Selection of secure virtual servers

Maxim Dounin mdounin at mdounin.ru
Mon Nov 16 13:51:29 UTC 2015


Hello!

On Sun, Nov 15, 2015 at 12:51:56PM +0000, Francis Daly wrote:

> On Fri, Nov 13, 2015 at 03:37:28PM +0100, Joó Ádám wrote:
> 
> Hi there,
> 
> > I would like to terminate TLS connections arriving at the default
> > server, only serving requests with the correct host header, relying on
> > SNI.
> 
> SSL is fiddly.
> 
> The selection of which https server{} to use is not as straightforward
> as the selection of which http server{} to use.
> 
> If you have one ssl server that you care about, and you do not know that
> everything involved works fully with SNI, the "simple" (but inelegant)
> approach might be to just have a single server{} block with ssl on for
> this ip:port, and use
> 
>   if ($host != "example.com") { return 444; }
> 
> there.

There is no need to do this.  With nginx, server{} blocks 
are selected twice: by SNI, and then by the HTTP Host header.  This 
allows one to happily use server{} blocks even when not using SNI.

-- 
Maxim Dounin
http://nginx.org/
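
The two-stage selection described in the reply above, as a configuration sketch. This is an added example, not part of the original message or nginx's own documentation; the certificate paths and document root are placeholders, and `example.com` and `444` are taken from the thread.

```nginx
# Added example: catch-all plus one named TLS server on the same ip:port.
# Certificate paths and the document root are placeholders.

# Catch-all server. It is used when the name does not match any
# server_name on this listen socket: first for the SNI name during the
# handshake, then again for the Host header of each request.
server {
    listen 443 ssl default_server;
    server_name _;

    # Presented to clients that send no SNI name or an unknown one.
    ssl_certificate     /etc/nginx/tls/PLACEHOLDER-default.crt;
    ssl_certificate_key /etc/nginx/tls/PLACEHOLDER-default.key;

    # Close the connection without sending a response.
    return 444;
}

# The server that should actually answer.
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/nginx/tls/PLACEHOLDER-example.com.crt;
    ssl_certificate_key /etc/nginx/tls/PLACEHOLDER-example.com.key;

    location / {
        root /var/www/PLACEHOLDER-example.com;
    }
}

# Resulting behaviour:
#   SNI example.com, Host example.com -> example.com cert, example.com server
#   no SNI,          Host example.com -> default cert,     example.com server
#   any SNI,         Host other.name  -> request handled by catch-all (444)
```

The second case is the one to check when testing: a client without SNI still reaches the `example.com` block through its Host header, but it is shown the catch-all certificate, so certificate validation on that client depends on what the default server presents.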


