Nginx SSL variables

Dynamic SSL configurations are now supported in Nginx (>1.15.9)!
Combined with LetsEncrypt you can easily get a webserver with minimal config, capable of renewing SSLs with no downtime or reloads.

Three things you need to know:

  1. You currently need to install the mainline version of Nginx
  2. Use $ssl_server_name instead of $server_name
  3. Give read-access to the certificates
server {
	listen 443 ssl http2;
	root /var/www;

	ssl_certificate /etc/letsencrypt/live/$ssl_server_name/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/$ssl_server_name/privkey.pem;

A minor performance hits is warned in the docs, so I decided to de a little benchmark using a dedicated DigitalOcean instance (2vCPU and 4GB ram):

Dynamic: ~607 trans/s
Static: ~959 trans/s

Using dynamic SSL paths is ~40% slower but might still be worth it in some scenarios.

Profile picture

Stefan Rasmussen (@okydk)

Full-stack developer and founder of and F117.