Nginx SSL variables

March ~ 2019

Dynamic SSL configurations are now supported in Nginx (>1.15.9)!
Combined with Let's Encrypt, you can easily get a web server with minimal config that is capable of renewing SSL certificates with no downtime or reloads.

Three things you need to know:

  1. You currently need to install the mainline version of Nginx
  2. Use $ssl_server_name instead of $server_name
  3. Give the Nginx worker processes read access to the certificates

server {
    listen 443 ssl http2;
    root /var/www;

    ssl_certificate /etc/letsencrypt/live/$ssl_server_name/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$ssl_server_name/privkey.pem;
}
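
To check point 3 before switching to variable paths, the following added example (not part of the original post) reports, for whichever user runs it, any domain under a Let's Encrypt-style live directory whose `fullchain.pem` or `privkey.pem` is missing or unreadable, and any private key that is world-readable. The function name `check_cert_access` and the worker user name `www-data` are assumptions.

```sh
#!/bin/sh
# Added example: audit certificate access for dynamic ssl_certificate paths.
# Run as the Nginx worker user (assumed here to be www-data), e.g.:
#   sudo -u www-data sh check_certs.sh /etc/letsencrypt/live

# Prints one line per finding; returns 0 only if every domain is usable.
check_cert_access() {
    live_dir=$1
    rc=0
    # If the live directory itself cannot be listed or traversed, the glob
    # below matches nothing, so report that explicitly instead of passing.
    if [ ! -r "$live_dir" ] || [ ! -x "$live_dir" ]; then
        echo "UNREADABLE $live_dir"
        return 1
    fi
    for dir in "$live_dir"/*/; do
        [ -d "$dir" ] || continue
        name=$(basename "$dir")
        for file in fullchain.pem privkey.pem; do
            path=$dir$file
            if [ ! -e "$path" ]; then
                echo "MISSING $name/$file"; rc=1
            elif [ ! -r "$path" ]; then
                echo "UNREADABLE $name/$file"; rc=1
            fi
        done
        # The worker needs to read the key, but nobody else should:
        # flag keys with the "other" read bit set (-L follows symlinks).
        key=${dir}privkey.pem
        if [ -e "$key" ] && [ -n "$(find -L "$key" -prune -perm -004)" ]; then
            echo "WORLD-READABLE $name/privkey.pem"; rc=1
        fi
    done
    return $rc
}

# Stand-alone use: pass the live directory as the first argument.
if [ "$#" -gt 0 ]; then
    check_cert_access "$1"
fi
```

Granting access through a dedicated group that the worker user belongs to keeps the key readable to Nginx without tripping the world-readable check.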

The docs warn of a minor performance hit, so I decided to do a little benchmark using a dedicated DigitalOcean instance (2 vCPU and 4 GB RAM):

Dynamic: ~607 trans/s
Static: ~959 trans/s

Using dynamic SSL paths is ~40% slower but might still be worth it in some scenarios.

Stefan Rasmussen (@okydk)

Full-stack developer and proud founder of grid.studio and F117.