TL;DR:
Any nginx setting to say 'if a vhost's ssl settings are broken, skip it and
don't fail to start' ?
I've certainly RTFM'd this and peered at the source, but I figured I might
as well throw it out there, in case there's some hidden setting I've missed.
I'm building a reverse proxy config for thousands of SSL virtual hosts, to
replace an apache solution.
It very often happens that someone in support will make a mistake with
regards to certs/keys. E.g. updating someone's SSL cert but actually
putting the CSR there instead.
In apache, since the config is being generated out of mod_perl, I can get
around this situation by having mod_perl do a modulus check on the cert and
key and skip the vhost if they don't match. In my case, I'd far prefer to
have a missing vhost and have the other 1000 sites working, than all down.
And, yes, I realize in default apache, it'd just fail to load. And also,
yes, I realize asking something to ignore broken configs is a bit
non-standard :)
Since I don't have mod_perl at my fingertips in nginx to perform a similar
trick, the startup will just fail.
So I was curious if there's some obscure setting to tell nginx "if a vhost
fails to loads its cert properly (or potentially any other vhost setting),
skip it and continue loading the rest"?
If such a thing did exist, I imagine that the configtest would have to turn
errors for that vhost into warnings as well.
My guess is obviously 'no', but I figured asking woud only cost me the time
it takes to compose an email.
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Any nginx setting to say 'if a vhost's ssl settings are broken, skip it and
don't fail to start' ?
I've certainly RTFM'd this and peered at the source, but I figured I might
as well throw it out there, in case there's some hidden setting I've missed.
I'm building a reverse proxy config for thousands of SSL virtual hosts, to
replace an apache solution.
It very often happens that someone in support will make a mistake with
regards to certs/keys. E.g. updating someone's SSL cert but actually
putting the CSR there instead.
In apache, since the config is being generated out of mod_perl, I can get
around this situation by having mod_perl do a modulus check on the cert and
key and skip the vhost if they don't match. In my case, I'd far prefer to
have a missing vhost and have the other 1000 sites working, than all down.
And, yes, I realize in default apache, it'd just fail to load. And also,
yes, I realize asking something to ignore broken configs is a bit
non-standard :)
Since I don't have mod_perl at my fingertips in nginx to perform a similar
trick, the startup will just fail.
So I was curious if there's some obscure setting to tell nginx "if a vhost
fails to loads its cert properly (or potentially any other vhost setting),
skip it and continue loading the rest"?
If such a thing did exist, I imagine that the configtest would have to turn
errors for that vhost into warnings as well.
My guess is obviously 'no', but I figured asking woud only cost me the time
it takes to compose an email.
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx