Issue with VirtualHost definition order and SNI SSL

Igor Sysoev is at rambler-co.ru
Fri Oct 9 23:12:20 MSD 2009


On Fri, Oct 09, 2009 at 11:22:29AM -0700, Linmiao Xu wrote:

> When running SSL on more than one virtual host (one IP), I get a weird issue
> when virtual hosts are defined in different orders. One virtual host is a
> TLD (example.com), and one is an alias I set in /etc/hosts (alias). Both use
> their own certificates and work fine when I define them in this order:
> 
> include /etc/nginx/vhosts/ssl_example.com.conf;
> include /etc/nginx/vhosts/ssl_alias.conf;
> 
> But when I reverse the order, both hosts try to use (alias)'s certificate,
> so I get an ssl warning when trying to connect to (example.com).
> 
> In both cases, I use "listen 443" and server_name is set as (example.com)
> and (alias). I don't listen on 443 except in virtual hosts, all with
> server_name defined. When I use "listen 443 default ssl" instead of "listen
> 443" for (example.com), this problem goes away. It looks like nginx takes
> the first virtual host that listens on 443 if I try to connect to the server
> on a host that isn't listening on 443.

Yes, nginx uses the first server for a given listen pair if no explicit
default server is defined for the listen pair.

> But I still don't understand.. both of the above are valid hosts, so why
> does the order in which I include the virtual hosts cause different results?

Are you sure that nginx was built with SNI support ?
What browsers and nginx versions do you use ?


-- 
Igor Sysoev
http://sysoev.ru/en/





More information about the nginx mailing list