OpenResty (Nginx) with dynamically generated certificates

“Dynamically generated certificates can be used as a solution for web inspection (on both URL and content) and blocking (for example denying executable downloads, denying uploads, denying certain URLs, or specific content) of secured connections. Each connection will be proxied through Nginx, and as such the default Nginx content filtering capabilities can be used.

On each HTTPS request the Lua code will check whether the certificate has already been generated. If not, it will generate a new private key, create a certificate signing request, and sign the certificate with the defined certificate authority. The certificate authority needs to be trusted by the client browser. The generation of the certificate is guarded by a lock on the commonname, to prevent multiple certificates for the same commonname being generated at the same time.

This solution builds on the work of @agentzh, one of the developers of OpenResty. The ssl-cert-by-lua branch of the lua-nginx-module enables you to use SSL functions from Lua…”
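The check, lock, generate and install flow described above, written out as an added example (it is not the quoted project's code). It assumes OpenResty's `ngx.ssl` and `lua-resty-lock`, the third-party `lua-resty-openssl` library for key and certificate generation, two `lua_shared_dict` zones named `certs` and `locks`, and a proxy CA key pair at hypothetical paths; the CSR step is folded in, since placing the new public key directly into the certificate is what signing a CSR produces.

```lua
-- Added example, not from the page or the project it describes. Runs in ssl_certificate_by_lua_block and
-- assumes (in nginx.conf) "lua_shared_dict certs 10m; lua_shared_dict locks 1m;", the lua-resty-openssl
-- library, and a proxy CA key pair at the (hypothetical) paths below.
local ssl, lock = require "ngx.ssl", require "resty.lock"
local pkey, x509 = require "resty.openssl.pkey", require "resty.openssl.x509"
local name, ext = require "resty.openssl.x509.name", require "resty.openssl.x509.extension"
local bn, rand, digest = require "resty.openssl.bn", require "resty.openssl.rand", require "resty.openssl.digest"
local certs = ngx.shared.certs                                           -- issued PEMs, keyed by commonname
local CA_CERT, CA_KEY = "/etc/nginx/ca/ca.crt", "/etc/nginx/ca/ca.key"  -- hypothetical paths
local TTL = 7 * 86400                                                    -- leaf validity; cache expires earlier
local function read_file(path)
  local f = assert(io.open(path, "rb")); local s = f:read("*a"); f:close(); return s
end
-- Mint a key pair and a CA-signed leaf certificate for cn. The page's CSR step is folded in:
-- the new public key is placed straight into the certificate, which is what signing a CSR yields.
local function issue(cn)
  local ca_cert, ca_key = assert(x509.new(read_file(CA_CERT))), assert(pkey.new(read_file(CA_KEY)))
  local key, cert = assert(pkey.new({ type = "EC", curve = "prime256v1" })), assert(x509.new())
  assert(cert:set_version(3))
  assert(cert:set_serial_number(bn.from_binary(rand.bytes(16))))  -- serials must be unique per issuer
  assert(cert:set_pubkey(key))
  assert(cert:set_subject_name(name.new():add("CN", cn)))
  assert(cert:set_issuer_name(ca_cert:get_subject_name()))
  local now = os.time()
  assert(cert:set_not_before(now - 60)); assert(cert:set_not_after(now + TTL))
  assert(cert:add_extension(ext.new("subjectAltName", "DNS:" .. cn)))  -- browsers match SAN, not CN
  assert(cert:sign(ca_key, digest.new("sha256")))
  return cert:to_PEM(), key:to_PEM("private")
end

local cn = ssl.server_name()
if not cn then return ngx.exit(ngx.ERROR) end  -- no SNI, so no commonname to issue for
local cert_pem, key_pem = certs:get(cn .. ":cert"), certs:get(cn .. ":key")
if not cert_pem then
  local l = assert(lock:new("locks", { timeout = 5 })); assert(l:lock(cn))  -- one issuer per commonname
  cert_pem, key_pem = certs:get(cn .. ":cert"), certs:get(cn .. ":key")    -- re-check under the lock
  if not cert_pem then
    local ok, c, k = pcall(issue, cn)
    if ok then
      cert_pem, key_pem = c, k
      certs:set(cn .. ":cert", c, TTL - 3600); certs:set(cn .. ":key", k, TTL - 3600)
    else ngx.log(ngx.ERR, "issuing certificate for ", cn, " failed: ", c) end
  end
  l:unlock()
  if not cert_pem then return ngx.exit(ngx.ERROR) end
end
assert(ssl.clear_certs())  -- replace the static server cert with the one for this SNI name
assert(ssl.set_der_cert(assert(ssl.cert_pem_to_der(cert_pem))))
assert(ssl.set_der_priv_key(assert(ssl.priv_key_pem_to_der(key_pem))))
```

The CA private key is the whole trust anchor for every inspected client, so it should be readable only by the worker user and kept off the proxy host's exposed paths; keeping leaf validity short and the cache TTL below it means a cached certificate is never served after it expires.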