Host header and SSL

Kamil Gorlo
February 16, 2012 06:20PM
Hi,

In my setup Nginx is a load balancer for many different services; some
of them use SSL (so Nginx is also the SSL terminator in this case).
I have many different IPs, and for every IP there happens to be more than
one domain (of course only in the non-SSL situation).

So I am using virtual hosts heavily with http, and since my backends
rely on the Host header from the user (it has to be correct) I have a catch-all
section for non-matching server_names. Something like this:

.... (many different server sections with different server_names) ...

server {
    listen IP1:80 default_server;
    listen IP2:80 default_server;
    server_name _;
    return 444;    # 444: nginx closes the connection without sending a response
}

But this technique simply does not work for SSL. As far as I understand,
there are two techniques to cope with my problem (to prevent
https requests with a non-matching Host header from being served):

1. using if

server {
    listen IP3:443 ssl default_server;
    server_name some_host.com;

    ssl_certificate...

    if ($host != "some_host.com") {
        return 444;
    }

    location / {
        ...
        proxy_set_header Host $host; # safe
    }
}

2. using catch-all but slightly more complicated and weird:

server {
    listen IP3:443 ssl;
    server_name some_host.com;

    # no ssl_certificate section - it is in the catch-all block

    location / {
        ...
        proxy_set_header Host $host; # safe because of catch-all below
    }
}

server {
    listen IP3:443 ssl default_server;
    server_name _;

    ssl_certificate...

    return 444;
}

What do you think? Are both solutions equivalent? Which one is
preferred (more efficient, elegant)? Will it work?

Thanks for your help!

--
Kamil
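
An added example, not part of the original post and not nginx's own code: a small Python check that reads server blocks and reports, for each listen socket, whether the server nginx would pick as default rejects a request whose Host matches no server_name. It recognises both patterns from the post; the sample config, its addresses and the function names are constructed, and it assumes server blocks at the top level of the file and the literal `if ($host != "name")` form.

```python
import re
# Constructed sample (documentation IPs, ssl_certificate lines left out):
# .3 uses the catch-all default, .4 the "if" guard, .5 has neither.
SAMPLE = """
server { listen 192.0.2.3:443 ssl; server_name some_host.com; location / { } }
server { listen 192.0.2.3:443 ssl default_server; server_name _; return 444; }
server { listen 192.0.2.4:443 ssl default_server; server_name some_host.com;
         if ($host != "some_host.com") { return 444; } location / { } }
server { listen 192.0.2.5:443 ssl; server_name other_host.com; location / { } }
"""

def server_blocks(conf):
    """Yield each top-level server block as a list of its server-level directives."""
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", conf))
    depth, words, current, cond = 0, [], None, None
    for tok in tokens:
        if tok == "{":
            depth += 1
            if depth == 1:
                current = [] if words == ["server"] else None
            elif depth == 2 and words[:1] == ["if"]:
                cond = words[1:]                       # remember the if condition
        elif tok == "}":
            depth -= 1
            cond = None if depth < 2 else cond
            if depth == 0 and current is not None:
                yield current
        elif tok == ";" and current is not None and words:
            if depth == 1:
                current.append(words)
            elif depth == 2 and cond and words[0] == "return":
                current.append(["if"] + cond + words)  # a return inside an if
        words = [] if tok in "{};" else words + [tok]

def audit(conf):
    """Per listen socket: does its default server reject an unmatched Host?"""
    default, result = {}, {}
    for block in server_blocks(conf):
        for d in block:
            # the first server on a socket is its default unless default_server is set
            if d[0] == "listen" and (d[1] not in default or "default_server" in d):
                default[d[1]] = block
    for sock, block in default.items():
        names = [n for d in block if d[0] == "server_name" for n in d[1:]]
        ok = any(d[-2] == "return" and d[-1].startswith("4") and (d[0] == "return"
                 or (d[1:3] == ["($host", "!="] and d[3].strip('")') in names))
                 for d in block if len(d) > 1)
        result[sock] = "rejects" if ok else "serves"
    return result
```

A socket reported as "serves" is one where a request with an arbitrary Host header reaches a location block and would be proxied with `$host` unchanged.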
