How to force SNI only connections, or have a fallback non-SNI server?

Igor Sysoev igor at
Wed Jul 14 11:30:14 MSD 2010

On Tue, Jul 13, 2010 at 04:58:16PM -0300, Tiago Freire wrote:

> Hi,
> I have heard about nginx before, and I am now considering to use it for
> several reasons, perfomance is one of them.
> I have to put several servers with EV certificates behind a single IP
> though, and I noticed nginx supports SNI.
> I know that not all browsers support SNI, but we are developing web
> applications where we can give ourselves the luxury of being a bit picky
> about browser support.
> What was not clear in the documentation was: does enabling SNI support
> forces all connections to be SNI, or old browsers will still 'work'?
> I understood that old browsers would only be able to go to the default
> server.
> If running with SNI still accepts old browsers, is there a configuration
> option to force SNI-only connections?
> Otherwise, is there any way to segregate SNI and non-SNI connections and
> send them to different servers?

Regardless of server SNI support, old browsers get always certificate
of default server and they complain if a server name does not match
a certificate's server name. Theoretically after this you may redirect
them to an other server, but it's too late from user point of view.

Igor Sysoev

More information about the nginx mailing list