The SSL module is enhanced with pass-phrase dialog support, which is very similar to Apache's SSLPassPhraseDialog.


Syntax: ssl_pass_phrase_dialog [builtin | exec:/path/to/exec]
Default: ssl_pass_phrase_dialog builtin
Context: http, server

Specifies how the pass-phrase for an encrypted private key file is obtained.

It's very similar to Apache's SSLPassPhraseDialog:

  • builtin
    This is the default: an interactive terminal dialog occurs at startup, just before Nginx detaches from the terminal. The administrator has to enter the pass-phrase manually for each encrypted private key file.
  • exec:/path/to/exec
    Here an external program is configured, which is called at startup for each encrypted private key file.
    It is called with two arguments: the first is of the form "servername:portnumber" and the second is either "RSA" or "DSA". Together they indicate the server and algorithm for which the program has to print the corresponding pass-phrase to stdout. The intent is that this external program first runs security checks to make sure that the system has not been compromised by an attacker, and provides the pass-phrase only when these checks have passed.
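One way to write the external program for the exec: mode described above, as an added example that is not part of the original documentation or the project's own code. The pass-phrase directory `PP_DIR`, the `<servername>_<portnumber>_<ALG>` file naming, the function names and the file-permission checks standing in for the "security checks" are all assumptions.

```shell
#!/bin/sh
# Added example: helper for "ssl_pass_phrase_dialog exec:/path/to/exec".
# Arguments as the page describes: $1 = "servername:portnumber", $2 = "RSA" or "DSA".
# Assumed layout (not from the page): one pass-phrase file per key, named
# <servername>_<portnumber>_<ALG>, inside PP_DIR.
PP_DIR="${PP_DIR:-/etc/nginx/passphrases}"   # assumed path

# Accept only "host:port": conservative host characters, one colon, numeric port.
# Rejecting "/" and a leading "." keeps the lookup inside PP_DIR.
valid_target() {
    case "$1" in
        *[!A-Za-z0-9.:_-]*|*:*:*|:*|*:|.*) return 1 ;;
        *:*[!0-9]*) return 1 ;;
        *:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-in for the "security checks": the file must be a regular file (no symlink),
# owned by the calling user, with no group/other permission bits.
safe_file() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ -O "$1" ] || return 1
    case "$(ls -ld "$1")" in
        -r??------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the pass-phrase on stdout only when every check passes; otherwise print nothing.
emit_passphrase() {
    [ "$#" -eq 2 ] || return 2
    valid_target "$1" || return 2
    case "$2" in RSA|DSA) ;; *) return 2 ;; esac
    f="$PP_DIR/$(printf '%s' "$1" | tr ':' '_')_$2"
    safe_file "$f" || return 3
    head -n 1 "$f"
}

# Entry point when called with arguments.
[ "$#" -eq 0 ] || { emit_passphrase "$@"; exit "$?"; }
```

The helper writes nothing to stdout on any failed check, so a rejected request never leaks a partial or wrong pass-phrase.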