cert handling on redirect of https subdomains
Chris Savery
chrissavery at gmail.com
Wed Sep 10 08:31:59 MSD 2008
I have also noticed some unusual behaviour with ssl server configs. I
found that some items put in http were better to be put again in the
server section. In particular, I found that if fastcgi_params was
"included" in http (and worked fine with non-ssl sections) then inside
an ssl server it would cross post values from one domain to another. I
fixed it by including the fastcgi_params again inside the ssl server. I
have no idea why that worked or why it wouldn't behave as expected in
the first place but you may try something similar to see if it helps.
Chris :)
Martian Alien wrote:
> Note that the base domain (example.com) redirects fine to WWW
> (www.example.com). Then adding a 2nd subdomain, API
> (api.example.com), returns the WWW certificate rather than the API one
> and flags a trust concern in most browsers. Tried a listen field with
> both api.example.com:443 and the local interface 127.0.0.1:443, all
> fail in the same way. Redirect works fine except it returns the
> incorrect SSL certificate.
>
> server {
> listen api.example.com:443;
> server_name api.example.com api;
>
> ssl on;
> ssl_certificate /opt/local/nginx/certs/api.example.com.crt;
> ssl_certificate_key /opt/local/nginx/certs/api.example.com.key;
>
> rewrite ^/(.*) https://www.example.com/$1 permanent;
> }
>
> server {
> listen api.example.com:80;
> server_name api.example.com api;
> rewrite ^/(.*) http://www.example.com/$1 permanent;
> }
>
> Thanks again for looking into this concern,
> Martian
>
> ------------------------------------------------------------------------
> > Date: Tue, 9 Sep 2008 10:22:15 +0400
> > From: is at rambler-co.ru
> > To: nginx at sysoev.ru
> > Subject: Re: cert handling on redirect of https subdomains
> >
> > On Tue, Sep 09, 2008 at 05:51:04AM +0000, Martian Alien wrote:
> >
> > > Hi Nginx Group,
> > >
> > > Just wanted to start off by saying nginx is a rad web server! Na zdrowie!
> > >
> > > So we've noticed some issues with setting up https ssl certificates over multiple subdomains.
> > >
> > > The base domain (example.com) and the first subdomain (www.example.com) work beautifully:
> > >
> > > server {
> > > listen www.example.com:443 default;
> > > server_name www.example.com;
> > >
> > > ssl on;
> > > ssl_certificate /opt/local/nginx/certs/www.example.com.crt;
> > > ssl_certificate_key /opt/local/nginx/certs/www.example.com.key;
> > >
> > > location / {
> > > # ...
> > > }
> > > }
> > >
> > > server {
> > > listen www.example.com:80 default;
> > > server_name www.example.com;
> > >
> > > location / {
> > > # ...
> > > }
> > > }
> > >
> > > server {
> > > listen example.com:443;
> > > server_name example.com;
> > >
> > > ssl on;
> > > ssl_certificate /opt/local/nginx/certs/example.com.crt;
> > > ssl_certificate_key /opt/local/nginx/certs/example.com.key;
> > >
> > > rewrite ^/(.*) https://www.example.com/$1 permanent;
> > > }
> > >
> > > server {
> > > server_name example.com;
> > > rewrite ^/(.*) http://www.example.com/$1 permanent;
> > > }
> > >
> > > NOW, If the following is added, the correct SSL cert for api.example.com is not loaded before the redirect, the www.example.com cert is loaded instead:
> > >
> > > server {
> > > listen 127.0.0.1:443;
> > > server_name api.example.com api;
> > >
> > > ssl on;
> > > ssl_certificate /opt/local/nginx/certs/api.example.com.crt;
> > > ssl_certificate_key /opt/local/nginx/certs/api.example.com.key;
> > >
> > > rewrite ^/(.*) https://www.example.com/$1 permanent;
> > > }
> > >
> > > server {
> > > listen 127.0.0.1:80;
> > > server_name api.example.com api;
> > > rewrite ^/(.*) http://www.example.com/$1 permanent;
> > > }
> > >
> > >
> > > Any ideas on how to set up multiple SSL / HTTPS subdomains, each with their own cert in nginx?
> > >
> > > I've tried many conf variants. At this point, I'm suspecting it is a bug in nginx, but how would that be possible. =)
> >
> > 127.0.0.1 is loopback interface, do you connect to it from outside?
> >
> >
> > --
> > Igor Sysoev
> > http://sysoev.ru/en/
> >
>
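
Added example, not part of the original thread or of nginx: a small Python audit that groups the thread's SSL server blocks by listen address and reports which certificate a client that sends no SNI receives, since nginx must pick the certificate before it sees the Host header and uses the default server for that address:port. The names audit, SAMPLE_CONF and RESOLVED are hypothetical, and the address map is an assumption chosen to match the reported symptoms (www and api sharing one IP).

```python
import re
from collections import defaultdict

# Constructed sample: the three SSL server blocks from the thread, condensed.
SAMPLE_CONF = """
server {
    listen www.example.com:443 default;
    server_name www.example.com;
    ssl_certificate /opt/local/nginx/certs/www.example.com.crt;
}
server {
    listen example.com:443;
    server_name example.com;
    ssl_certificate /opt/local/nginx/certs/example.com.crt;
}
server {
    listen api.example.com:443;
    server_name api.example.com api;
    ssl_certificate /opt/local/nginx/certs/api.example.com.crt;
}
"""

# Assumed name-to-address map (documentation-range placeholders, not from the
# thread): www and api share one IP, the base domain has its own.
RESOLVED = {"www.example.com": "192.0.2.10", "api.example.com": "192.0.2.10",
            "example.com": "192.0.2.20"}

def audit(conf, resolved):
    """Map each ip:port to the cert served without SNI and the names it mismatches."""
    sockets = defaultdict(list)
    for block in re.findall(r"^server\s*\{(.*?)^\}", conf, re.S | re.M):
        d = {k: v.split() for k, v in
             re.findall(r"^\s*(listen|server_name|ssl_certificate)\s+([^;]+);", block, re.M)}
        if "listen" not in d or "ssl_certificate" not in d:
            continue  # not an SSL server block
        host, _, port = d["listen"][0].rpartition(":")
        addr = f"{resolved.get(host, host or '*')}:{port}"
        sockets[addr].append(("default" in d["listen"][1:],
                              d.get("server_name", []), d["ssl_certificate"][0]))
    report = {}
    for addr, servers in sockets.items():
        # An explicit default wins; otherwise the first server block on that socket.
        served = next((s for s in servers if s[0]), servers[0])[2]
        wrong = [n for _, names, cert in servers if cert != served for n in names]
        report[addr] = {"served": served, "mismatched_names": wrong}
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_CONF, RESOLVED))
```

Any socket with a non-empty mismatched_names list needs either a separate IP per certificate or SNI support on both the server build and the clients.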