SSL server_name support, single server block plain/SSL, et al in 0.8.x ?

Almir Karic almir at almirkaric.com
Mon Jul 13 11:53:41 MSD 2009


You can't do multiple SSL hosts on an IP :-), as you can see on the
top of the document you linked to that is for TLS. Nginx already knows
SNI. IIRC the issue is if the client supports SNI.

As for the if(), you don't need it:
http://serverfault.com/questions/10854/nginx-https-serving-with-same-config-as-http
:-)


python/django hacker & sys admin
http://almirkaric.com & http://twitter.com/redduck666



On Mon, Jul 13, 2009 at 12:17 AM, merlin corey <merlincorey at dc949.org> wrote:
> Hello,
>
> I had a long chat with a user in the IRC channel about SSL in nginx.
> Initially, it started out talking about hosting multiple domains with
> SSL on the same address.  They pointed me to
> http://tools.ietf.org/html/rfc4366#section-3.1 which seems fairly
> straightforward and I am curious if there is interest in this or if
> Igor plans to implement it at some point in future anyway.
>
> Also, through talking with him, he showed me his idea for how the SSL
> support should work.  It went more or less like this:
>
> ssl_certificate      /etc/ssl/custom/supercatchall.crt;
> ssl_certificate_key  /etc/ssl/custom/supercatchall.key;
> server {
>  listen 80;
>  listen 443;
>  if(port = 443) {
>    ssl on;
>  }
>  ... normal server config ...
> }
> ... repeated for several servers apparently on same IP ...
>
> I tried to talk him out of using if and using a separate server block
> for 443 and 80 ports for each server, and just including common
> configuration.  Apparently, this does not currently work, but it seems
> it should be more or less usable, I think he was having problems with
> using default ssl in the listen line and NginX would not bind multiple
> times.  At any rate, he also complained about the "roundabout
> redundancy" of the config.  That got me to thinking, would something
> like the following be desirable, and how difficult to implement would
> it be?
>
> server {
>  listen 80;
>  listen 443;
>  ssl on 443;
>  ... normal server config ...
> }
>
> My gut instinct tells me this would be a lot more work than simply
> allowing multiple SSL hosts per IP address, but it does seem to have a
> nice ring to it, this late in the day.
>
> So to summarize, I am curious if 0.8.x is planned to support multiple
> SSL hosts per IP, if that feature is even desired by anyone (or maybe
> other ways to do it, in case I see this problem again!), and finally
> anyone and everyone's thoughts on the above syntax to unify config for
> SSL and non SSL (you could still use separate blocks if the
> configuration is not exactly the same for plain and SSL, of course).
>
> Thanks,
> Merlin
>
>




