Re: How to force SNI only connections, or have a fallback non-SNI server?

July 14, 2010 12:52PM
On Wed, Jul 14, 2010 at 01:17:57PM -0300, Tiago Freire wrote:

> I was hoping that there would be a configuration option on nginx to either:
> 1) give a 403 error - or whatever error is best fit - when it detects
> non-SNI SSL handshake; or
> 2) redirect non-SNI SSL handshake traffic to a different virtual server.
>
> Is this list the best place to suggest nginx features?

I do not understand the reason why you want to detect non-SNI connections.

If you want to avoid the browser message about an inappropriate certificate, then
this is not allowed by the SSL protocol: before nginx can show a 403 error or
send a redirect to a client, the client must establish the SSL connection.
And a certificate is an indispensable thing during this process.

If you want to show a 403 error or send a redirect AFTER the browser has shown
a message about an inappropriate certificate, then you may try this configuration:

    # Default server: every connection whose SNI name matches no other
    # server block (including handshakes without SNI) lands here.
    server {
        listen 443 default;
        server_name _;
        ssl on;
        ssl_certificate dummy.name.cert;
        ssl_certificate_key dummy.name.key;   # key filename assumed
        return 403;
    }

    # Named servers: selected only when the client sends a matching SNI name.
    server {
        listen 443;
        server_name www.one.site;
        ssl on;
        ssl_certificate one.site.cert;
        ssl_certificate_key one.site.key;     # key filename assumed
        ...
    }

    server {
        listen 443;
        server_name www.two.site;
        ssl on;
        ssl_certificate two.site.cert;
        ssl_certificate_key two.site.key;     # key filename assumed
        ...
    }

    server {
        listen 443;
        server_name www.three.site;
        ssl on;
        ssl_certificate three.site.cert;
        ssl_certificate_key three.site.key;   # key filename assumed
        ...
    }

Non-SNI browsers will always get dummy.name.cert, show the message,
and get a 403 error.
SNI-enabled browsers will get the appropriate certificate and will go
to the appropriate site.

> On Wed, Jul 14, 2010 at 4:30 AM, Igor Sysoev <igor@sysoev.ru> wrote:
>
> > On Tue, Jul 13, 2010 at 04:58:16PM -0300, Tiago Freire wrote:
> >
> > > Hi,
> > >
> > > I have heard about nginx before, and I am now considering using it for
> > > several reasons, performance is one of them.
> > >
> > > I have to put several servers with EV certificates behind a single IP
> > > though, and I noticed nginx supports SNI.
> > >
> > > I know that not all browsers support SNI, but we are developing web
> > > applications where we can give ourselves the luxury of being a bit picky
> > > about browser support.
> > >
> > > What was not clear in the documentation was: does enabling SNI support
> > > force all connections to be SNI, or will old browsers still 'work'?
> > > I understood that old browsers would only be able to go to the default
> > > server.
> > >
> > > If running with SNI still accepts old browsers, is there a configuration
> > > option to force SNI-only connections?
> > >
> > > Otherwise, is there any way to segregate SNI and non-SNI connections and
> > > send them to different servers?
> >
> > Regardless of server SNI support, old browsers always get the certificate
> > of the default server and they complain if the server name does not match
> > the certificate's server name. Theoretically after this you may redirect
> > them to another server, but it's too late from the user's point of view.
> >
> >
> > --
> > Igor Sysoev
> > http://sysoev.ru/en/
> >
> > _______________________________________________
> > nginx mailing list
> > nginx@nginx.org
> > http://nginx.org/mailman/listinfo/nginx
>
> --
> -----
> Tiago Mikhael Pastorello Freire a.k.a. Brazilian Joe


--
Igor Sysoev
http://sysoev.ru/en/

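The behaviour Igor describes, that the server has to commit to a certificate and finish the handshake before any 403 or redirect can reach the client, and that a ClientHello without SNI can only ever get the default certificate, can be watched directly with a small TLS server. The following Go program is an added example, not code from the thread or from nginx: it generates throwaway self-signed certificates for dummy.name and www.one.site (constructed names taken from the configuration above), listens on a loopback port, and selects the certificate from the SNI name exactly as the server blocks do. It then connects once with SNI and once without and reports which certificate each client was shown. It also generalizes slightly beyond the post: a client that sends an SNI name no server block knows falls back to the default certificate in the same way.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a throwaway self-signed certificate for one DNS name
// (constructed for this example; a real site uses a CA-issued certificate).
func selfSigned(name string, serial int64) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// sniServer listens on loopback and picks the certificate by the SNI name the
// client sent, falling back to defaultCert when the ClientHello carries no SNI
// or an unknown name, the same choice nginx makes among the server blocks.
func sniServer(defaultCert tls.Certificate, named map[string]tls.Certificate) (net.Listener, error) {
	cfg := &tls.Config{
		GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
			if c, ok := named[hello.ServerName]; ok {
				return &c, nil
			}
			return &defaultCert, nil
		},
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			conn, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			// The certificate is sent during the handshake; only after it
			// completes could a 403 or a redirect ever reach the client.
			go func() { defer conn.Close(); conn.(*tls.Conn).Handshake() }()
		}
	}()
	return ln, nil
}

// presentedName connects to addr, sending SNI only when sni is non-empty, and
// returns the DNS name in the certificate the server chose. Verification is
// skipped because the certificates are self-signed; the aim is only to see
// which certificate a client is shown, i.e. what a non-SNI browser warns about.
func presentedName(addr, sni string) (string, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: sni, InsecureSkipVerify: true})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	certs := conn.ConnectionState().PeerCertificates
	if len(certs) == 0 || len(certs[0].DNSNames) == 0 {
		return "", fmt.Errorf("server presented no usable certificate")
	}
	return certs[0].DNSNames[0], nil
}

func main() {
	dummy, _ := selfSigned("dummy.name", 1)
	one, _ := selfSigned("www.one.site", 2)
	ln, err := sniServer(dummy, map[string]tls.Certificate{"www.one.site": one})
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	// An SNI client asking for www.one.site, a non-SNI client, and a client
	// asking for a name no server block knows.
	for _, sni := range []string{"www.one.site", "", "www.unknown.site"} {
		name, err := presentedName(ln.Addr().String(), sni)
		fmt.Printf("SNI %q -> certificate for %q (err=%v)\n", sni, name, err)
	}
}
```

Dialing 127.0.0.1 with an empty ServerName makes Go omit the SNI extension altogether (it never sends IP addresses as SNI), which is what an old non-SNI browser looks like on the wire; the server's GetCertificate then sees an empty ServerName and can only hand out the default certificate. The same check against a live nginx is a client connection with and without SNI, comparing the subject of the certificate returned.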