sxg_certificate
The `sxg_certificate` directive specifies the path to the certificate file required for generating Signed HTTP Exchanges (SXGs).
Description
The sxg_certificate directive is needed to enable Signed HTTP Exchange (SXG) support in NGINX. It belongs in a server block and takes the full path to a certificate file. The certificate must carry the CanSignHttpExchanges extension, which marks it as able to sign HTTP exchanges, and it must use ECDSA256 or ECDSA384. Together with sxg_certificate_key, sxg_cert_url, and sxg_validity_url, this directive lets NGINX generate SXG responses for incoming requests that include the Accept: application/signed-exchange;v=b3 header.
When properly configured, NGINX uses the certificate specified by sxg_certificate to sign the exchanged payloads, ensuring their validity and integrity. Signing uses the private key defined by the sxg_certificate_key directive, with which NGINX creates the cryptographic signatures attached to SXG responses. The file must be accessible to the NGINX server process and meet the security requirements for signing SXGs, so that the resulting signed exchanges are trusted by clients and adhere to web standards.
Config example
    server {
        listen 80;
        server_name example.com;
        sxg_certificate /path/to/certificate.pem;
        sxg_certificate_key /path/to/private.key;
        sxg_cert_url https://example.com/cert.cbor;
        sxg_validity_url https://example.com/validity.json;
    }

Ensure the certificate file has the CanSignHttpExchanges extension; otherwise, SXG generation will fail.
The certificate file and the private key must match; mismatched keys will cause signing errors.
The specified path must be accessible by the NGINX user, or it will lead to permission errors.
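
The checks named in the notes above (extension present, ECDSA key, matching private key, readable files) can be run before reloading NGINX. The script below is an added example, not part of NGINX or the SXG module; the function names are hypothetical, it assumes the `openssl` command-line tool is installed, and it reads ECDSA256/ECDSA384 as the P-256 and P-384 curves.

```shell
#!/bin/sh
# Added example: pre-flight checks for the files named by sxg_certificate
# and sxg_certificate_key. Function names are hypothetical.

SXG_OID='1.3.6.1.4.1.11129.2.1.22'   # OID of the CanSignHttpExchanges extension

# The certificate must carry the CanSignHttpExchanges extension. OpenSSL has
# no short name for it, so -text output shows it as the dotted OID.
sxg_has_extension() {
    openssl x509 -in "$1" -noout -text | grep -qF "$SXG_OID"
}

# The certificate key must be ECDSA on P-256 or P-384
# (OpenSSL curve names: prime256v1, secp384r1). This mapping is an assumption.
sxg_has_allowed_curve() {
    openssl x509 -in "$1" -noout -text |
        grep -Eq 'ASN1 OID: (prime256v1|secp384r1)'
}

# The private key must belong to the certificate: compare the public key in
# the certificate with the public key derived from the private key.
sxg_key_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Run every check, print one line per failure, return 0 only if all pass.
sxg_check() {
    cert=$1 key=$2 rc=0
    [ -r "$cert" ] || { echo "cannot read certificate: $cert"; rc=1; }
    [ -r "$key" ]  || { echo "cannot read private key: $key"; rc=1; }
    [ "$rc" -eq 0 ] || return 1
    sxg_has_extension "$cert" || { echo "missing CanSignHttpExchanges ($SXG_OID)"; rc=1; }
    sxg_has_allowed_curve "$cert" || { echo "key is not ECDSA P-256/P-384"; rc=1; }
    sxg_key_matches "$cert" "$key" || { echo "certificate and key do not match"; rc=1; }
    return "$rc"
}

# Usage: sh sxg_check.sh /path/to/certificate.pem /path/to/private.key
if [ "$#" -eq 2 ]; then sxg_check "$1" "$2"; fi
```

The readability test applies to the account that runs the script, so run it as the user the NGINX process runs under.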