How to force SNI only connections, or have a fallback non-SNI server?

Tiago Freire tiago.freire at gmail.com
Wed Jul 14 20:17:57 MSD 2010


I was hoping that there would be a configuration option on nginx to either:
1) give a 403 error - or whatever error is best fit - when it detects
non-SNI SSL handshake; or
2) redirect non-SNI SSL handshake traffic to a different virtual server.

Is this list the best place to suggest nginx features?


On Wed, Jul 14, 2010 at 4:30 AM, Igor Sysoev <igor at sysoev.ru> wrote:

> On Tue, Jul 13, 2010 at 04:58:16PM -0300, Tiago Freire wrote:
>
> > Hi,
> >
> > I have heard about nginx before, and I am now considering using it for
> > several reasons, performance is one of them.
> >
> > I have to put several servers with EV certificates behind a single IP
> > though, and I noticed nginx supports SNI.
> >
> > I know that not all browsers support SNI, but we are developing web
> > applications where we can give ourselves the luxury of being a bit picky
> > about browser support.
> >
> > What was not clear in the documentation was: does enabling SNI support
> > force all connections to be SNI, or will old browsers still 'work'?
> > I understood that old browsers would only be able to go to the default
> > server.
> >
> > If running with SNI still accepts old browsers, is there a configuration
> > option to force SNI-only connections?
> >
> > Otherwise, is there any way to segregate SNI and non-SNI connections and
> > send them to different servers?
>
> Regardless of server SNI support, old browsers always get the certificate
> of the default server and they complain if a server name does not match
> a certificate's server name. Theoretically after this you may redirect
> them to another server, but it's too late from the user's point of view.
>
>
> --
> Igor Sysoev
> http://sysoev.ru/en/
>



-- 
-----
Tiago Mikhael Pastorello Freire a.k.a. Brazilian Joe
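
Detecting a non-SNI handshake, as asked for in the message above, comes down to checking whether the TLS ClientHello carries a server_name extension (type 0). The following is an added example, not part of the thread and not nginx code: `client_hello_sni`, `build_client_hello`, `handshake_policy` and the host names are hypothetical, and the sample records are constructed rather than captured.

```python
import struct

def client_hello_sni(record: bytes):
    """Return the SNI host name in a TLS ClientHello record, or None if it has none."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            raise ValueError("not a TLS ClientHello record")
        body = record[9:9 + int.from_bytes(record[6:9], "big")]
        pos = 2 + 32                                       # client_version + random
        pos += 1 + body[pos]                               # session_id
        pos += 2 + struct.unpack_from("!H", body, pos)[0]  # cipher_suites
        pos += 1 + body[pos]                               # compression_methods
        if pos >= len(body):
            return None                                    # no extensions block at all
        end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
        pos += 2
        while pos + 4 <= min(end, len(body)):
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            data = body[pos + 4:pos + 4 + ext_len]
            if ext_type == 0:                              # server_name extension
                # data: list length (2), name_type (1, 0 = host_name), length (2), name
                if len(data) < 5 or data[2] != 0:
                    return None
                n = struct.unpack_from("!H", data, 3)[0]
                return data[5:5 + n].decode("ascii")
            pos += 4 + ext_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError) as exc:
        raise ValueError("truncated or malformed ClientHello") from exc

def build_client_hello(host=None):
    """Constructed sample record, not a capture; host=None omits the SNI extension."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    if host is not None:
        name = host.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0, len(sni)) + sni
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def handshake_policy(record: bytes, served_names):
    """Pick the behaviour for a handshake: serve by name, use a fallback, or reject."""
    name = client_hello_sni(record)
    if name is None:
        return "fallback"   # non-SNI client: send to a dedicated server, or refuse
    return name if name.lower() in served_names else "reject"
```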