SNI - Where is the mistake?

Posted by ingin 
April 16, 2015 06:55AM
Dear all,

After years of running an nginx server that never had any trouble with SNI, I am suddenly facing a certificate issue.
To rule out a misconfiguration, nginx -V tells me:

--
nginx version: nginx/1.1.19
TLS SNI support enabled
--

Second, all server blocks are correctly connected, nginx -t does not complain, and OpenSSL is working. But with the following config the wrong certificate (the one for sub.domainy.com) is served when calling b.domain-x.de:

===BLOCK 1, file in …/sites-available/sub.domainy.com ===

--
upstream sub_domainy {
    server 127.0.0.1:1234 fail_timeout=0;
}

# plain HTTP: send everything to HTTPS
server {
    listen [::]:80;
    server_name sub.domainy.com;
    rewrite ^ https://$server_name$request_uri? ;
    access_log /var/log/nginx/sub.domainy.com.access.log;
    error_log /var/log/nginx/sub.domainy.com.error.log;
}

# HTTPS. default_server on :443 also makes this block, and therefore this
# certificate, the answer for any client that sends no SNI name at all or a
# name that no other server block on this port matches.
server {
    listen [::]:443 ssl default_server;
    server_name sub.domainy.com;
    server_tokens off;
    ssl_certificate /etc/nginx/ssl/wildcard.domainy.com.crt;
    ssl_certificate_key /etc/nginx/ssl/wildcard.domainy.com.key;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-AES128-GCM-SHA256:HIGH:!aNULL:!eNull:!MD5:!RC4:!EXPORT:!DES:!PSK;
    access_log /var/log/nginx/sub.domainy.com.access.log;
    error_log /var/log/nginx/sub.domainy.com.error.log;
    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_redirect off;
        proxy_pass http://sub_domainy;
    }
}
--

===BLOCK 2, file in …/sites-available/b.domain-x.de ===

--
upstream b_domain_x {
    server 127.0.0.1:2468 fail_timeout=0;
}

# plain HTTP: send everything to HTTPS
server {
    listen [::]:80;
    server_name b.domain-x.de;
    #add_header Strict-Transport-Security max-age=31536000;
    #add_header X-Frame-Options DENY;
    access_log /var/log/nginx/b.domain-x.de.access.log;
    error_log /var/log/nginx/b.domain-x.de.error.log;
    rewrite ^/(.*) https://b.domain-x.de ;
}

# HTTPS. No default_server here, so this block (and its certificate) is only
# selected when the client's SNI name is b.domain-x.de.
server {
    listen [::]:443 ssl;
    server_name b.domain-x.de;
    ssl_certificate /etc/nginx/ssl/wildcard.domain-x.de.crt;
    ssl_certificate_key /etc/nginx/ssl/wildcard.domain-x.de.key;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    # "AESCGM" in the first token looks like a typo for AESGCM; OpenSSL's
    # cipher-string parser ignores a token it does not recognise, so nginx
    # starts anyway and the remaining tokens decide the cipher list.
    ssl_ciphers EECDH+ECDSA+AESCGM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:-3DES:DES-CBC3-SHA:!MD5:!PSK:!SRP:!DSS:!SEED:!EXPORT:!CAMELLIA:!DES;
    server_tokens off;
    add_header Strict-Transport-Security max-age=31536000;
    add_header X-Frame-Options DENY;
    access_log /var/log/nginx/b.domain-x.de.access.log;
    error_log /var/log/nginx/b.domain-x.de.error.log;
    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_redirect off;
        proxy_pass http://b_domain_x;
    }
}
--

Does anybody see a mistake? I would really appreciate your help, I find it kind of puzzling. Thanks a lot, have a nice day...
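A check that separates "nginx picks the wrong server block" from "the client never sent an SNI name", as an added example that is not part of the original post and not nginx's or the poster's code. It uses the openssl command-line client to ask the server for its leaf certificate twice, once with a chosen SNI name and once with no SNI extension, and compares the subject CNs. With the configuration above, the no-SNI answer is expected to be the default_server certificate (*.domainy.com); if the with-SNI answer for b.domain-x.de is *.domain-x.de, nginx is doing its job and the failing client is not sending SNI. Host, port and the expected CN values are supplied by the operator; the subject lines used to exercise the parser are constructed samples in the two layouts openssl prints.

```shell
#!/bin/sh
# Added example (not from the original post): compare the certificate an
# nginx listener serves for a given SNI name with the one it serves when the
# client sends no SNI at all. Requires the openssl command-line tool.

# Pull the CN out of an `openssl x509 -noout -subject` line. Handles both the
# older "subject= /C=DE/O=X/CN=name" layout and the newer
# "subject=C = DE, O = X, CN = name" layout. Prints nothing when no CN exists.
cn_from_subject() {
    printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | head -n 1
}

# Subject of the leaf certificate the server at $2:$3 presents when the
# client sends SNI name $1. (Host and port are assumptions you fill in.)
subject_with_sni() {
    printf '' | openssl s_client -connect "$2:$3" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -subject 2>/dev/null
}

# Same, but without the SNI extension. OpenSSL 1.1.1 and later send SNI by
# default and need -noservername to suppress it; older s_client versions only
# send SNI when -servername is given, so there the flag is simply omitted.
subject_without_sni() {
    if openssl s_client -help 2>&1 | grep -q -- '-noservername'; then
        printf '' | openssl s_client -connect "$1:$2" -noservername 2>/dev/null \
            | openssl x509 -noout -subject 2>/dev/null
    else
        printf '' | openssl s_client -connect "$1:$2" 2>/dev/null \
            | openssl x509 -noout -subject 2>/dev/null
    fi
}

# Check one virtual host: $1 = SNI name, $2 = host to connect to, $3 = port,
# $4 = CN expected for that name. Prints both answers; returns 0 when the
# with-SNI answer matches the expectation, 1 when nginx itself is at fault.
check_vhost() {
    name=$1; host=$2; port=$3; expect_cn=$4
    got_sni=$(cn_from_subject "$(subject_with_sni "$name" "$host" "$port")")
    got_nosni=$(cn_from_subject "$(subject_without_sni "$host" "$port")")
    printf '%-20s with SNI -> %s | without SNI -> %s\n' \
        "$name" "$got_sni" "$got_nosni"
    if [ "$got_sni" = "$expect_cn" ]; then
        return 0
    fi
    echo "  nginx serves the wrong certificate for SNI name $name" >&2
    return 1
}

# Example invocation for the two hosts in the post (hypothetical values;
# point host/port at the address nginx really listens on):
#   check_vhost sub.domainy.com sub.domainy.com 443 '*.domainy.com'
#   check_vhost b.domain-x.de   b.domain-x.de   443 '*.domain-x.de'
```

If both lines show the with-SNI CN matching the host and the without-SNI CN as *.domainy.com, the server side is consistent with the configuration and the next thing to look at is whether the complaining client (browser, monitoring probe, old Java or Python client) actually sends SNI. If the with-SNI answer for b.domain-x.de is *.domainy.com, the b.domain-x.de :443 block is not being selected at all, which usually means the file is not linked into sites-enabled or the running process has not been reloaded.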