SSL behaviour with multiple server blocks for same port

Maxim Dounin mdounin at mdounin.ru
Thu Jan 23 11:49:04 UTC 2014


Hello!

On Thu, Jan 23, 2014 at 11:17:42AM +0000, Pankaj Mehta wrote:

> Hi,
> 
> I am struggling to get any documented reference for my problem in nginx
> docs. Hope someone can help before I delve into nginx code:
> 
> I want to have multiple server blocks for the https port 443, they will
> serve different hostnames. Each block will have its own ssl configuration.
> For example:
> 
> server {
>   listen 443 ssl;
>   server_name blah.xyz.com;
> 
>   ssl_protocols TLSv1;
>   ssl_ciphers AES256-SHA:RC4-SHA;
>   ssl_certificate /test/site1.cer;
>   ssl_certificate_key /test/site1.key;
>   ...
> }
> 
> server {
>   listen 443 ssl;
>   server_name blah.xyz.com;
> 
>   ssl_protocols TLSv1;
>   ssl_ciphers AES256-SHA:RC4-SHA;
>   ssl_certificate /test/site2.cer;
>   ssl_certificate_key /test/site2.key;
>   ...
> }
> 
> These blocks have different ssl certificates. I understand that if I enable
> SNI in nginx and the client supports it, then we have a predictable
> behaviour where nginx will use the correct ssl parameters from the server
> block corresponding to that hostname. But I have no idea which ssl config
> will be picked up when the client does not support SNI. Is it the one that
> comes first?

http://nginx.org/r/listen

Quote:

The default_server parameter, if present, will cause the server to 
become the default server for the specified address:port pair. If 
none of the directives have the default_server parameter then the 
first server with the address:port pair will be the default server 
for this pair.

> Also is the behaviour when SNI is disabled in nginx similar to
> when SNI is enabled in nginx but client doesn't support it?

Yes.

> Is there a way in nginx to dump the active configs for a port?

No.

-- 
Maxim Dounin
http://nginx.org/
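An added illustration of the selection rule quoted above (not code from the thread or from nginx): a deliberately simplified parser for server blocks, a constructed sample config with distinct hostnames, and a function that returns the block, and so the certificate, a client reaches on a port, with or without SNI and with SNI disabled on the server side.

```python
"""Which nginx server block answers a TLS handshake on a given port?
Rule from the listen docs: the block with default_server wins, otherwise the
first block listening on that address:port. Added example, not nginx code;
the parser only understands flat server blocks with the directives below."""
import re
from dataclasses import dataclass

# Constructed sample config (hostnames and paths are made up for this example).
SAMPLE_CONF = """
server {
  listen 443 ssl;
  server_name site1.example.com;
  ssl_certificate /test/site1.cer;
}
server {
  listen 443 ssl default_server;
  server_name site2.example.com;
  ssl_certificate /test/site2.cer;
}
server {
  listen 8443 ssl;
  server_name other.example.com;
  ssl_certificate /test/other.cer;
}
"""

@dataclass
class Server:
    ports: dict   # port -> True when default_server was given on that listen
    names: list   # exact server_name values (wildcards not handled here)
    cert: str

def parse(conf):
    servers = []
    for body in re.findall(r"server\s*\{(.*?)\}", conf, re.S):  # no nested blocks
        srv = Server({}, [], "")
        for line in body.strip().splitlines():
            parts = line.strip().rstrip(";").split()
            if not parts:
                continue
            if parts[0] == "listen":   # accepts "443", "0.0.0.0:443", "[::]:443"
                srv.ports[int(parts[1].rsplit(":", 1)[-1])] = "default_server" in parts[2:]
            elif parts[0] == "server_name":
                srv.names = parts[1:]
            elif parts[0] == "ssl_certificate":
                srv.cert = parts[1]
        servers.append(srv)
    return servers

def default_server(servers, port):
    """default_server flag first; else first block on the port; else None."""
    on_port = [s for s in servers if port in s.ports]
    return ([s for s in on_port if s.ports[port]] or on_port or [None])[0]

def select(servers, port, sni=None, sni_enabled=True):
    """Block used for a handshake. A usable SNI name picks its block; no SNI,
    an unknown name, or SNI disabled in nginx all fall back to the default."""
    if sni and sni_enabled:
        for s in servers:
            if port in s.ports and sni in s.names:
                return s
    return default_server(servers, port)
```

On a live server the same two cases can be observed with `openssl s_client -connect host:443` (no SNI) versus `openssl s_client -connect host:443 -servername name` and comparing the presented certificate.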