Welcome! Log In Create A New Profile

Advanced

Multiple server definitions with SSL

Ben Lancaster
July 26, 2011 12:46PM
We recently had a problem where we created a new server configuration (for http with and without ssl on ports 443 and 80 respectively) on a shared web server which also included a number of other nginx servers similarly configured.

Unfortunately, we neglected to include the ssl_certificate and ssl_certificate_key directives for the new server. So, the configurations looked something like this:

# START CONFIG #

# Pre-existing, working server definition (one of several)
server {
listen 80;
listen 443 ssl;

server_name first.example.com;

ssl_certificate /path/to/ssl.crt
ssl_certificate_key /path/to/key.crt

# snip #
}

# New server definition
server {
listen 80
listen 443 ssl;

server_name second.example.com;

# snip #
}

# END CONFIG #

Now, prior to restarting the nginx process, we issued "nginx -t" to test the new configuration - everything passed. Once the nginx service was restarted, however, the old, working site failed to respond to https requests (cURL said "Unknown SSL protocol error in connection to first.example.com:443 "), even though the configuration for that particular server was unchanged.

I've since added a default SSL server to my config, which seems to fix this problem incase ssl_certificate_* lines get missed in future (there was no server with "listen 443 ssl default" prior to that).

We're running Ubuntu 10.04 LTS x86_64 with Nginx 1.0.0 stable from PPA:

$ nginx -V
nginx: nginx version: nginx/1.0.0
nginx: TLS SNI support enabled
nginx: configure arguments: --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-log-path=/var/log/nginx/access.log --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --lock-path=/var/lock/nginx.lock --pid-path=/var/run/nginx.pid --with-debug --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_realip_module --with-http_stub_status_module --with-http_ssl_module --with-http_sub_module --with-http_xslt_module --with-ipv6 --with-sha1=/usr/include/openssl --with-md5=/usr/include/openssl --with-mail --with-mail_ssl_module --add-module=/build/buildd/nginx-1.0.0/debian/modules/nginx-echo --add-module=/build/buildd/nginx-1.0.0/debian/modules/nginx-upstream-fair

Is this expected behaviour? Should nginx -t not have flagged that there was no default ssl_certificate(_key) directives defined? Why was the first server affected?

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

Multiple server definitions with SSL

Ben Lancaster July 26, 2011 12:46PM

Re: Multiple server definitions with SSL

Maxim Dounin July 26, 2011 02:14PM

Re: Multiple server definitions with SSL

Igor Sysoev July 28, 2011 02:56AM

Re: Multiple server definitions with SSL

Maxim Dounin July 28, 2011 05:38AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 147
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 500 on July 15, 2024
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready