Wrong Vhost being followed when using SSL

mike mike503 at gmail.com
Sun Jan 11 23:15:17 MSK 2009


On Sun, Jan 11, 2009 at 6:29 AM, James Riley <lists at ruby-forum.com> wrote:

> * For the domains on port 443, why are they following the first server
> block that is listening to that port, ignoring the fact that the domain
> is not listed in 'server_name'?

I had the same issue, although I thought it was due to maybe the load
balancing in front of my server. I thought name-based SSL was usable
by now, and I thought I had my cert wrong :)

When looking at the nginx debug log, it seems to negotiate the SSL
conversation first, and then it gets the Host: header after. So it
made sense. However, to get the SSL conversation properly processed it
has to be the right SSL cert; typically SSL requires one IP per cert,
but I believe you can do name-based SSL now. However, I don't think
it's supported enough...

"Server Name Indication (SNI), as described in section 3.1 of the
RFC3546, is a TLS extension which makes the configuration of
SSL-enabled name-based virtual hosts possible." [1]

It does appear that the SSL gods have wised up - no more wasting
IPs, hopefully, and with a new protocol/extensions to existing ones it
may be possible. I haven't found out yet browser compatibility/etc,
and then of course I don't think nginx supports it yet. However, if it
does have wide compatibility, this would definitely be something to
request for nginx (I could use it right now!)

[1] for example,
http://www.g-loaded.eu/2007/08/10/ssl-enabled-name-based-apache-virtual-hosts-with-mod_gnutls/
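As an added illustration (not code from this thread or from nginx): the server_name extension travels inside the TLS ClientHello, before any certificate is sent and long before the HTTP Host: header, which is why a server that reads it can pick the right certificate for a name-based vhost. The script builds a constructed ClientHello with and without SNI, parses the extension back out, and then chooses a server block the way the thread describes: exact server_name match when SNI is present, otherwise the default (or first-listed) server block. The byte layout follows RFC 3546 section 3.1; the vhost table and certificate file names are made up.

```python
import struct
SNI_EXT = 0  # TLS extension type server_name (RFC 3546 section 3.1)

def build_client_hello(sni=None):
    """Constructed minimal TLS ClientHello (not a real capture); sni=None omits the extension."""
    body = b"\x03\x03" + bytes(32) + b"\x00"      # version, random, empty session_id
    body += b"\x00\x02\xc0\x2f" + b"\x01\x00"     # one cipher suite, null compression
    exts = b""
    if sni is not None:
        entry = struct.pack("!BH", 0, len(sni)) + sni.encode("ascii")   # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", SNI_EXT, len(sni_list)) + sni_list
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body        # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs   # record type 22 = handshake

def extract_sni(record):
    """Return the server_name sent in a ClientHello, or None when the client sent no SNI."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    p = 5 + 4 + 2 + 32                                  # record hdr, handshake hdr, version, random
    p += 1 + record[p]                                  # session_id
    p += 2 + struct.unpack_from("!H", record, p)[0]     # cipher_suites
    p += 1 + record[p]                                  # compression_methods
    if p >= len(record):
        return None                                     # no extensions block at all (older clients)
    end = p + 2 + struct.unpack_from("!H", record, p)[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack_from("!HH", record, p)
        if etype == SNI_EXT:   # data: list length (2), name_type (1), name length (2), name
            nlen = struct.unpack_from("!H", record, p + 7)[0]
            return record[p + 9:p + 9 + nlen].decode("ascii")
        p += 4 + elen
    return None

def select_vhost(sni, servers):
    """Exact server_name match when SNI is present, else the default (or first-listed) block."""
    default = next((s for s in servers if s.get("default")), servers[0])
    if sni is None:
        return default
    return next((s for s in servers if sni.lower() in s["names"]), default)

if __name__ == "__main__":
    vhosts = [{"names": {"a.example.com"}, "cert": "a.crt"},      # hypothetical vhost table
              {"names": {"b.example.com"}, "cert": "b.crt"}]
    for sni in (None, "b.example.com"):
        print(sni, "->", select_vhost(extract_sni(build_client_hello(sni)), vhosts)["cert"])
```

A client without SNI always lands on the first (or default_server) block, which is exactly the symptom the thread describes, so the defensive move is to make that block an explicit catch-all rather than whichever vhost happens to be listed first.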