Fallback default server sharing cert information about other domains than for the URL you visit?
koocr at mailc.net
Fri Aug 9 18:48:58 UTC 2019
Thanks for the help.
I'm really feeling pretty stupid atm since I can't seem to find & understand a how-to document to get this right :-/
So I have this config:

server {
    listen 80 http2 default_server;
    listen [::]:80 http2 ipv6only=on default_server;
    server_name _;
    return 301 https://$host;
}

server {
    listen 172.17.0.1:443 ssl http2 default_server;
    listen [FE80:...:0001]:443 ssl http2 ipv6only=on default_server;
    server_name _;
    ssl_trusted_certificate "/etc/ssl/trusted.crt.pem";
    ssl_certificate "/etc/ssl/dummy.crt.pem";
    ssl_certificate_key "/etc/ssl/dummy.key.pem";
    return 444;
}

server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 ipv6only=on default_server;
    server_name _;
    ssl_trusted_certificate "/etc/ssl/trusted.crt.pem";
    ssl_certificate "/etc/ssl/dummy.crt.pem";
    ssl_certificate_key "/etc/ssl/dummy.key.pem";
    return 444;
}

server {
    listen 172.17.0.1:80 http2;
    listen [FE80:...:0001]:80 http2;
    server_name example.com www.example.com;
    location / {
        return 301 https://example.com$request_uri;
    }
}

server {
    listen 172.17.0.1:443 ssl http2;
    listen [FE80:...:0001]:443 ssl http2 ipv6only=on default_server;
    server_name example.com www.example.com;
    ssl_trusted_certificate "/etc/ssl/trusted.crt.pem";
    ssl_certificate "/etc/ssl/chain.crt.pem";
    ssl_certificate_key "/etc/ssl/privkey.pem";
    add_header Strict-Transport-Security "max-age=315360000; includeSubDomains; preload";
    location / {...}
}
With that config, when I try to launch nginx, it fails with these errors:
Aug 09 11:29:21 myhost nginx[10095]: nginx: [emerg] bind() to [::]:443 failed (98: Address already in use)
If I comment out the IP-less listener:

# server {
#     listen 443 ssl http2 default_server;
#     listen [::]:443 ssl http2 ipv6only=on default_server;
#     server_name _;
#     ssl_trusted_certificate "/etc/ssl/trusted.crt.pem";
#     ssl_certificate "/etc/ssl/dummy.crt.pem";
#     ssl_certificate_key "/etc/ssl/dummy.key.pem";
#     return 444;
# }
and try again, I do get a site failure with that "Websites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for ..." error again.
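The bind() failure in the post is the kind of thing a listen-directive check can catch before nginx is started. The checker below is an added example, not the poster's code or anything from nginx: it applies the rule from the nginx `listen` documentation (ipv6only and a few other parameters force a separate bind() for that address:port instead of folding it into the wildcard socket on the same port) to the post's listen lines, and also counts default_server entries per address:port. The sample config is constructed from the post, and the EADDRINUSE explanation is an assumption drawn from the error the post shows.

```python
import re
from collections import defaultdict

# listen parameters after which nginx makes a separate bind() for that address:port
SEPARATE_BIND = {"bind", "setfib", "fastopen", "backlog", "rcvbuf", "sndbuf",
                 "accept_filter", "deferred", "ipv6only", "reuseport", "so_keepalive"}
LISTEN_RE = re.compile(r"\blisten\s+([^;]+);")
ADDR_RE = re.compile(r"(?:(\[[^\]]*\]|[\d.]+|\*):)?(\d+)")  # [v6]:p, v4:p, *:p, bare p

def parse_listen(body):
    """Return (addr, port, param names, separate_bind) for one listen directive."""
    addr_port, *params = body.split()
    m = ADDR_RE.fullmatch(addr_port)
    if not m: raise ValueError(f"unsupported listen address: {addr_port}")
    addr, port = m.group(1) or "*", m.group(2)      # a bare port means *:port
    names = {p.split("=", 1)[0] for p in params}
    return addr, port, names, bool(names & SEPARATE_BIND)

def lint_listen(config):
    """Return findings for listen directives that cannot coexist on one port."""
    config = re.sub(r"#.*", "", config)             # ignore commented-out blocks
    by_port, defaults = defaultdict(list), defaultdict(int)
    for m in LISTEN_RE.finditer(config):
        addr, port, names, sep = parse_listen(m.group(1))
        by_port[port].append((addr, sep))
        if "default_server" in names:
            defaults[(addr, port)] += 1
    findings = [f"{n} default_server entries for {a}:{p}"
                for (a, p), n in defaults.items() if n > 1]
    for port, entries in by_port.items():
        for wild, v6 in (("*", False), ("[::]", True)):  # one wildcard per family
            if any(a == wild for a, _ in entries):
                clash = {a for a, sep in entries
                         if sep and a != wild and a.startswith("[") == v6}
                for a in sorted(clash):
                    findings.append(f"{wild}:{port} and {a}:{port} each get their own "
                                    f"bind(); the second one fails with EADDRINUSE on Linux")
    return findings

# Constructed sample: the listen lines of the post's three HTTPS server blocks
# (the IPv6 address is elided in the post and kept exactly as written there).
SAMPLE = """
server { listen 172.17.0.1:443 ssl http2 default_server;
         listen [FE80:...:0001]:443 ssl http2 ipv6only=on default_server; }
server { listen 443 ssl http2 default_server;
         listen [::]:443 ssl http2 ipv6only=on default_server; }
server { listen 172.17.0.1:443 ssl http2;
         listen [FE80:...:0001]:443 ssl http2 ipv6only=on default_server; }
"""
if __name__ == "__main__": print(*lint_listen(SAMPLE), sep="\n")
```

Commenting out the `[::]:443` line, as the post does, removes the wildcard-versus-specific finding but leaves the duplicate default_server on the link-local address.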