Fallback default server sharing cert information about other domains than for the URL you visit?

koocr at mailc.net
Fri Aug 9 18:48:58 UTC 2019


Thanks for the help.
I'm really feeling pretty stupid at the moment since I can't seem to find and understand a how-to document to get this right :-/

So I have this config:

	server {
		listen 80                  http2 default_server;
		listen [::]:80             http2 ipv6only=on default_server;
		server_name _;
		return 301 https://$host;
	}

	server {
		listen 172.17.0.1:443      ssl http2 default_server;
		listen [FE80:...:0001]:443 ssl http2 ipv6only=on default_server;
		server_name _;
		ssl_trusted_certificate    "/etc/ssl/trusted.crt.pem";
		ssl_certificate            "/etc/ssl/dummy.crt.pem";
		ssl_certificate_key        "/etc/ssl/dummy.key.pem";
		return 444;
	}

	server {
		listen 443                 ssl http2 default_server;
		listen [::]:443            ssl http2 ipv6only=on default_server;
		server_name _;
		ssl_trusted_certificate    "/etc/ssl/trusted.crt.pem";
		ssl_certificate            "/etc/ssl/dummy.crt.pem";
		ssl_certificate_key        "/etc/ssl/dummy.key.pem";
		return 444;
	}

	server {
		listen 172.17.0.1:80       http2;
		listen [FE80:...:0001]:80  http2;
		server_name example.com www.example.com;
		location / {
			return 301 https://example.com$request_uri;
		}
	}

	server {
		listen 172.17.0.1:443      ssl http2;
		listen [FE80:...:0001]:443 ssl http2 ipv6only=on default_server;
		server_name example.com www.example.com;
		ssl_trusted_certificate    "/etc/ssl/trusted.crt.pem";
		ssl_certificate            "/etc/ssl/chain.crt.pem";
		ssl_certificate_key        "/etc/ssl/privkey.pem";
		add_header Strict-Transport-Security "max-age=315360000; includeSubDomains; preload";
		location / {...}
	}

With that config, when I try to launch nginx it fails with these errors:

	Aug 09 11:29:21 myhost nginx[10095]: nginx: [emerg] bind() to [::]:443 failed (98: Address already in use)

If I comment out the IP-less listener:

	#	server {
	#		listen 443                 ssl http2 default_server;
	#		listen [::]:443            ssl http2 ipv6only=on default_server;
	#		server_name _;
	#		ssl_trusted_certificate    "/etc/ssl/trusted.crt.pem";
	#		ssl_certificate            "/etc/ssl/dummy.crt.pem";
	#		ssl_certificate_key        "/etc/ssl/dummy.key.pem";
	#		return 444;
	#	}

and try again, I do get a site failure with that "Websites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for ..." error again.
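A way to check the point raised in the subject line, namely whether the server that answers a connection without SNI (or with an unknown name) presents a certificate that discloses the real site's hostnames, as an added Go probe that is not part of the original post or of nginx. It assumes the 172.17.0.1:443 address and the example.com names from the config above; LeakedNames compares names literally and does not expand wildcard entries.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"sort"
	"strings"
)

// ProbeSNI connects to addr ("ip:port"), offers sni as the TLS server name (an
// empty sni with an IP literal sends no SNI, like a client hitting the bare
// address) and returns the SAN DNS names of the leaf certificate the server
// chose. Verification is off on purpose: we want to see the dummy cert too.
func ProbeSNI(addr, sni string) ([]string, error) {
	cfg := &tls.Config{ServerName: sni, InsecureSkipVerify: true}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	certs := conn.ConnectionState().PeerCertificates
	if len(certs) == 0 {
		return nil, fmt.Errorf("no certificate presented for sni=%q", sni)
	}
	return append([]string{}, certs[0].DNSNames...), nil
}
// LeakedNames returns (lowercased, deduplicated, sorted) every name in the
// fallback certificate that also appears in a real vhost's certificate, i.e.
// the hostnames disclosed to anyone who connects without naming a site. With a
// dummy cert on the default_server the result must be empty.
func LeakedNames(fallback, vhost []string) []string {
	real := map[string]bool{}
	for _, n := range vhost {
		real[strings.ToLower(n)] = true
	}
	seen, leaked := map[string]bool{}, []string{}
	for _, n := range fallback {
		if n = strings.ToLower(n); real[n] && !seen[n] {
			seen[n], leaked = true, append(leaked, n)
		}
	}
	sort.Strings(leaked)
	return leaked
}
func main() { // constructed usage: address and names taken from the posted config
	fallback, err := ProbeSNI("172.17.0.1:443", "") // no SNI: the default_server's cert
	site, err2 := ProbeSNI("172.17.0.1:443", "example.com")
	if err != nil || err2 != nil {
		panic(fmt.Sprint(err, " ", err2))
	}
	fmt.Println("fallback cert names:", fallback, "leaked:", LeakedNames(fallback, site))
}
```

Probing once more with an unknown name (for instance "nonexistent.invalid") shows whether an unmatched SNI lands on the same fallback server as a no-SNI connection.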
