Issue with SNI/SSL and default_server

Jordi Boggiano j.boggiano at seld.be
Tue Aug 21 12:58:37 UTC 2012


Heya,

I have a server with two domains using SSL on one IP via SNI. So far so
good, but the problem is that one of the sites is marked as
default_server to catch all (then I do a redirect to the proper domain,
I left out some parts of the config below for conciseness).

The problem is, if you have an SSL server marked as default_server, it
seems to take over everything else, and domainb.com is not reachable via
SSL anymore.

server {
    listen 80 default_server;
    server_name domaina.com <ip>;
}

server {
    listen 443 ssl default_server;
    server_name domaina.com <ip>;
}

server {
    listen 80;
    server_name domainb.com;
}

server {
    listen 443 ssl;
    server_name domainb.com <ip>;
}

The workaround I found is the following: I put the IP in the
server_name, and therefore can remove the default_server flag from the
SSL server (it's not completely equivalent, but close enough for my
purposes). The problem is that it needs the server's public IP in it, which
isn't ideal for having generic vhost templates in Puppet:

server {
    listen 80 default_server;
    server_name domaina.com <ip>;
}

server {
    listen 443 ssl;
    server_name domaina.com <ip>;
}

server {
    listen 80;
    server_name domainb.com;
}

server {
    listen 443 ssl;
    server_name domainb.com <ip>;
}

I am not sure whether this is a bug or an expected feature, which is why
I am writing here.

Cheers

-- 
Jordi Boggiano
@seldaek - http://nelm.io/jordi
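
The server selection rule nginx documents for a listen port, modelled over the two configurations in the post as an added example (not code from the post or from nginx): the name a client sends (SNI, then the Host header) is matched against server_name, otherwise the explicit default_server is used, otherwise the first block on that port. Only exact names are modelled; 192.0.2.10 is a constructed stand-in for `<ip>`, and `parse_servers`, `select_server` and `report` are hypothetical helper names.

```python
# Added example: models nginx's documented name-based server selection
# (exact server_name match only; wildcard and regex names are not modelled).
import re

IP = "192.0.2.10"  # constructed placeholder standing in for <ip> in the post

FIRST_CONFIG = """
server { listen 80 default_server;      server_name domaina.com <ip>; }
server { listen 443 ssl default_server; server_name domaina.com <ip>; }
server { listen 80;                     server_name domainb.com; }
server { listen 443 ssl;                server_name domainb.com <ip>; }
"""
WORKAROUND_CONFIG = FIRST_CONFIG.replace("443 ssl default_server", "443 ssl")

def parse_servers(text):
    """Return one dict per server block: port, default flag, names."""
    servers = []
    for body in re.findall(r"server\s*\{(.*?)\}", text, re.S):
        listen = re.search(r"listen\s+([^;]+);", body).group(1).split()
        names = re.search(r"server_name\s+([^;]+);", body).group(1).split()
        servers.append({"port": int(listen[0]),
                        "default": "default_server" in listen,
                        "names": [n.replace("<ip>", IP) for n in names]})
    return servers

def select_server(servers, port, name):
    """Pick the block used for `name` (SNI or Host) on `port`.

    `name` is None for a client that sends no SNI. Returns (block, reason).
    """
    on_port = [s for s in servers if s["port"] == port]
    for s in on_port:                      # first block listing the name wins
        if name is not None and name in s["names"]:
            return s, "server_name match"
    for s in on_port:                      # explicit default for this port
        if s["default"]:
            return s, "default_server"
    return on_port[0], "first block on port"  # implicit default

def report(text, port=443):
    """Map each probe name to (first server_name of chosen block, reason)."""
    servers = parse_servers(text)
    probes = ("domainb.com", IP, "unknown.example", None)
    return {n: (select_server(servers, port, n)[0]["names"][0],
                select_server(servers, port, n)[1]) for n in probes}

if __name__ == "__main__":
    for label, cfg in (("first", FIRST_CONFIG), ("workaround", WORKAROUND_CONFIG)):
        print(label, report(cfg))
```

In both configurations a client that sends no SNI lands on the same block as an unknown name, and the `<ip>` name listed in two 443 blocks resolves to the first of them.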
