Selection of secure virtual servers

Francis Daly francis at
Sun Nov 15 12:51:56 UTC 2015

On Fri, Nov 13, 2015 at 03:37:28PM +0100, Joó Ádám wrote:

Hi there,

> I would like to terminate TLS connections arriving at the default
> server, only serving requests with the correct host header, relying on
> SNI.

SSL is fiddly.

The selection of which https server{} to use is not as straightforward
as the selection of which http server{} to use.

If you have one ssl server that you care about, and you do not know that
everything involved works fully with SNI, the "simple" (but inelegant)
approach might be to just have a single server{} block with ssl on for
this ip:port, and use

  if ($host != "") { return 444; }


If you do know that everything works with SNI, you should have most of
your ssl configuration at http{} level, or identical in the relevant
server{} blocks, and only the different certificates configured per
server. (You will probably want a certificate for your scratch/throw-away
default server -- I have not tested.) You will also want to ensure
that ssl_protocols excludes anything that does not allow SNI -- see
"SSL is fiddly".

Good luck with it,

Francis Daly        francis at

More information about the nginx mailing list