Selection of secure virtual servers
Francis Daly
francis at daoine.org
Wed Nov 18 13:28:04 UTC 2015
On Mon, Nov 16, 2015 at 04:51:29PM +0300, Maxim Dounin wrote:
> On Sun, Nov 15, 2015 at 12:51:56PM +0000, Francis Daly wrote:
> > On Fri, Nov 13, 2015 at 03:37:28PM +0100, Joó Ádám wrote:
Hi there,
> > > I would like to terminate TLS connections arriving at the default
> > > server, only serving requests with the correct host header, relying on
> > > SNI.
> > If you have one ssl server that you care about, and you do not know that
> > everything involved works fully with SNI, the "simple" (but inelegant)
> > approach might be to just have a single server{} block with ssl on for
> > this ip:port, and use
> >
> > if ($host != "example.com") { return 444; }
> >
> > there.
>
> There is no need to do this. With nginx server{} blocks
> are selected twice: by SNI, and then by HTTP Host header. This
> allows to happily use server{} blocks even when not using SNI.
Thanks for the correction.
I guess I should get more practice with secure web sites :-)
My thinking was: if the client did not do SNI, then it would get the
certificate from the default server{}, and would choose not to continue
the connection as that certificate probably would not include the
preferred server name.
But the initial requirement assumed that only SNI clients matter; and
I guess that the default certificate could easily include the "real"
server name anyway, to avoid that edge case.
So I was wrong on that thinking too.
Cheers,
f
--
Francis Daly francis at daoine.org
More information about the nginx
mailing list