Host header and SSL
Kamil Gorlo
kgs4242 at gmail.com
Thu Feb 16 23:18:58 UTC 2012
Hi,
in my setup Nginx is a load balancer to many different services, some
of them are using SSL (so Nginx is also SSL terminator in this case).
I have many different IPs and for every IP it happens to be more than
one domain (of course only in non-SSL situation).
So I am using virtual hosts heavily with http and since my backends
rely on Host header from user (it has to be correct) I have catch-all
section for not matching server_names. Something like this:
... (many different server sections with different server_names) ...
server {
    listen IP1:80 default_server;
    listen IP2:80 default_server;
    server_name _;
    return 444;   # close the connection without sending a response
}
But this technique simply does not work for SSL. As far as I understand
correctly there are two techniques to cope with my problem (to prevent
https requests with non-matching Host header from being served):
1. using if
server {
    listen IP3:443 ssl default_server;
    server_name some_host.com;
    ssl_certificate...
    if ($host != "some_host.com") {
        return 444;   # drop anything that is not for some_host.com
    }
    location / {
        ...
        proxy_set_header Host $host;   # safe
    }
}
2. using catch-all but slightly more complicated and weird:
server {
    listen IP3:443 ssl;
    server_name some_host.com;
    (no ssl_certificate section - it is in catch-all block)
    location / {
        ...
        proxy_set_header Host $host;   # safe because of catch-all below
    }
}
server {
    listen IP3:443 ssl default_server;
    server_name _;
    ssl_certificate...
    return 444;   # non-matching Host header ends up here
}
What do you think? Are both solutions equivalent? Which one is
preferred (more efficient, elegant)? Will it work?
Thanks for your help!
--
Kamil
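An added example, not part of the original post, showing the catch-all variant written out in full for one SSL listener: IP3, some_host.com, the certificate paths and the backend address are placeholders.

```nginx
# Added example, not from the original post. IP3, some_host.com, the
# certificate paths and the backend address are placeholders.

# Named vhost: only selected when the request's Host header (or the SNI
# name during the handshake) matches server_name.
server {
    listen IP3:443 ssl;
    server_name some_host.com;

    ssl_certificate     /etc/nginx/certs/some_host.com.crt;   # placeholder
    ssl_certificate_key /etc/nginx/certs/some_host.com.key;   # placeholder

    location / {
        proxy_pass http://127.0.0.1:8080;   # placeholder backend
        # $host is the Host header lowercased with any port stripped; it can
        # only be some_host.com in this block because of the catch-all below.
        proxy_set_header Host $host;
    }
}

# Catch-all for IP3:443: any request whose Host header matches no
# server_name on this listen address is routed here. The TLS handshake has
# already completed before the Host header is read, so this block still
# needs a certificate (here, or inherited from the http context) before
# 444 closes the connection without a response.
server {
    listen IP3:443 ssl default_server;
    server_name _;

    ssl_certificate     /etc/nginx/certs/some_host.com.crt;   # placeholder
    ssl_certificate_key /etc/nginx/certs/some_host.com.key;   # placeholder

    return 444;
}
```

Run `nginx -t` after editing to confirm that every `listen ... ssl` block resolves to a certificate.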