SSL on/off on same port and IP
Maxim Dounin
mdounin at mdounin.ru
Sat Jul 4 06:47:07 UTC 2015
Hello!
On Tue, Jun 23, 2015 at 04:43:23PM +0200, Ingo Lafrenz wrote:
> Hi,
>
> consider the following very simple nginx config:
>
>     http {
>         server {
>             listen 127.0.0.1:123;
>             server_name abc;
>         }
>         server {
>             listen 127.0.0.1:123 ssl;
>             server_name xyz;
>             ssl_certificate...;
>         }
>     }
>
> In words:
> I instruct nginx to listen on the same port and IP, one time without ssl,
> one time with ssl. IMHO this is a broken config, however nginx accepts it.
>
> What would you say? Should nginx reject such a config? Right now you only
> get an error at request time.
The "listen 127.0.0.1:123 ssl;" means that nginx will use SSL on
the 127.0.0.1:123 listen socket. This works much like with any
listen socket options: you may specify them once, and omit in other
server{} blocks.
The only problem with the config in question is that there is no
ssl certificate defined in the first server. There is a ticket
about complaining during configuration testing in such a case:
http://trac.nginx.org/nginx/ticket/178
But adding such a check isn't trivial and unlikely to happen soon.
> It gets even worse, if the 2nd server is configured with the ssl directive
> instead of "listen ssl":
>     server {
>         listen 127.0.0.1:123;
>         server_name xyz;
>         ssl on;
>         ssl_certificate...;
>     }
>
> In that case you don't even see an error in the logs anymore and clients
> can't connect via https anymore.
There will be an error in the logs, but at the "info" level -
and therefore rarely seen. The socket in question won't have SSL
enabled as there is no "ssl on" in the default (first) server, and
therefore nginx will not expect SSL connections and will complain
that "client sent invalid method" for all attempts to establish an
SSL connection.
Anyway, that's why "ssl on" is deprecated - it's very easy to
configure things wrongly when using it.
--
Maxim Dounin
http://nginx.org/
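An added configuration example (not from the thread above or from the nginx project) showing the shape that avoids both pitfalls Maxim describes: every server on 127.0.0.1:123 carries a certificate, "ssl" is given on the listen directive rather than via "ssl on", and the plain-HTTP vhost moves to its own port because one listen socket cannot serve both. Certificate paths and the port 8080 are placeholders.

```nginx
http {
    # Once "ssl" appears on any listen directive for 127.0.0.1:123, the whole
    # socket speaks TLS. The default (first) server for that socket therefore
    # needs its own certificate, otherwise handshakes to it fail.
    server {
        listen 127.0.0.1:123 ssl default_server;
        server_name abc;
        ssl_certificate     /path/to/abc.crt;   # placeholder path
        ssl_certificate_key /path/to/abc.key;   # placeholder path
    }

    server {
        listen 127.0.0.1:123 ssl;
        server_name xyz;
        ssl_certificate     /path/to/xyz.crt;   # placeholder path
        ssl_certificate_key /path/to/xyz.key;   # placeholder path
    }

    # Plain HTTP cannot share the TLS socket; give it a separate port.
    # No "ssl on" anywhere, so the deprecated directive cannot silently
    # leave the socket expecting cleartext while clients send TLS.
    server {
        listen 127.0.0.1:8080;   # placeholder port
        server_name abc;
    }
}
```

Run `nginx -t` after editing; it catches syntax errors, but (per ticket 178) not a TLS socket whose default server lacks a certificate, so check `listen` lines for a socket by hand.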