SSL behaviour with multiple server blocks for same port

Pankaj Mehta mehta.pankaj at gmail.com
Fri Jan 24 11:22:49 UTC 2014


Thanks Maxim, very helpful.

Pankaj


On 23 January 2014 11:49, Maxim Dounin <mdounin at mdounin.ru> wrote:

> Hello!
>
> On Thu, Jan 23, 2014 at 11:17:42AM +0000, Pankaj Mehta wrote:
>
> > Hi,
> >
> > I am struggling to get any documented reference for my problem in nginx
> > docs. Hope someone can help before I delve into nginx code:
> >
> > I want to have multiple server blocks for the https port 443, they will
> > serve different hostnames. Each block will have its own ssl configuration.
> > For example:
> >
> > server {
> >   listen 443 ssl;
> >   server_name blah.xyz.com;
> >
> >   ssl_protocols TLSv1;
> >   ssl_ciphers AES256-SHA:RC4-SHA;
> >   ssl_certificate /test/site1.cer;
> >   ssl_certificate_key /test/site1.key;
> >   ...
> > }
> >
> > server {
> >   listen 443 ssl;
> >   server_name blah.xyz.com;
> >
> >   ssl_protocols TLSv1;
> >   ssl_ciphers AES256-SHA:RC4-SHA;
> >   ssl_certificate /test/site2.cer;
> >   ssl_certificate_key /test/site2.key;
> >   ...
> > }
> >
> > These blocks have different ssl certificates. I understand that if I enable
> > SNI in nginx and the client supports it, then we have a predictable
> > behaviour where nginx will use the correct ssl parameters from the server
> > block corresponding to that hostname. But I have no idea which ssl config
> > will be picked up when the client does not support SNI. Is it the one that
> > comes first?
>
> http://nginx.org/r/listen
>
> Quote:
>
> The default_server parameter, if present, will cause the server to
> become the default server for the specified address:port pair. If
> none of the directives have the default_server parameter then the
> first server with the address:port pair will be the default server
> for this pair.
>
> > Also is the behaviour when SNI is disabled in nginx similar to
> > when SNI is enabled in nginx but client doesn't support it?
>
> Yes.
>
> > Is there a way in nginx to dump the active configs for a port?
>
> No.
>
> --
> Maxim Dounin
> http://nginx.org/
>
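
The default-server rule quoted above decides which certificate a client without SNI is shown, so it is worth checking offline. The following is an added example, not part of the original thread and not nginx code. It assumes a simplified tokenizer (no quoted strings, no `include` handling), compares `listen` values exactly as written, and uses constructed placeholder hostnames.

```python
import re

# Constructed sample; hostnames are placeholders, certificate paths follow the thread.
SAMPLE = """
server { listen 443 ssl; server_name site1.example.com;
         ssl_certificate /test/site1.cer; location / { return 200; } }
server { listen 443 ssl default_server; server_name site2.example.com;
         ssl_certificate /test/site2.cer; }
server { listen 8443 ssl; server_name site3.example.com;
         ssl_certificate /test/site3.cer; }
"""

def server_blocks(conf):
    """Yield each server block as {directive: [argument lists]}, in file order."""
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", conf))
    depth, block, start, words = 0, None, 0, []
    for tok in tokens:
        if tok == "{":
            depth += 1
            if block is None and words == ["server"]:
                block, start = {}, depth
            words = []
        elif tok == "}":
            if block is not None and depth == start:
                yield block
                block = None
            depth -= 1
            words = []
        elif tok == ";":
            # Record only directives directly inside server{}, not in location{}.
            if block is not None and depth == start and words:
                block.setdefault(words[0], []).append(words[1:])
            words = []
        else:
            words.append(tok)

def default_servers(conf):
    """Map each listen value to the certificate a client without SNI receives."""
    chosen = {}  # listen value -> (explicit default_server?, block)
    for block in server_blocks(conf):
        for args in block.get("listen", []):
            explicit = "default_server" in args[1:]
            # First block wins unless a later one carries default_server.
            if args[0] not in chosen or (explicit and not chosen[args[0]][0]):
                chosen[args[0]] = (explicit, block)
    return {k: b.get("ssl_certificate", [[None]])[0][0]
            for k, (_, b) in chosen.items()}

if __name__ == "__main__":
    print(default_servers(SAMPLE))
```
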