Multiple SSL listen statements and SNI

Dave Hayes dave at
Fri Nov 11 17:29:58 UTC 2016

On 11/11/2016 00:02, Igor Sysoev wrote:
> Please read this:

Thanks very much for your reply. I have read this before, but maybe I 
missed something. In reading it again like you asked, I see this paragraph:

"In this configuration, nginx first tests the IP address and port of the 
request against the listen directives of the server blocks. It then 
tests the “Host” header field of the request against the server_name 
entries of the server blocks that matched the IP address and port."

So in my previous configuration, if I send an SSL request to 
with curl properly set up so it does SNI, e.g.

   curl -vk --resolve

I would expect it to first test the IP address and port of the request:

Given that I do not get to the "server 4" block, this appears to imply 
that will not be matched by

    listen 443 ssl;


    listen *:443 ssl;

SNI does not look at the Host: header, so I wasn't considering it useful 
in this analysis. Is this wrong?

Your suggestion (which does work) seems to confirm that

    listen *:443 ssl;

will not bind to all IP addresses.

> This configuration does what you want:
> server {
>   # server 4
>   listen 443 ssl;
>   listen ssl;
>   server_name "";
>   ...
> }

Naturally I've IP aliased the (for testing). Perhaps the 
usage of IP aliases prevents "*" from having the meaning of "attach this 
server block to every IP you find"? Am I confused here?

Thanks in advance for any insight provided.
Dave Hayes - Consultant - Altadena CA, USA - dave at
 >>>> *The opinions expressed above are entirely my own* <<<<

"Luke, you'll find many of the truths we cling to depend
greatly upon our point of view."           - Obi-Wan Kenobi
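
Added example (not part of the original message and not nginx's own code): a simplified Python model of the two-stage selection the quoted documentation paragraph describes, listen address and port first, then server_name within that set. The addresses, the names and servers 1 to 3 are constructed for illustration; one name stands in for both SNI and Host, and wildcard and regex server_name forms are left out.

```python
# Simplified model of nginx virtual-server selection; not nginx source code.
# All addresses and names are constructed sample values.
WILDCARD = "*"

SERVERS = [  # constructed configuration: two address-specific, two wildcard
    {"id": "server 1", "listen": [("192.0.2.10", 443)], "names": ["a.example"]},
    {"id": "server 2", "listen": [("192.0.2.10", 443)], "names": ["b.example"]},
    {"id": "server 3", "listen": [(WILDCARD, 443)], "names": ["c.example"]},
    {"id": "server 4", "listen": [(WILDCARD, 443)], "names": [""]},
]


def candidates(servers, local_addr, port):
    """Stage 1: servers whose listen matches the address the connection hit.

    An explicit address:port listen takes precedence; wildcard listens are
    consulted only when no server names that local address explicitly.
    """
    exact = [s for s in servers if (local_addr, port) in s["listen"]]
    if exact:
        return exact
    return [s for s in servers if (WILDCARD, port) in s["listen"]]


def select_server(servers, local_addr, port, name):
    """Stage 2: match the requested name against server_name, stage-1 set only."""
    pool = candidates(servers, local_addr, port)
    if not pool:
        return None
    for s in pool:
        if name in s["names"]:
            return s["id"]
    for s in pool:  # no name matched: explicit default_server, else the first
        if s.get("default"):
            return s["id"]
    return pool[0]["id"]


def with_extra_listen(servers, server_id, listen):
    """Copy of the configuration with one more listen entry on server_id."""
    return [dict(s, listen=s["listen"] + [listen]) if s["id"] == server_id else s
            for s in servers]
```

In this model a request to 192.0.2.10:443 never reaches a wildcard-only block, so an unmatched name falls to the first address-specific server (and its certificate) until that address is also listed on the intended block.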