Issue with SNI/SSL and default_server
Igor Sysoev
igor at sysoev.ru
Tue Aug 28 05:15:42 UTC 2012
On Aug 21, 2012, at 16:58 , Jordi Boggiano wrote:
> Heya,
>
> I have a server with two domains using SSL on one IP via SNI. So far so
> good, but the problem is that one of the sites is marked as
> default_server to catch all (then I do a redirect to the proper domain,
> I left out some parts of the config below for conciseness).
>
> The problem is, if you have a ssl server marked as default_server, it
> seems to take over everything else, and domainb.com is not reachable via
> SSL anymore.
>
> server {
>     listen 80 default_server;
>     server_name domaina.com <ip>;
> }
>
> server {
>     listen 443 ssl default_server;
>     server_name domaina.com <ip>;
> }
>
> server {
>     listen 80;
>     server_name domainb.com;
> }
>
> server {
>     listen 443 ssl;
>     server_name domainb.com <ip>;
> }
>
> The workaround I found is the following: I put the IP in the
> server_name, and therefore can remove the default_server flag from the
> ssl server (it's not completely equivalent, but close enough for my
> purposes). The problem is that it needs the server public IP in, which
> isn't ideal to have generic vhost templates in puppet:
>
> server {
>     listen 80 default_server;
>     server_name domaina.com <ip>;
> }
>
> server {
>     listen 443 ssl;
>     server_name domaina.com <ip>;
> }
>
> server {
>     listen 80;
>     server_name domainb.com;
> }
>
> server {
>     listen 443 ssl;
>     server_name domainb.com <ip>;
> }
>
> I am not sure whether this is a bug or an expected feature, which is why
> I am writing here.
These configurations should be equal from nginx's point of view,
since the first server becomes default_server anyway. Probably
the real configuration does not correspond to them.
--
Igor Sysoev
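
Added example, not part of the original message and not nginx code: a simplified Python model of nginx's documented server selection (a matching server_name, else the block flagged default_server, else the first block on that port), run over both quoted configurations. It assumes exact-name matching only, and the function names are hypothetical.

```python
# Added illustration, not nginx source: a simplified model of how nginx picks
# the server block for one listen port. Only exact server_name matches are
# modelled (no wildcard or regex names); function names are hypothetical.

def parse_servers(blocks):
    """blocks: (listen arguments, server_name arguments) in config-file order."""
    servers = []
    for listen, names in blocks:
        port, *flags = listen.split()
        servers.append({"port": int(port),
                        "default": "default_server" in flags,
                        "names": names.split()})
    return servers

def select_server(servers, port, name):
    """Index of the block serving `name` (SNI or Host) on `port`; None = no name sent."""
    candidates = [(i, s) for i, s in enumerate(servers) if s["port"] == port]
    if not candidates:
        return None
    for i, s in candidates:          # 1. first block whose server_name matches
        if name is not None and name in s["names"]:
            return i
    for i, s in candidates:          # 2. block flagged default_server
        if s["default"]:
            return i
    return candidates[0][0]          # 3. implicit default: first block on the port

# The two configurations from the quoted message; "<ip>" is kept as the
# literal placeholder used there.
WITH_FLAG = parse_servers([
    ("80 default_server", "domaina.com <ip>"),
    ("443 ssl default_server", "domaina.com <ip>"),
    ("80", "domainb.com"),
    ("443 ssl", "domainb.com <ip>"),
])
WITHOUT_FLAG = parse_servers([
    ("80 default_server", "domaina.com <ip>"),
    ("443 ssl", "domaina.com <ip>"),
    ("80", "domainb.com"),
    ("443 ssl", "domainb.com <ip>"),
])

def compare(port=443, names=("domaina.com", "domainb.com", "<ip>", "other.example", None)):
    """Map each requested name to (block index with flag, block index without)."""
    return {n: (select_server(WITH_FLAG, port, n), select_server(WITHOUT_FLAG, port, n))
            for n in names}

if __name__ == "__main__":
    for name, picked in compare().items():
        print(name, picked)
```

Under this model every name on port 443 lands on the same block in both configurations, and domainb.com reaches its own block in each.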