Unexpected SSL Behavior with Virtual Hosts

Maxim Dounin mdounin at mdounin.ru
Fri May 16 13:42:02 UTC 2014


Hello!

On Fri, May 16, 2014 at 09:37:12AM -0400, SAH62 wrote:

> Igor Sysoev Wrote:
> -------------------------------------------------------
> > On 15 May 2014, at 04:01, SAH62 <nginx-forum at nginx.us> wrote:
> > 
> > > Sorry for posting this twice. I posted it in the "How to" forum last week,
> > > there haven't been any replies, so I thought I'd try again.
> > > 
> > > I'm using nginx for multiple virtual hosts on the same physical server. The
> > > issue I'm having is that a browser request for https://www.domain1.org/ is
> > > being answered with a certificate for a different domain. Here's what the
> > > slices from my config files look like:
> > > 
> > > domain1.conf: (note that there's no listen directive for port 443)
> > > server {
> > > listen 80;
> > > server_name domain1.org www.domain1.org domain1.com www.domain1.com
> > > domain1.net www.domain1.net domain1.us www.domain1.us domain1.info
> > > www.domain1.info;
> > > root /home/domain1/public_html;
> > > 
> > > # more stuff
> > > }
> > > 
> > > domain2.conf:
> > > server {
> > > listen 80;
> > > 
> > > server_name domain2 www.domain2;
> > > root /home/domain2/public_html;
> > > 
> > > # more stuff
> > > }
> > > 
> > > server { ## SSL config for domain2
> > > listen 443 ssl;
> > > 
> > > ssl_certificate /etc/ssl/certs/domain2-chained.crt;
> > > ssl_certificate_key /etc/ssl/private/domain2.key;
> > > ssl_session_cache shared:SSL:10m;
> > > ssl_session_timeout 10m;
> > > ssl_protocols SSLv3 TLSv1;
> > > ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
> > > ssl_prefer_server_ciphers on;
> > > 
> > > server_name domain2 www.domain2;
> > > root /home/domain2/public_html;
> > > 
> > > # more stuff
> > > }
> > > 
> > > server {
> > > listen 80;
> > > 
> > > server_name domain3 www.domain3;
> > > root /var/www;
> > > 
> > > access_log /var/log/nginx/access-domain3.log;
> > > error_log /var/log/nginx/error-domain3.log;
> > > 
> > > return 301 https://$host$request_uri;
> > > }
> > > 
> > > server { ## SSL config for domain3
> > > listen 443 ssl;
> > > 
> > > ssl_certificate /etc/ssl/certs/domain3-chained.crt;
> > > ssl_certificate_key /etc/ssl/private/server.key;
> > > ssl_session_cache shared:SSL:10m;
> > > ssl_session_timeout 10m;
> > > ssl_protocols SSLv3 TLSv1;
> > > ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
> > > ssl_prefer_server_ciphers on;
> > > 
> > > root /var/www;
> > > index index.php index.html index.htm;
> > > 
> > > access_log /var/log/nginx/access-domain3-ssl.log;
> > > error_log /var/log/nginx/error-domain3-ssl.log;
> > > rewrite_log on;
> > > 
> > > server_name www.domain3 domain3;
> > > 
> > > # more stuff
> > > }
> > > 
> > > A browser request for https://www.domain1.org/ returns the certificate for
> > > domain 2 and the content found in the root for domain2. Why is that and how
> > > can I get the server to redirect to http://www.domain1.org/ instead? Thank
> > > you…
> > 
> > http://nginx.org/en/docs/http/configuring_https_servers.html#name_based_https_servers
> 
> OK, that explains why nginx returns the default certificate. It's listening
> on 443, it gets a request, and it doesn't know which domain the HTTP request
> is for so it responds with the default certificate. Why is it sending back
> the content for domain2, though?

Because it's the default server for the listening socket on port 
443.  See here for details:

http://nginx.org/en/docs/http/request_processing.html

-- 
Maxim Dounin
http://nginx.org/
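
The default-server behaviour described in this reply, as an added example that is not part of the original thread or the poster's configuration: with no `default_server` flag, the first server block defined for port 443 (the domain2 block in the quoted config) answers every HTTPS request whose name matches no other 443 block. The placeholder certificate paths below are assumptions.

```nginx
# Added example, not from the thread.
# Explicit catch-all for port 443, so that an unmatched name such as
# www.domain1.org no longer falls through to the domain2 block.
server {
    listen 443 ssl default_server;
    server_name _;                 # never matches a real host name

    # Option A (nginx 1.19.4 and later): refuse the TLS handshake for any
    # name that no other 443 server block claims. No certificate is needed.
    ssl_reject_handshake on;

    # Option B (older versions): present a placeholder certificate and
    # close the connection without sending a response.
    # ssl_certificate     /etc/ssl/certs/placeholder.crt;     # assumed path
    # ssl_certificate_key /etc/ssl/private/placeholder.key;   # assumed path
    # return 444;
}

# The domain2 block from the quoted config. It is no longer the implicit
# default for port 443; it only answers requests for its own names.
server {
    listen 443 ssl;
    server_name domain2 www.domain2;

    ssl_certificate     /etc/ssl/certs/domain2-chained.crt;
    ssl_certificate_key /etc/ssl/private/domain2.key;

    root /home/domain2/public_html;
}

# The domain3 block from the quoted config, likewise restricted to its names.
server {
    listen 443 ssl;
    server_name www.domain3 domain3;

    ssl_certificate     /etc/ssl/certs/domain3-chained.crt;
    ssl_certificate_key /etc/ssl/private/server.key;

    root /var/www;
}
```

A redirect from https://www.domain1.org/ to the HTTP site can only be delivered after the TLS handshake completes, so the browser will show a certificate warning first unless the server holds a certificate valid for that name.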


