#1 2023-02-09 17:01:48

suoke
Member
Registered: 2023-02-09
Posts: 8
Website

How to convert the SSL configuration file in NGINX mode to ...

How to convert the SSL configuration file in NGINX mode to the mORMot2-master\ex\ThirdPartyDemos\tbo\05-WebMustache?


NGINX SSL LIKE
www.domainname.com.crt
www.domainname.com.key

    server {
        listen       50808;
        server_name  www.domainname.com;

        ssl on;
        ssl_certificate ./www.domainname.com.crt;
        ssl_certificate_key ./www.domainname.com.key;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
        ssl_prefer_server_ciphers on;
       
        index index.html index.htm index.php; 
        error_page  405     =200 $uri;
        location / {
            add_header Access-Control-Allow-Origin *;
        }

    }

Offline

#2 2023-02-09 17:48:37

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,150
Website

Re: How to convert the SSL configuration file in NGINX mode to ...

You need to use OpenSSL to have full access to the mORMot server TLS layer.
Our SChannel/Windows APi layer is very limited.. because SChannel is more limited and more complex than OpenSSL for our purpose.

Then you can specify the needed parameters in the TNetTlsContext you supply to the mORMot HTTP server.
For instance, if you really need TLS1.0 and TLS1.1 - but they are unsafe and should be avoided - you can set AllowDeprecatedTls := true.
With a recent OpenSSL, you will have TLS 1.2 and TLS 1.3 available for mORMot.
Or you can change the certificate depending on the server/host name set during TLS negociation via OnAcceptServerName.
See TOpenSslNetTls.SetupCtx() for how the OpenSSL TLS context is initialized from TNetTlsContext fields.

You can even do a lot more than NGINX, like calling some code callback to validate each certificate if needed...

Offline

#3 2023-02-09 18:00:43

suoke
Member
Registered: 2023-02-09
Posts: 8
Website

Re: How to convert the SSL configuration file in NGINX mode to ...

Thank you very much!
It is recommended that you create a DEMO in your spare time that can implement SSL like NGINX. Users only need to reference *. crt and *. key~

Offline

Board footer

Powered by FluxBB