How to force SNI only connections, or have a fallback non-SNI server?

Igor Sysoev igor at sysoev.ru
Wed Jul 14 20:49:16 MSD 2010


On Wed, Jul 14, 2010 at 01:17:57PM -0300, Tiago Freire wrote:

> I was hoping that there would be a configuration option on nginx to either:
> 1) give a 403 error - or whatever error is best fit - when it detects
> non-SNI SSL handshake; or
> 2) redirect non-SNI SSL handshake traffic to a different virtual server.
> 
> Is this list the best place to suggest nginx features?

I do not understand the reason why do you want to detect non-SNI connections.

If you want to avoid browser message about inappropriate certificate, then
this is not allowed by SSL protocol: before nginx may show 403 error or
send redirect to a client, the client must to establish SSL connection.
And certificate is indispensable thing during this process.

If you want to show 403 error or send redirect AFTER browser has shown
a message about inappropriate certificate, then you may try this configuration:

     server {
         listen           443 default;
         server_name      _;
         ssl              on;
         ssl_certificate  dummy.name.cert;
         return           403;
     }

     server {
         listen           443;
         server_name      www.one.site;
         ssl              on;
         ssl_certificate  one.site.cert;
         ...
     }

     server {
         listen           443;
         server_name      www.two.site;
         ssl              on;
         ssl_certificate  two.site.cert;
         ...
     }

     server {
         listen           443;
         server_name      www.three.site;
         ssl              on;
         ssl_certificate  three.site.cert;
         ...
     }

Non-SNI browsers will always get dummy.name.cert, show the message,
and get 403 error.
SNI-enabled browsers will get appropriate certificate and will go
to appropriate site.

> On Wed, Jul 14, 2010 at 4:30 AM, Igor Sysoev <igor at sysoev.ru> wrote:
> 
> > On Tue, Jul 13, 2010 at 04:58:16PM -0300, Tiago Freire wrote:
> >
> > > Hi,
> > >
> > > I have heard about nginx before, and I am now considering to use it for
> > > several reasons, perfomance is one of them.
> > >
> > > I have to put several servers with EV certificates behind a single IP
> > > though, and I noticed nginx supports SNI.
> > >
> > > I know that not all browsers support SNI, but we are developing web
> > > applications where we can give ourselves the luxury of being a bit picky
> > > about browser support.
> > >
> > > What was not clear in the documentation was: does enabling SNI support
> > > forces all connections to be SNI, or old browsers will still 'work'?
> > > I understood that old browsers would only be able to go to the default
> > > server.
> > >
> > > If running with SNI still accepts old browsers, is there a configuration
> > > option to force SNI-only connections?
> > >
> > > Otherwise, is there any way to segregate SNI and non-SNI connections and
> > > send them to different servers?
> >
> > Regardless of server SNI support, old browsers get always certificate
> > of default server and they complain if a server name does not match
> > a certificate's server name. Theoretically after this you may redirect
> > them to an other server, but it's too late from user point of view.
> >
> >
> > --
> > Igor Sysoev
> > http://sysoev.ru/en/
> >
> > _______________________________________________
> > nginx mailing list
> > nginx at nginx.org
> > http://nginx.org/mailman/listinfo/nginx
> >
> 
> 
> 
> -- 
> -----
> Tiago Mikhael Pastorello Freire a.k.a. Brazilian Joe

> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://nginx.org/mailman/listinfo/nginx


-- 
Igor Sysoev
http://sysoev.ru/en/



More information about the nginx mailing list