Host header and SSL

Edho Arief edho at myconan.net
Fri Feb 17 00:06:49 UTC 2012


On Fri, Feb 17, 2012 at 6:18 AM, Kamil Gorlo <kgs4242 at gmail.com> wrote:
>
> server {
>  listen IP1:80 default_server;
>  listen IP2:80 default_server;
>  server_name _;
>  return 444;
> }
>
> But this technique simply does not work for SSL. As far as I understand,
> there are two techniques to cope with my problem (to prevent
> HTTPS requests with a non-matching Host header from being served):
>

It should work (at least passes `nginx -t` in my test).

>
> 2. using catch-all but slightly more complicated and weird:
>
> server {
>  listen IP3:443 ssl;
>  server_name some_host.com;
>
>  # no ssl_certificate section - it is in catch-all block
>
>  location / {
>    ...
>    proxy_set_header Host $host; # safe because of catch-all below
>  }
> }
>
> server {
>  listen IP3:443 ssl default_server;
>  server_name _;
>
>  ssl_certificate...
>
>  return 444;
> }
>

Nothing weird or complicated in this one. It's the preferred method,
but you need to specify ssl_certificate parameters in each server
block. I'm not sure how it behaves in a non-SNI environment, though.

Alternatively you can force passing some_host.com as the Host header
to your proxy:

proxy_set_header Host some_host.com;


-- 
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
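
Why the catch-all block makes `$host` safe to forward, as an added example that is not part of the original thread: a simplified Python model of how nginx picks a server block for one listen socket. It assumes exact `server_name` matches only (no wildcard or regex names); the `Server` class and the function names are hypothetical, and the sample blocks are constructed from the configuration quoted above.

```python
from dataclasses import dataclass

@dataclass
class Server:
    listen: str            # "address:port" from the listen directive
    names: tuple           # server_name values
    action: str            # "proxy" or "444" (close the connection)
    default: bool = False  # True when listen carries default_server

def normalize_host(host_header):
    """Approximate $host: lowercased Host header with the port stripped."""
    host = host_header.strip().lower()
    if host.startswith("["):              # bracketed IPv6 literal
        return host.split("]")[0] + "]"
    return host.split(":")[0]

def select_server(servers, listen, host_header):
    """Pick the block that handles a request arriving on `listen`."""
    candidates = [s for s in servers if s.listen == listen]
    if not candidates:
        return None
    host = normalize_host(host_header)
    for s in candidates:                  # 1. exact server_name match
        if host in s.names:
            return s
    for s in candidates:                  # 2. explicit default_server
        if s.default:
            return s
    return candidates[0]                  # 3. implicit default: first block

def upstream_host(servers, listen, host_header):
    """Value `proxy_set_header Host $host` would forward, or None if dropped."""
    s = select_server(servers, listen, host_header)
    if s is None or s.action == "444":
        return None
    return normalize_host(host_header)

# Constructed sample blocks mirroring the quoted configuration.
NAMED = Server("IP3:443", ("some_host.com",), "proxy")
CATCH_ALL = Server("IP3:443", ("_",), "444", default=True)

WITH_CATCH_ALL = [NAMED, CATCH_ALL]
WITHOUT_CATCH_ALL = [NAMED]   # the named block becomes the implicit default
```

Without the catch-all, the only block on the socket is the implicit default, so any Host value reaches the upstream through `$host`; with it, only `some_host.com` does.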


