SNI and certs.

Jonathan Vanasco nginx at 2xlp.com
Thu Dec 1 21:33:02 UTC 2016


On Nov 30, 2016, at 5:09 PM, steve wrote:

> Well, no as I've fixed this. However, if you have a probe for site x on https: and it doesn't exist, then the default https site for that IP address will be returned. Depending on configuration, it may still be attributed to the original search domain. I don't understand why people keep trying to shoot me down on this!

This isn't describing a problem with search engines -- you mis-configured nginx, and it is serving content for the default site on both an IP address and domain because you don't have a failover properly configured.

Adding certificates to other domains won't solve this, because you don't have a default behavior.

Stop serving content on the IP address, and you won't have a problem anymore.  

Create an initial default server for failover on the IP address, and have it 400 everything. Do it for http and https. For https you can use a self-signed cert; it doesn't matter as you only need to be a valid protocol.


    # failover http server
    server {
        listen 80 default_server;
        server_name _;
        location / { return 400 "redirect expected\n"; }
    }

    # failover https server
    server {
        listen 443 default_server;
        server_name _;
        location / { return 400 "redirect expected\n"; }

        ssl on;
        # a self-signed cert is fine here
    }

    # configured servers
    server {
        listen 80;
        server_name example.com;
        location / { return 200 "ok\n"; }
    }

    server {
        listen 443;
        server_name example.com;
        location / { return 200 "ok\n"; }

        ssl on;
        # your cert here
    }
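
As an added example (not part of the original post, and not nginx tooling): a small Python check that reads an nginx configuration and reports every listen address with no explicit `default_server`, where nginx falls back to the first server block declared for that address. It assumes a single file with no `include` directives and compares listen addresses as literal strings; `parse_servers`, `implicit_defaults` and the two sample configs are constructed for illustration.

```python
import re

# comment | double-quoted | single-quoted | punctuation | bare word
TOKEN = re.compile(r'''#[^\n]*|"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[{};]|[^\s{};"']+''')

def parse_servers(conf):
    """Return one dict per server{} block with its listen specs and names."""
    servers, stack, words = [], [], []
    for tok in TOKEN.findall(conf):
        if tok.startswith("#"):
            continue
        if tok == "{":
            stack.append(words[0] if words else "")
            if words == ["server"]:
                servers.append({"listen": [], "names": []})
            words = []
        elif tok == "}":
            if stack:
                stack.pop()
            words = []
        elif tok == ";":
            if len(words) > 1 and stack and stack[-1] == "server":
                if words[0] == "listen":
                    servers[-1]["listen"].append(words[1:])
                elif words[0] == "server_name":
                    servers[-1]["names"] += words[1:]
            words = []
        else:
            words.append(tok)
    return servers

def implicit_defaults(conf):
    """Map listen address -> server_names of a block that answers unmatched
    Host/SNI values there only because it is the first block on that address."""
    chosen = {}
    for srv in parse_servers(conf):
        for spec in srv["listen"]:
            explicit = "default_server" in spec[1:]
            # first block wins unless a later one is marked default_server
            if spec[0] not in chosen or (explicit and not chosen[spec[0]][0]):
                chosen[spec[0]] = (explicit, srv["names"])
    return {a: n for a, (explicit, n) in chosen.items() if not explicit}

# Constructed sample configs: a lone site, then the same site behind a catch-all.
SITE = 'server { listen 80; listen 443 ssl; server_name example.com; location / { return 200 "ok\\n"; } }'
CATCH_ALL = 'server { listen 80 default_server; listen 443 ssl default_server; server_name _; return 400; }'
if __name__ == "__main__":
    print(implicit_defaults(SITE))              # the site is the de facto default
    print(implicit_defaults(SITE + CATCH_ALL))  # nothing falls through to it
```

An empty result means every listen address has an explicit catch-all; any address in the result is one where an unknown hostname would be served by the listed site.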

    