SSL server_name support, single server block plain/SSL, et al in 0.8.x ?

merlin corey merlincorey at dc949.org
Tue Jul 14 04:41:12 MSD 2009


2009/7/13 Igor Sysoev <is at rambler-co.ru>:
> On Mon, Jul 13, 2009 at 12:17:02AM -0700, merlin corey wrote:
>
>> Hello,
>>
>> I had a long chat with a user in the IRC channel about SSL in nginx.
>> Initially, it started out talking about hosting multiple domains with
>> SSL on the same address.  They pointed me to
>> http://tools.ietf.org/html/rfc4366#section-3.1 which seems fairly
>> straightforward and I am curious if there is interest in this or if
>> Igor plans to implement it at some point in future anyway.
>
> nginx supports SNI since 0.5.23. You just need OpenSSL built with
> SNI support. The main issue, however, are browsers: MSIE 6 and Windows XP
> do not support SNI and MSIE 6 is still in use:
> http://weblogs.mozillazine.org/asa/archives/2009/07/internet_explorer_6.html
>
>> Also, through talking with him, he showed me his idea for how the SSL
>> support should work.  It went more or less like this:
>>
>> ssl_certificate      /etc/ssl/custom/supercatchall.crt;
>> ssl_certificate_key  /etc/ssl/custom/supercatchall.key;
>> server {
>>   listen 80;
>>   listen 443;
>>   if(port = 443) {
>>     ssl on;
>>   }
>>   ... normal server config ...
>> }
>> ... repeated for several servers apparently on same IP ...
>>
>> I tried to talk him out of using if and using a separate server block
>> for 443 and 80 ports for each server, and just including common
>> configuration.  Apparently, this does not currently work, but it seems
>> it should be more or less usable, I think he was having problems with
>> using default ssl in the listen line and NginX would not bind multiple
>> times.  At any rate, he also complained about the "roundabout
>> redundancy" of the config.  That got me to thinking, would something
>> like the following be desirable, and how difficult to implement would
>> it be?
>>
>> server {
>>   listen 80;
>>   listen 443;
>>   ssl on 443;
>>   ... normal server config ...
>> }
>>
>> My gut instinct tells me this would be a lot more work than simply
>> allowing multiple SSL hosts per IP address, but it does seem to have a
>> nice ring to it, this late in the day.
>>
>> So to summarize, I am curious if 0.8.x is planned to support multiple
>> SSL hosts per IP, if that feature is even desired by anyone (or maybe
>> other ways to do it, in case I see this problem again!), and finally
>> anyone and everyone's thoughts on the above syntax to unify config for
>> SSL and non SSL (you could still use separate blocks if the
>> configuration is not exactly the same for plain and SSL, of course).

> Since 0.7.14 you can use:
>
>    server {
>       listen 80;
>       listen 443 default ssl;
>       ...
>
Ah perfect, I was ignorant of this change and I see it is already on
the English wiki so I have no excuse really for missing it.  Goodbye
ssl on blah blah; I knew there had to be an easier way :D.  Thanks,
Igor and Denis.

Almir, I'm very aware that you don't need ifs, thank you; I head the
get rid of if's in nginx configurations campaign on IRC :D.

As to this multiple SSL domains on a single IP thing...  I guess I may
as well describe what he was trying to do.  I am not sure if it fits
into SNI, but I will check it out and tell him about it as well.
Basically, he wants to have a bunch of different subdomains on the
same IP to have their own SSL certs and for some reason he does not
want to use wildcard certificates or different ports or anything...
he wants to just have it work, and it doesn't allow it.  I'm not quite
sure what to tell him, aside from what I already have.

Thanks again,
Merlin
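Putting Igor's two points together (SNI since 0.5.23, `listen 443 default ssl` since 0.7.14), here is an added example configuration that is not part of this thread: one server block that answers both plain and SSL without any `if`, plus further SSL hosts on the same IP and port that nginx selects by the hostname the client sends in the SNI extension (RFC 4366 section 3.1). Hostnames, document roots and certificate paths are placeholders; it assumes OpenSSL was built with SNI support.

```nginx
# Added example (not from the thread). example.com names and /etc/ssl/custom
# paths are placeholders. Needs nginx >= 0.7.14 and OpenSSL with SNI support.
http {
    # Block 1: plain and SSL in one server, no "if (port = 443)" needed.
    # "default" also makes this the block that a client WITHOUT SNI
    # (e.g. MSIE 6 on Windows XP) lands in, so the certificate here is
    # the one every non-SNI client will be shown. Later nginx versions
    # spell the parameter "default_server".
    server {
        listen 80;
        listen 443 default ssl;
        server_name www.example.com;

        ssl_certificate      /etc/ssl/custom/www.example.com.crt;
        ssl_certificate_key  /etc/ssl/custom/www.example.com.key;

        location / { root /var/www/www.example.com; }
    }

    # Blocks 2 and 3: more SSL hosts on the SAME ip:port, each with its
    # own certificate. nginx picks the block whose server_name matches
    # the SNI hostname before the certificate is sent, so no wildcard
    # certificate and no extra ports are required.
    server {
        listen 443 ssl;
        server_name shop.example.com;

        ssl_certificate      /etc/ssl/custom/shop.example.com.crt;
        ssl_certificate_key  /etc/ssl/custom/shop.example.com.key;

        location / { root /var/www/shop.example.com; }
    }

    server {
        listen 443 ssl;
        server_name mail.example.com;

        ssl_certificate      /etc/ssl/custom/mail.example.com.crt;
        ssl_certificate_key  /etc/ssl/custom/mail.example.com.key;

        location / { root /var/www/mail.example.com; }
    }
}
```

To confirm the right certificate is served per name, connect with `openssl s_client -connect <ip>:443 -servername shop.example.com` and compare the subject against the same command run without `-servername`, which should return the default block's certificate.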
