SSL behaviour with multiple server blocks for same port
Maxim Dounin
mdounin at mdounin.ru
Thu Jan 23 11:49:04 UTC 2014
Hello!
On Thu, Jan 23, 2014 at 11:17:42AM +0000, Pankaj Mehta wrote:
> Hi,
>
> I am struggling to get any documented reference for my problem in nginx
> docs. Hope someone can help before I delve into nginx code:
>
> I want to have multiple server blocks for the https port 443, they will
> serve different hostnames. Each block will have its own ssl configuration.
> For example:
>
> server {
> listen 443 ssl;
> server_name blah.xyz.com;
>
> ssl_protocols TLSv1;
> ssl_ciphers AES256-SHA:RC4-SHA;
> ssl_certificate /test/site1.cer;
> ssl_certificate_key /test/site1.key;
> ...
> }
>
> server {
> listen 443 ssl;
> server_name blah.xyz.com;
>
> ssl_protocols TLSv1;
> ssl_ciphers AES256-SHA:RC4-SHA;
> ssl_certificate /test/site2.cer;
> ssl_certificate_key /test/site2.key;
> ...
> }
>
> These blocks have different ssl certificates. I understand that if I enable
> SNI in nginx and the client supports it, then we have a predictable
> behaviour where nginx will use the correct ssl parameters from the server
> block corresponding to that hostname. But I have no idea which ssl config
> will be picked up when the client does not support SNI. Is it the one that
> comes first?
http://nginx.org/r/listen
Quote:
The default_server parameter, if present, will cause the server to
become the default server for the specified address:port pair. If
none of the directives have the default_server parameter then the
first server with the address:port pair will be the default server
for this pair.
> Also is the behaviour when SNI is disabled in nginx similar to
> when SNI is enabled in nginx but client doesn't support it?
Yes.
> Is there a way in nginx to dump the active configs for a port?
No.
--
Maxim Dounin
http://nginx.org/
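
The default-server rule quoted above from the listen documentation, applied to a configuration to show which certificate a client without SNI would be given. This is an added example, not part of the original thread and not nginx code; the sample configuration, hostnames and function names are constructed, and the tokenizer is a simplification (no quoted strings, no include files, a bare port is treated as *:port).

```python
import re

# Constructed sample config; hostnames and certificate paths are placeholders.
SAMPLE_CONF = """
server { listen 443 ssl;                server_name a.example.com; ssl_certificate /test/site1.cer; }
server { listen 443 ssl default_server; server_name b.example.com; ssl_certificate /test/site2.cer; }
server { listen 8443 ssl; server_name c.example.com; ssl_certificate /test/site3.cer; location / { return 404; } }
server { listen 8443 ssl; server_name d.example.com; ssl_certificate /test/site4.cer; }
"""

def parse_servers(conf):
    """Return one dict per server block: listen pairs, server names, certificate path."""
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", conf))
    servers, cur, depth, stmt = [], None, 0, []
    for tok in tokens:
        if tok == "{":
            depth += 1
            if cur is None and stmt == ["server"]:
                cur = {"depth": depth, "listen": [], "names": [], "cert": None}
        elif tok == "}":
            if cur is not None and depth == cur["depth"]:
                servers.append(cur)
                cur = None
            depth -= 1
        elif tok == ";":
            # Only directives directly inside the server block are recorded.
            if cur is not None and depth == cur["depth"] and stmt:
                name, args = stmt[0], stmt[1:]
                if name == "listen" and args:
                    addr = "*:" + args[0] if args[0].isdigit() else args[0]
                    cur["listen"].append((addr, "default_server" in args[1:]))
                elif name == "server_name":
                    cur["names"] = args
                elif name == "ssl_certificate" and args:
                    cur["cert"] = args[0]
        else:
            stmt.append(tok)
            continue
        stmt = []  # any of { } ; ends the current statement
    return servers

def default_servers(servers):
    """Map address:port -> server used when no SNI name is sent or matched."""
    chosen = {}
    for srv in servers:
        for addr, explicit in srv["listen"]:
            # First server wins unless a later one carries default_server.
            if addr not in chosen or (explicit and not chosen[addr][1]):
                chosen[addr] = (srv, explicit)
    return {addr: srv for addr, (srv, _) in chosen.items()}
```

Calling `default_servers(parse_servers(SAMPLE_CONF))` gives the block whose `ssl_certificate` is served on each address:port when the client sends no server name.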