Host header and SSL

[Kamil Gorlo]

On Fri, Feb 17, 2012 at 1:06 AM, Edho Arief <edho at myconan.net> wrote:
> On Fri, Feb 17, 2012 at 6:18 AM, Kamil Gorlo <kgs4242 at gmail.com> wrote:
>>
>> server {
>>  listen IP1:80 default_server;
>>  listen IP2:80 default_server;
>>  serrver_name _;
>>  return 444;
>> }
>>
>> But this technique simply does not work for SSL. As far I understand
>> correctly there are two techniques to cope with my problem (to prevent
>> https request with non-matching Host header to be served):
>>
>
> It should work (at least passes `nginx -t` in my test).

You mean soultion no. 1 (the one with if in server block, which you -
maybe accidentally - cut off)?

>>
>> 2. using catch-all but slightly more complicated and weird:
>>
>> server {
>>  listen IP3:443 ssl;
>>  server_name some_host.com;
>>
>>  (no ssl_certificate section - it is in catch-all block)
>>
>>  location / {
>>    ...
>>    proxy_set_header Host $host; // safe because of catch-all below
>>  }
>> }
>>
>> server {
>>  listen IP3:443 ssl default_server;
>>  server_name _;
>>
>>  ssl_certificate...
>>
>>  return 444;
>> }
>>
>
> Nothing weird or complicated in this one. It's the preferred method
> but you need to specify ssl_certificate parameters on each server
> blocks. I'm not sure how it behaves on non-SNI environment though.

By writing 'weird' I meant that ssl configuration is not in one place
(in the server_name with corresponding server_name) but instead in
some weird 'server_name _' block which maybe confusing for some
non-experienced Nginx config writers :P

Performance wisely - is 1 and 3 imperceptible?

> Alternatively you can force passing some_host.com as the Host header
> to your proxy:
>
> proxy_set_header Host some_host.com
>

No, this is not exactly what I want because:
 a) it does not work when I have server_name like *.some_host.com (of
course in combination with some wildcard certificate)
 b) it tells backend that user came with some_host.com which is not true

Thanks for your help.

Cheers,

-- 
Kamil