginx防盗链 负载均衡 完整例子 完整例子2 虚拟主机


This module enables HTTPS support.

It supports checking client certificates with two limitations:

  • it is not possible to assign the list of the abolished certificates (revocation lists)
  • if you have a chain certificate file (sometimes called an intermediate certificate) you don't specify it separately like you do in Apache. Instead you need to add the information from the chain cert to the end of your main certificate file. This can be done by typing "cat chain.crt >>" on the command line. Once that is done you won't use the chain cert file for anything else, you just point Nginx to the main certificate file.

By default the module is not built, it is necessary to specify that it be built with with the --with-http_ssl_module parameter to ./configure. Building this module requires the OpenSSL libraries and include-files, often are the necessary files in separate packages.

The following is an example configuration, to reduce the CPU load it is recommended to run one worker process only and to enable keep-alive connections:

worker_processes 1;
http {

  server {
    listen               443;
    ssl                  on;
    ssl_certificate      /usr/local/nginx/conf/cert.pem;
    ssl_certificate_key  /usr/local/nginx/conf/cert.key;
    keepalive_timeout    70;


When using chain certificates, just append the extra certificates into your .crt file (cert.pem in the example). Your own certificate needs to be on top of the file, otherwise key get a mismatch with the key.

Generate Certificates

To generate dummy certficates you can do this steps:

$ cd /usr/local/nginx/conf
$ openssl genrsa -des3 -out server.key 1024
$ openssl req -new -key server.key -out server.csr
$ cp server.key
$ openssl rsa -in -out server.key
$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt 

Configure the new certificate into nginx.conf:

server {

    server_name YOUR_DOMAINNAME_HERE;
    listen 443;
    ssl on;
    ssl_certificate /usr/local/nginx/conf/server.crt;
    ssl_certificate_key /usr/local/nginx/conf/server.key;


Restart Nginx.

Now all ready to access using:




syntax:*ssl [on|off]*

default:*ssl off*

context:*main, server*

Enables HTTPS for a server.


syntax:*ssl_certificate file*

default:*ssl_certificate cert.pem*

context:*main, server*

Indicates file with the certificate in PEM format for this virtual server. The same file can contain other certificates, and also secret key in PEM format. Since version 0.6.7 the file path is relative to directory of nginx configuration file nginx.conf, but not to nginx prefix directory.


syntax:*ssl_certificate_key file*

default:*ssl_certificate_key cert.pem*

context:*main, server*

Indicates file with the secret key in PEM format for this virtual server. Since version 0.6.7 the filename path is relative to directory of nginx configuration file nginx.conf, but not to nginx prefix directory.


syntax:*ssl_client_certificate file*


context:*main, server*

Indicates file with certificates CA in PEM format, utilized for checking the client certificates.


syntax:*ssl_dhparam file*


context:*main, server*

Indicates file with Diffie-Hellman parameters in PEM format, utilized for negotiating TLS session keys.


syntax:*ssl_ciphers file*

default:*ssl_ciphers ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP*

context:*main, server*

Directive describes the permitted ciphers. Ciphers are assigned in the formats supported by OpenSSL, for example:


Complete list can be looked with the following command:

 openssl ciphers 


syntax:*ssl_crl file*


context:*http, server*

This directive (0.8.7+) specifies a file with the revoked certificates (CRL) in the PEM, which is used to check for client certificates.


syntax:*ssl_prefer_server_ciphers [on|off]*

default:*ssl_prefer_server_ciphers off*

context:*main, server*

Requires protocols SSLv3 and TLSv1 server ciphers be preferred over the client's ciphers.


syntax:*ssl_protocols [SSLv2] [SSLv3] [TLSv1]*

default:*ssl_protocols SSLv2 SSLv3 TLSv1*

context:*main, server*

Directive enables the protocols indicated.


syntax:*ssl_verify_client on|off|ask*

default:*ssl_verify_client off*

context:*main, server*

Directive enables verifying client certificates. Parameter 'ask' checks a client certificate if it was offered.


syntax:*ssl_verify_depth number*

default:*ssl_verify_depth 1*

context:*main, server*

Sets depth checking in the chain of client certificates.


syntax:*ssl_session_cache off|none|builtin:size and/or shared:name:size*

default:*ssl_session_cache off*

context:*main, server*

The directive sets the types and sizes of caches to store the SSL sessions.
The cache types are:

  • off -- Hard off: nginx says explicitly to a client that sessions can not reused.
  • none -- Soft off: nginx says to a client that session can be resued, but nginx actually never reuses them. This is workaround for some mail clients as ssl_session_cache may be used in mail proxy as well as in HTTP server.
  • builtin -- the OpenSSL builtin cache, is used inside one worker process only. The cache size is assigned in the number of the sessions. Note: there appears to be a memory fragmentation issue using this method, please take that into consideration when using this. See "References" below.
  • shared -- the cache is shared between all worker processes. The size of cache is assigned in the bytes, 1 MB cache can contain about 4000 sessions. Each shared cache must have arbitrary name. Cache with the same name can be used in several virtual servers.

It is possible to use both types of cache simultaneously, for example:

 ssl_session_cache  builtin:1000  shared:SSL:10m; 

However, the only shared cache usage without that builtin should be more effective.


syntax:*ssl_session_timeout time*

default:*ssl_session_timeout 5m*

context:*main, server*

Assigns the time during which the client can repeatedly use the parameters of the session, which is stored in the cache.

This module supports several nonstandard error codes which can be used for debugging with the aid of directive error_page:

  • 495 - error checking client certificate
  • 496 - client did not grant the required certificate
  • 497 - normal request was sent to HTTPS

Debugging is done after the request is completely dismantled and are accessible via variables such as $request_uri, $uri, $arg and others. Built-in variables Module ngx_http_ssl_module supports several built-in variables:

  • $ssl_cipher returns the line of those utilized it is cipher for established SSL-connection
  • $ssl_client_serial returns the series number of client certificate for established SSL-connection
  • $ssl_client_s_dn returns line subject DN of client certificate for established SSL-connection
  • $ssl_client_i_dn returns line issuer DN of client certificate for established SSL-connection
  • $ssl_protocol returns the protocol of established SSL-connection



This allows specifying the OpenSSL engine to use, like Padlock for example. It requires a more recent version of OpenSSL.


Original DocumentationSSL Memory Fragmentation and new default status for ssl_session_cache