NGINX Plus Release 18 Available with Support for Dynamic Certificate Loading

NGINX has released version 18 (R18) of NGINX Plus, their all-in-one load balancer, content cache, and web server. This release includes support for dynamic certificate loading, enhancements to their OpenID Connect implementation, and the ability to specify port ranges for virtual servers.

With support for dynamic certificate loading, SSL/TLS certificates can now be loaded on demand without needing to list them explicitly in the configuration files. NGINX Plus can now dynamically load the correct certificate based on the hostname provided by Server Name Indication (SNI) during the TLS handshake. This permits hosting multiple secure websites under a single server configuration.

In previous versions of NGINX Plus, each secure hostname needed its own server block in the configuration, statically specifying the certificate and private key as files on disk. This also meant having to reload the configuration whenever a new hostname was added.

With this new feature, it is now possible to only have one server block in the configuration to securely host any number of sites:

server {
    listen 443 ssl;

    ssl_certificate      /etc/ssl/$ssl_server_name.crt; # Lazy load from SNI
    ssl_certificate_key  /etc/ssl/$ssl_server_name.key; # ditto
    ssl_protocols        TLSv1.3 TLSv1.2 TLSv1.1;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_set_header Host $host;
        proxy_pass http://my_backend;
    }
}

With this setup, the certificates are lazy-loaded from disk as needed, based on the value of the $ssl_server_name variable. The certificate and key are then cached in memory (in the filesystem cache). Any variable can be used here as long as its value is available at the time SNI is processed, which happens before the request line and headers are read.

It is also possible to store SSL/TLS certificate data in memory (within the key-value store) instead of as files on disk. This allows certificates to be installed programmatically via the Plus API. NGINX recommends this either for clustered deployments of Plus, since the certificate data only needs to be uploaded once for it to propagate automatically, or for automating integrations with certificate issuers such as HashiCorp Vault.
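As an added illustration of the key-value approach (not code from the article or from NGINX), the script below installs a certificate and key for one SNI hostname into two key-value zones through the Plus API. It assumes a server block that maps $ssl_server_name to a variable with the keyval directive and reads it via the data: form of ssl_certificate; the zone names ssl_cert and ssl_key, the API version number, and the PEM text are assumptions or constructed placeholders.

```python
"""Install a per-hostname certificate and key into NGINX Plus key-value zones
through the Plus API, so a server block that reads them by SNI name via
`ssl_certificate data:$...` picks them up without a configuration reload."""
import json
import re
import urllib.request

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens.
# Single-label names such as "localhost" are deliberately not accepted.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME = re.compile(rf"^{_LABEL}(?:\.{_LABEL})+$")


def normalize_sni(name: str) -> str:
    """Lower-case the SNI name and reject anything that is not a plain DNS
    hostname. The key must match $ssl_server_name exactly, and the SNI value
    is chosen by the client, so only well-formed names get a store entry."""
    name = name.strip().lower().rstrip(".")
    if len(name) > 253 or not _HOSTNAME.match(name):
        raise ValueError(f"not a valid SNI hostname: {name!r}")
    return name


def keyval_entries(sni: str, cert_pem: str, key_pem: str) -> dict:
    """Build the JSON bodies for the two zones (one PEM object each); the
    zone names `ssl_cert` and `ssl_key` are this example's assumption."""
    if "-----BEGIN CERTIFICATE-----" not in cert_pem:
        raise ValueError("cert_pem is not a PEM certificate")
    if "PRIVATE KEY-----" not in key_pem:
        raise ValueError("key_pem is not a PEM private key")
    host = normalize_sni(sni)
    return {"ssl_cert": {host: cert_pem}, "ssl_key": {host: key_pem}}


def upload(api_base: str, entries: dict, api_version: int = 5) -> list:
    """POST each body to /api/<version>/http/keyvals/<zone>. The version
    number is an assumption; check it against your Plus build. Returns the
    HTTP status of each call."""
    statuses = []
    for zone, body in entries.items():
        req = urllib.request.Request(
            f"{api_base}/api/{api_version}/http/keyvals/{zone}",
            data=json.dumps(body).encode(), method="POST",
            headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=5) as resp:
            statuses.append(resp.status)
    return statuses


if __name__ == "__main__":
    # Constructed placeholder PEM text; a real run reads the issuer's files.
    cert = "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"
    key = "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n"
    print(json.dumps(keyval_entries("WWW.Example.COM.", cert, key), indent=1))
```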

In both cases, a performance penalty is incurred during the initial certificate loading. Certificate loading only occurs during the TLS handshake; once the session is established, request processing proceeds normally. According to NGINX, this penalty causes the initial TLS handshake to take 20-30% longer.

This release also includes improvements to the active health checks functionality. It introduces the require directive, which allows testing the value of any variable, both standard and user-defined. The require directive inside a match block specifies one or more variables that must have a non-zero value for the test to pass.

Further improvements to health checks include terminating Layer 4 connections using the proxy_session_drop directive. Previously, established clients could experience a timeout if the server they were connected to was unhealthy, because backend server health status was only considered when a new client attempted to establish a connection. The new proxy_session_drop directive allows the connection to be closed immediately. With this directive enabled, termination of connections can also be triggered by a failure of an active health check or by the removal of the server from the upstream group (e.g. removal through DNS lookup).

Other features available in this release include:

  • OpenID Connect implementation now has support for opaque session tokens, refresh tokens, and a logout URL
  • NGINX Plus servers can now be configured to listen on a range of ports (e.g. 80-90)
  • Key-value pairs can now be created directly with variables in configuration

For more details and additional features included in this release, please review the official announcement on the NGINX blog. NGINX Plus can be trialed as part of the NGINX Application Platform.
