How to force SNI only connections, or have a fallback non-SNI server?
igor at sysoev.ru
Wed Jul 14 11:30:14 MSD 2010
On Tue, Jul 13, 2010 at 04:58:16PM -0300, Tiago Freire wrote:
> I have heard about nginx before, and I am now considering using it for
> several reasons, performance is one of them.
> I have to put several servers with EV certificates behind a single IP
> though, and I noticed nginx supports SNI.
> I know that not all browsers support SNI, but we are developing web
> applications where we can give ourselves the luxury of being a bit picky
> about browser support.
> What was not clear in the documentation was: does enabling SNI support
> force all connections to be SNI, or will old browsers still 'work'?
> I understood that old browsers would only be able to go to the default
> If running with SNI still accepts old browsers, is there a configuration
> option to force SNI-only connections?
> Otherwise, is there any way to segregate SNI and non-SNI connections and
> send them to different servers?
Regardless of server SNI support, old browsers always get the certificate
of the default server and they complain if a server name does not match
a certificate's server name. Theoretically after this you may redirect
them to another server, but it's too late from the user's point of view.
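
The behaviour described in the reply above, written out as an nginx configuration. This is an added example, not part of the original message or of nginx's own documentation; the host names (`fallback.example`, `app1.example`, `app2.example`), certificate paths and document root are placeholders.

```nginx
# Added example: all names and paths below are placeholders.

# Default server for the address. A client that sends no SNI (or a name that
# matches no server_name) is handed THIS certificate during the handshake,
# whichever site it meant to reach.
server {
    listen 443 ssl default_server;
    server_name fallback.example;

    ssl_certificate     /etc/nginx/tls/fallback.example.crt;
    ssl_certificate_key /etc/nginx/tls/fallback.example.key;

    # By the time a request reaches this block the certificate has already
    # been presented, so a non-SNI browser asking for app1.example has
    # already shown its name-mismatch warning. The redirect only helps
    # users who click through it.
    location / {
        return 302 https://fallback.example/unsupported-browser.html;
    }
    location = /unsupported-browser.html {
        root /var/www/fallback;
    }

    # Newer nginx releases (1.19.4 and later) can refuse such handshakes
    # outright instead of serving a fallback page:
    #     ssl_reject_handshake on;
}

# Name-based servers: selected only when the ClientHello carries a matching
# SNI name, so each can present its own certificate on the shared IP.
server {
    listen 443 ssl;
    server_name app1.example;

    ssl_certificate     /etc/nginx/tls/app1.example.crt;
    ssl_certificate_key /etc/nginx/tls/app1.example.key;
}

server {
    listen 443 ssl;
    server_name app2.example;

    ssl_certificate     /etc/nginx/tls/app2.example.crt;
    ssl_certificate_key /etc/nginx/tls/app2.example.key;
}
```

`nginx -t` checks the syntax after the placeholders are replaced, and `nginx -V` reports whether the binary was built with TLS SNI support.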