Configure "Dynamic Routing Based On Redis" to use SSL


Allan Moraes

Oct 27, 2016, 3:48:36 PM
to openresty-en
Currently I use dynamic routing to redirect access to Docker containers, always over HTTP.
Now what I need:
When I access https://exemplo.com, use certificate "A", and when I access https://exemplo.net, use certificate "B", without a service reload.

Itamar Gilad

Oct 30, 2016, 4:35:47 AM
to openre...@googlegroups.com
If I understand correctly, your setup uses a reverse proxy in front of the target servers (one reverse proxy used to access exemplo.com and exemplo.net from your example).
To handle SSL correctly, it is advised to do the SSL termination at the reverse proxy (meaning that the proxy will require access to the certificates and will be the one negotiating the connection). If you really want to, you can do this without terminating the SSL session using HAProxy, but I won't cover that here since I assume that's not what you meant.
If you have a static setup with a reasonable number of servers, you can just configure this manually and nginx will do most of the work: specify the server name in the site config file and listen for SSL connections, and nginx will redirect the requests without the need for a balancer by Lua.
If you need to support many different servers, look into the ssl_certificate_by_lua* directives. They let you know which server name was requested and specify the certificate and key to use in a very effective way.

Best regards,
-Itamar

--
Best regards,
Itamar Gilad
CTO & co-founder, Metapacket

jona...@findmeon.com

Nov 7, 2016, 10:40:48 AM
to openresty-en
If you have a small number of domains, you are better off changing the certificates and doing a reload.  nginx does graceful reloads, so there isn't any downtime.

If you use the ssl_certificate_by_lua directives, then you have to write something to trigger a reload/change of the certificates, decide how long to cache them, how/where to cache them, etc.  That is the *technical* directive to accomplish your goals, but it requires a lot of support work to implement correctly.  You are almost always better off doing a graceful reload.
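
The per-hostname certificate selection and the caching decisions discussed in the replies above, as an added example that is not part of the original thread. It assumes lua-resty-core and lua-resty-redis are available, a local Redis at 127.0.0.1:6379, a hypothetical key layout of one hash `cert:<hostname>` with PEM fields `crt` and `key`, placeholder fallback certificate paths, and a 300-second cache TTL.

```nginx
http {
    lua_shared_dict tls_pem 10m;  # PEM cache shared by all workers
    server {
        listen 443 ssl;
        server_name _;
        # Fallback pair (placeholder paths), served when no per-host cert is found.
        ssl_certificate     /etc/nginx/ssl/fallback.crt;
        ssl_certificate_key /etc/nginx/ssl/fallback.key;

        ssl_certificate_by_lua_block {
            local ssl = require "ngx.ssl"
            local name = ssl.server_name()
            if not name then return end        -- no SNI: keep the fallback
            name = name:lower()

            local cache = ngx.shared.tls_pem
            local crt, key = cache:get("crt:" .. name), cache:get("key:" .. name)
            if not (crt and key) then
                -- Assumed layout: Redis hash cert:HOST with PEM fields crt and key.
                local red = require("resty.redis"):new()
                red:set_timeout(200)           -- milliseconds
                local ok, err = red:connect("127.0.0.1", 6379)
                if not ok then
                    ngx.log(ngx.ERR, "redis connect failed: ", err)
                    return
                end
                local res, rerr = red:hmget("cert:" .. name, "crt", "key")
                red:set_keepalive(10000, 16)
                if not res or res[1] == ngx.null or res[2] == ngx.null then
                    ngx.log(ngx.WARN, "no certificate for ", name, ": ", rerr)
                    return
                end
                crt, key = res[1], res[2]
                cache:set("crt:" .. name, crt, 300)   -- TTL bounds staleness
                cache:set("key:" .. name, key, 300)
            end

            local chain, e1 = ssl.parse_pem_cert(crt)
            local pkey, e2 = ssl.parse_pem_priv_key(key)
            if not (chain and pkey) then
                ngx.log(ngx.ERR, "bad PEM for ", name, ": ", e1 or e2)
                return
            end
            ssl.clear_certs()
            ssl.set_cert(chain)
            ssl.set_priv_key(pkey)
        }
    }
}
```

With this layout a replaced certificate is picked up once the cached entry expires, so the TTL is the upper bound on how long a rotated or revoked key keeps being served. Private keys sit in Redis and in shared memory in PEM form, so access to both needs to be restricted accordingly.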

Timothy Gallagher

Dec 1, 2016, 1:45:46 PM
to openresty-en