Defining a default server for when vhost does not exist for requested hostname (including blank hostname), for http and https

Ben Johnson ben at indietorrent.org
Fri Mar 28 16:51:17 UTC 2014



On 3/28/2014 11:45 AM, Maxim Dounin wrote:
> Hello!
> 
> On Fri, Mar 28, 2014 at 02:53:18PM +0000, Jonathan Matthews wrote:
> 
>> On 28 March 2014 14:31, Ben Johnson <ben at indietorrent.org> wrote:
>>> Is there any way to avoid this certificate being presented, but still
>>> return the 444 response under the conditions I've described?
>>
>> I'd /suspect/ not, as the 444 response can't be "delivered" (i.e. the
>> connection closed) until sufficient information has been passed over
>> the already-SSL-secured connection. In other words, the cert *has* to
>> be used to secure the channel over which the HTTP request will be
>> made, and only after it's been made can the correct server{} block be
>> chosen and the response delivered - even if the response is simply to
>> close the connection.
> 
> If SNI is used, it's in theory possible to close a connection 
> early (during an SSL handshake, after ClientHello but 
> before sending anything).  The following tickets in trac are 
> related:
> 
> http://trac.nginx.org/nginx/ticket/195
> http://trac.nginx.org/nginx/ticket/214
> 

Thanks for the input, Jonathan and Maxim.

Maxim, when you say, "If SNI is used, it's in theory possible to close a
connection early," do you mean to imply that while possible, this
capability has not yet been implemented in nginx (the tickets are still
open after almost two years)?

Thanks again,

-Ben
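The configuration the thread is discussing, written out as an added example (this is not part of the original thread or of nginx's own documentation). It defines catch-all default servers for port 80 and port 443 that close the connection with nginx's 444 status when no other server block matches the requested hostname, including a blank one. The hostnames and certificate paths are placeholders; the comments restate the constraint Jonathan and Maxim describe: on 443 a certificate must be configured and is presented during the TLS handshake, because nginx cannot select a server block (and so cannot return 444) until the handshake has completed.

```nginx
# Added example, not from the thread. Placeholder paths and names throughout.

# Plain HTTP: no handshake precedes the request, so the connection is closed
# as soon as the Host header fails to match any other server block.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;      # catch-all; only reached when no other server_name matches
    return 444;         # nginx-specific: close the connection, send nothing
}

# HTTPS: the TLS handshake, and therefore this certificate, always comes first.
# The client sees the certificate below even though nginx then closes the
# connection without a response.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;

    # Placeholder paths. Any valid certificate/key pair works; the name in it
    # does not need to match anything, since the connection is dropped anyway.
    ssl_certificate     /etc/nginx/ssl/placeholder-default.crt;
    ssl_certificate_key /etc/nginx/ssl/placeholder-default.key;

    return 444;
}
```

A practical check after reloading is to request an unconfigured name over both ports and confirm that the client receives no HTTP response on either, while on 443 the handshake still completes and the placeholder certificate is visible to the client. The early close during the handshake that Maxim describes as theoretically possible with SNI is a separate mechanism that this configuration does not provide; in releases later than this 2014 thread, nginx added an `ssl_reject_handshake` directive (nginx 1.19.4 and later) for that purpose, which is outside what the thread itself covers.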


