SSL server_name support, single server block plain/SSL, et al in 0.8.x ?
Igor Sysoev
is at rambler-co.ru
Mon Jul 13 12:07:21 MSD 2009
On Mon, Jul 13, 2009 at 12:17:02AM -0700, merlin corey wrote:
> Hello,
>
> I had a long chat with a user in the IRC channel about SSL in nginx.
> Initially, it started out talking about hosting multiple domains with
> SSL on the same address. They pointed me to
> http://tools.ietf.org/html/rfc4366#section-3.1 which seems fairly
> straightforward and I am curious if there is interest in this or if
> Igor plans to implement it at some point in future anyway.
nginx has supported SNI since 0.5.23. You just need OpenSSL built with
SNI support. The main issue, however, is browsers: MSIE 6 and Windows XP
do not support SNI, and MSIE 6 is still in use:
http://weblogs.mozillazine.org/asa/archives/2009/07/internet_explorer_6.html
> Also, through talking with him, he showed me his idea for how the SSL
> support should work. It went more or less like this:
>
> ssl_certificate /etc/ssl/custom/supercatchall.crt;
> ssl_certificate_key /etc/ssl/custom/supercatchall.key;
> server {
>     listen 80;
>     listen 443;
>     if(port = 443) {
>         ssl on;
>     }
>     ... normal server config ...
> }
> ... repeated for several servers apparently on same IP ...
>
> I tried to talk him out of using if and using a separate server block
> for 443 and 80 ports for each server, and just including common
> configuration. Apparently, this does not currently work, but it seems
> it should be more or less usable, I think he was having problems with
> using default ssl in the listen line and NginX would not bind multiple
> times. At any rate, he also complained about the "roundabout
> redundancy" of the config. That got me to thinking, would something
> like the following be desirable, and how difficult to implement would
> it be?
>
> server {
>     listen 80;
>     listen 443;
>     ssl on 443;
>     ... normal server config ...
> }
>
> My gut instinct tells me this would be a lot more work than simply
> allowing multiple SSL hosts per IP address, but it does seem to have a
> nice ring to it, this late in the day.
>
> So to summarize, I am curious if 0.8.x is planned to support multiple
> SSL hosts per IP, if that feature is even desired by anyone (or maybe
> other ways to do it, in case I see this problem again!), and finally
> anyone and everyone's thoughts on the above syntax to unify config for
> SSL and non SSL (you could still use separate blocks if the
> configuration is not exactly the same for plain and SSL, of course).
Since 0.7.14 you can use:
server {
    listen 80;
    listen 443 default ssl;
    ...
--
Igor Sysoev
http://sysoev.ru/en/
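The thread turns on the server_name extension from RFC 4366 section 3.1 and on clients such as MSIE 6 on Windows XP that never send it. The following is an added example, not code from this thread or from nginx: it parses the server_name out of a TLS ClientHello and returns None when the extension is absent, which is exactly the case where a name-based SSL server has to fall back to its default certificate. The ClientHello bytes are constructed by the helper in the example, not captured from a real client.

```python
def parse_sni(client_hello: bytes):
    """Return host_name from a ClientHello handshake message, or None if the
    client sent no server_name extension (RFC 4366 section 3.1)."""
    if len(client_hello) < 4 or client_hello[0] != 0x01:  # HandshakeType 1
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(client_hello[1:4], "big")
    body = client_hello[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                  # client_version + random
    sid_len = body[pos]; pos += 1 + sid_len       # session_id<0..32>
    cs_len = int.from_bytes(body[pos:pos + 2], "big"); pos += 2 + cs_len
    cm_len = body[pos]; pos += 1 + cm_len         # compression_methods
    if pos >= len(body):
        return None   # no extensions block at all: a pre-SNI client
    ext_len = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type = int.from_bytes(body[pos:pos + 2], "big")
        ext_size = int.from_bytes(body[pos + 2:pos + 4], "big")
        data = body[pos + 4:pos + 4 + ext_size]
        pos += 4 + ext_size
        if ext_type != 0:                         # 0 = server_name
            continue
        # ServerNameList: list_len(2), then name_type(1) name_len(2) name
        list_len = int.from_bytes(data[0:2], "big")
        p = 2
        while p + 3 <= 2 + list_len:
            name_type = data[p]
            name_len = int.from_bytes(data[p + 1:p + 3], "big")
            name = data[p + 3:p + 3 + name_len]
            p += 3 + name_len
            if name_type == 0:                    # host_name
                return name.decode("ascii")
    return None


def build_client_hello(server_name=None) -> bytes:
    """Constructed minimal TLS 1.0 ClientHello for testing (not a capture)."""
    body = b"\x03\x01" + b"\x00" * 32 + b"\x00"  # version, random, no session
    body += b"\x00\x02\x00\x2f"                   # one cipher suite
    body += b"\x01\x00"                           # null compression only
    if server_name is not None:                   # SNI-capable client
        host = server_name.encode("ascii")
        entry = b"\x00" + len(host).to_bytes(2, "big") + host
        sni = len(entry).to_bytes(2, "big") + entry
        ext = (0).to_bytes(2, "big") + len(sni).to_bytes(2, "big") + sni
        body += len(ext).to_bytes(2, "big") + ext
    return b"\x01" + len(body).to_bytes(3, "big") + body
```

A server that selects a certificate by the returned name still needs the default-certificate path for the None case, which is what the MSIE 6 remark above is about.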