Selection of secure virtual servers

Francis Daly francis at
Wed Nov 18 13:28:04 UTC 2015

On Mon, Nov 16, 2015 at 04:51:29PM +0300, Maxim Dounin wrote:
> On Sun, Nov 15, 2015 at 12:51:56PM +0000, Francis Daly wrote:
> > On Fri, Nov 13, 2015 at 03:37:28PM +0100, Joó Ádám wrote:

Hi there,

> > > I would like to terminate TLS connections arriving at the default
> > > server, only serving requests with the correct host header, relying on
> > > SNI.

> > If you have one ssl server that you care about, and you do not know that
> > everything involved works fully with SNI, the "simple" (but inelegant)
> > approach might be to just have a single server{} block with ssl on for
> > this ip:port, and use
> > 
> >   if ($host != "") { return 444; }
> > 
> > there.
> There is no need to do this.  With nginx server{} blocks 
> are selected twice: by SNI, and then by HTTP Host header.  This 
> allows to happily use server{} blocks even when not using SNI.

Thanks for the correction.

I guess I should get more practice with secure web sites :-)

My thinking was: if the client did not do SNI, then it would get the
certificate from the default server{}, and would choose not to continue
the connection as that certificate probably would not include the
preferred server name.

But the initial requirement assumed that only SNI clients matter; and
I guess that the default certificate could easily include the "real"
server name anyway, to avoid that edge case.

So I was wrong on that thinking too.


Francis Daly        francis at

More information about the nginx mailing list