AW: AW: SNI and certs.

Lukas Tribus luky-37 at hotmail.com
Tue Nov 29 08:28:41 UTC 2016


> > Any real life experience and evidence backing this?
> yes

Care to elaborate?



> Not sure why you're doubting me here Lukas. Yes, this is a problem. No 
> I'm not making it up.

We know that crawlers like Googlebot try HTTPS as well, even if there is no
https link towards the website. That is well known information and publicly
documented.

What I don't see is why and how that would be a problem, even when HTTPS
is not properly set up for that particular domain.

Does it cause warnings in the webmaster tools? Who cares?
Does it affect your ranking? I doubt it.
Does it index pages or error pages from the default website and assign to
your website? I doubt that even more.



> As such, an incorrect or missing cert will fail, and a missing 
> https server block will be handled by the default one ( or the one 
> alphabetically first if not set ).

So serving a 403 or returning 444 from the default block should be fine.



> it didn't occur to me that search engines would be attempting
> to force https.

Just because they attempt to use HTTPS doesn't mean they fail to handle
the case where HTTPS is not properly set up for this particular website.



The way to properly deal with this would be to abort the TLS handshake.
HAProxy can do this with the strict-sni directive, but nginx does not support
that.



Lukas
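
The two behaviours discussed in this message, side by side, as an added example that is not part of the original post: an nginx catch-all HTTPS block that answers with 444, and an HAProxy bind line using strict-sni. Host names, file paths, backend address and section names are constructed placeholders.

```conf
# ---- nginx (constructed example) -------------------------------------
# Catch-all for any SNI / Host that has no HTTPS server block of its own.
# The TLS handshake still completes with this block's certificate, so a
# client asking for another name sees a certificate mismatch; if it
# continues anyway, nginx closes the connection without a response.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/nginx/tls/catchall.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/catchall.key;   # placeholder path
    return 444;                                        # or: return 403;
}

# The one site that really is set up for HTTPS.
server {
    listen 443 ssl;
    server_name www.example.com;                       # placeholder name
    ssl_certificate     /etc/nginx/tls/www.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/www.example.com.key;
    root /var/www/example;
}

# ---- HAProxy (constructed example) -----------------------------------
# crt points at a directory of PEM files, one per HTTPS-enabled site.
# With strict-sni the handshake is aborted when the client's SNI matches
# none of the loaded certificates, so no default certificate and no HTTP
# response from a default site is ever sent for an unconfigured name.
frontend https_in
    mode http
    bind :443 ssl crt /etc/haproxy/certs/ strict-sni   # placeholder path
    default_backend web

backend web
    mode http
    server app1 127.0.0.1:8080                         # placeholder backend
```

The nginx variant rejects at the HTTP layer after the handshake; the HAProxy variant rejects during the handshake itself.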



