cert handling on redirect of https subdomains

Igor Sysoev is at rambler-co.ru
Wed Sep 10 08:42:41 MSD 2008


On Wed, Sep 10, 2008 at 03:59:31AM +0000, Martian Alien wrote:

> Note that the base domain (example.com) redirects fine to WWW (www.example.com).  Then adding a 2nd subdomain, API (api.example.com), returns the WWW certificate rather than the API one and flags a trust concern in most browsers.  Tried a listen field with both api.example.com:443 and the local interface 127.0.0.1:443, all fail in the same way.  Redirect works fine except it returns the incorrect SSL certiicate.
> 
>   server {
>     listen api.example.com:443;
>     server_name  api.example.com api;
> 
>     ssl on;
>     ssl_certificate /opt/local/nginx/certs/api.example.com.crt; 
>     ssl_certificate_key /opt/local/nginx/certs/api.example.com.key; 
> 
>     rewrite ^/(.*) https://www.example.com/$1 permanent;
>   }
> 
>   server {
>     listen api.example.com:80;
>     server_name  api.example.com api;
>     rewrite ^/(.*) http://www.example.com/$1 permanent;
>   }
> 
> Thanks again for looking into this concern,

Is api.example.com the same IP address as www.example.com ?

> > Date: Tue, 9 Sep 2008 10:22:15 +0400
> > From: is at rambler-co.ru
> > To: nginx at sysoev.ru
> > Subject: Re: cert handling on redirect of https subdomains
> > 
> > On Tue, Sep 09, 2008 at 05:51:04AM +0000, Martian Alien wrote:
> > 
> > > Hi Nginx Group,
> > > 
> > > Just wanted to start off by saying nginx is a rad web server!  Na zdrowie!
> > > 
> > > So we've noticed some issues with setting up https ssl certificates over multiple subdomains.
> > > 
> > > The base domain (example.com) and the first subdomain (www.example.com) work beautifully:
> > > 
> > >   server {
> > >     listen www.example.com:443 default;
> > >     server_name www.example.com;
> > > 
> > >     ssl on;
> > >     ssl_certificate /opt/local/nginx/certs/www.example.com.crt; 
> > >     ssl_certificate_key /opt/local/nginx/certs/www.example.com.key; 
> > > 
> > >     location / {
> > >       # ...
> > >     }
> > >   }
> > > 
> > >   server {
> > > 
> > >     listen www.example.com:80 default;
> > > 
> > >     server_name www.example.com;
> > >     location / {
> > > 
> > >       # ...
> > > 
> > >     }
> > > 
> > >   }
> > > 
> > > 
> > >   server {
> > >     listen example.com:443;
> > >     server_name  example.com;
> > > 
> > >     ssl on;
> > >     ssl_certificate /opt/local/nginx/certs/example.com.crt; 
> > >     ssl_certificate_key /opt/local/nginx/certs/example.com.key; 
> > > 
> > >     rewrite ^/(.*) https://www.example.com/$1 permanent;
> > >   }
> > > 
> > >   server {
> > >     server_name  example.com;
> > >     rewrite ^/(.*) http://www.example.com/$1 permanent;
> > >   }
> > > 
> > > NOW, If the following is added, the correct SSL cert for api.example.com is not loaded before the redirect, the www.example.com cert is loaded instead:
> > > 
> > >   server {
> > >     listen 127.0.0.1:443;
> > >     server_name  api.example.com api;
> > > 
> > >     ssl on;
> > >     ssl_certificate /opt/local/nginx/certs/api.example.com.crt; 
> > >     ssl_certificate_key /opt/local/nginx/certs/api.example.com.key; 
> > > 
> > >     rewrite ^/(.*) https://www.example.com/$1 permanent;
> > >   }
> > > 
> > >   server {
> > >     listen 127.0.0.1:80;
> > >     server_name  api.example.com api;
> > >     rewrite ^/(.*) http://www.example.com/$1 permanent;
> > >   }
> > > 
> > > 
> > > Any ideas on how,  to setup multiple SSL / HTTPS subdomains, each with their own cert in nginx?
> > > 
> > > I've tried many conf variants.  At this point, I'm suspecting it is a bug in nginx, but how would that be possible. =)
> > 
> > 127.0.0.1 is loopback interface, do you connect to it from outside ?
> > 
> > 
> > -- 
> > Igor Sysoev
> > http://sysoev.ru/en/
> > 
> 
> _________________________________________________________________
> See how Windows Mobile brings your life together?at home, work, or on the go.
> http://clk.atdmt.com/MRT/go/msnnkwxp1020093182mrt/direct/01/

-- 
Igor Sysoev
http://sysoev.ru/en/





More information about the nginx mailing list