SSL server_name support, single server block plain/SSL, et al in 0.8.x ?

merlin corey merlincorey at dc949.org
Mon Jul 13 11:17:02 MSD 2009


Hello,

I had a long chat with a user in the IRC channel about SSL in nginx.
Initially, it started out talking about hosting multiple domains with
SSL on the same address.  They pointed me to
http://tools.ietf.org/html/rfc4366#section-3.1 which seems fairly
straightforward and I am curious if there is interest in this or if
Igor plans to implement it at some point in future anyway.

Also, through talking with him, he showed me his idea for how the SSL
support should work.  It went more or less like this:

ssl_certificate      /etc/ssl/custom/supercatchall.crt;
ssl_certificate_key  /etc/ssl/custom/supercatchall.key;
server {
  listen 80;
  listen 443;
  if(port = 443) {
    ssl on;
  }
  ... normal server config ...
}
... repeated for several servers apparently on same IP ...

I tried to talk him out of using if and into using a separate server block
for ports 443 and 80 for each server, and just including common
configuration.  Apparently, this does not currently work, but it seems
it should be more or less usable; I think he was having problems with
using default ssl in the listen line, and nginx would not bind multiple
times.  At any rate, he also complained about the "roundabout
redundancy" of the config.  That got me to thinking, would something
like the following be desirable, and how difficult to implement would
it be?

server {
  listen 80;
  listen 443;
  ssl on 443;
  ... normal server config ...
}

My gut instinct tells me this would be a lot more work than simply
allowing multiple SSL hosts per IP address, but it does seem to have a
nice ring to it, this late in the day.

So to summarize, I am curious if 0.8.x is planned to support multiple
SSL hosts per IP, if that feature is even desired by anyone (or maybe
other ways to do it, in case I see this problem again!), and finally
anyone and everyone's thoughts on the above syntax to unify config for
SSL and non-SSL (you could still use separate blocks if the
configuration is not exactly the same for plain and SSL, of course).

Thanks,
Merlin
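
The RFC 4366 section 3.1 extension referenced in the message is what lets a server choose a certificate per host name on a shared address. The following is an added example, not part of the original message and not nginx code: it parses the server_name extension from a ClientHello extensions block and falls back to a default certificate when the client sends none. All function names, host names and certificate file names are assumptions, and the sample input is constructed.

```python
import struct

SERVER_NAME_EXT = 0  # ExtensionType server_name(0)
HOST_NAME = 0        # NameType host_name(0)

def parse_server_name_list(data):
    """Decode a ServerNameList (RFC 4366 section 3.1) into host names."""
    if len(data) < 2 or struct.unpack_from("!H", data)[0] != len(data) - 2:
        raise ValueError("bad ServerNameList length")
    names, pos = [], 2
    while pos < len(data):
        if pos + 3 > len(data):
            raise ValueError("truncated ServerName entry")
        name_type, name_len = struct.unpack_from("!BH", data, pos)
        pos += 3
        if pos + name_len > len(data):
            raise ValueError("HostName overruns the list")
        if name_type == HOST_NAME:
            names.append(data[pos:pos + name_len].decode("ascii").lower())
        pos += name_len
    return names

def find_sni(extensions):
    """Return the first host_name in a ClientHello extensions block, or None."""
    if len(extensions) < 2:
        return None  # client sent no extensions at all
    pos = 2  # skip the 2-byte total length of the block
    while pos + 4 <= len(extensions):
        ext_type, ext_len = struct.unpack_from("!HH", extensions, pos)
        pos += 4
        if pos + ext_len > len(extensions):
            raise ValueError("extension overruns the block")
        if ext_type == SERVER_NAME_EXT:
            names = parse_server_name_list(extensions[pos:pos + ext_len])
            return names[0] if names else None
        pos += ext_len
    return None

def select_certificate(extensions, certs, default):
    """Pick a certificate by SNI; clients that send none get the default."""
    return certs.get(find_sni(extensions), default)

def build_extensions(host):
    """Constructed sample input: max_fragment_length, then server_name."""
    name = host.encode("ascii")
    entry = struct.pack("!BH", HOST_NAME, len(name)) + name
    sni = struct.pack("!H", len(entry)) + entry
    exts = struct.pack("!HHB", 1, 1, 1)  # unrelated extension to skip over
    exts += struct.pack("!HH", SERVER_NAME_EXT, len(sni)) + sni
    return struct.pack("!H", len(exts)) + exts
```

A client that omits the extension can only ever be served the default certificate, which is why a catch-all certificate is still needed alongside per-host ones.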