Host header and SSL
Edho Arief
edho at myconan.net
Fri Feb 17 00:06:49 UTC 2012
On Fri, Feb 17, 2012 at 6:18 AM, Kamil Gorlo <kgs4242 at gmail.com> wrote:
>
> server {
>     listen IP1:80 default_server;
>     listen IP2:80 default_server;
>     server_name _;
>     return 444;
> }
>
> But this technique simply does not work for SSL. As far as I understand
> correctly there are two techniques to cope with my problem (to prevent
> https request with non-matching Host header to be served):
>
It should work (at least passes `nginx -t` in my test).
>
> 2. using catch-all but slightly more complicated and weird:
>
> server {
>     listen IP3:443 ssl;
>     server_name some_host.com;
>
>     # (no ssl_certificate section - it is in catch-all block)
>
>     location / {
>         ...
>         proxy_set_header Host $host; # safe because of catch-all below
>     }
> }
>
> server {
>     listen IP3:443 ssl default_server;
>     server_name _;
>
>     ssl_certificate...
>
>     return 444;
> }
>
Nothing weird or complicated in this one. It's the preferred method
but you need to specify ssl_certificate parameters on each server
block. I'm not sure how it behaves in a non-SNI environment though.
Alternatively, you can force passing some_host.com as the Host header
to your proxy:

    proxy_set_header Host some_host.com;
--
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
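
The catch-all arrangement discussed in this thread, written out as one complete configuration with ssl_certificate set in each server block. This is an added example, not part of the original message; the certificate paths and the upstream address are placeholders, and IP3 and some_host.com are the stand-ins used in the thread.

```nginx
# Added example. IP3 and some_host.com are the thread's stand-ins;
# certificate paths and the upstream address are placeholders.

# Catch-all: an HTTPS request on IP3:443 whose Host header matches
# no server_name is handled here and dropped.
server {
    listen IP3:443 ssl default_server;
    server_name _;

    # The TLS handshake completes before the Host header is read,
    # so this block needs a certificate of its own.
    ssl_certificate     /etc/nginx/ssl/PLACEHOLDER-catchall.crt;
    ssl_certificate_key /etc/nginx/ssl/PLACEHOLDER-catchall.key;

    return 444;   # close the connection without sending a response
}

# The real site: only requests with Host: some_host.com reach it.
server {
    listen IP3:443 ssl;
    server_name some_host.com;

    ssl_certificate     /etc/nginx/ssl/PLACEHOLDER-some_host.com.crt;
    ssl_certificate_key /etc/nginx/ssl/PLACEHOLDER-some_host.com.key;

    location / {
        proxy_pass http://127.0.0.1:8080;   # placeholder upstream

        # Every other Host value is absorbed by the default_server
        # block above, so $host is not attacker-chosen here.
        proxy_set_header Host $host;

        # Stricter alternative from the reply: pin the value instead.
        # proxy_set_header Host some_host.com;
    }
}
```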