Re: Host header and SSL

Kamil Gorlo
February 17, 2012 02:16AM
On Fri, Feb 17, 2012 at 1:06 AM, Edho Arief <edho@myconan.net> wrote:
> On Fri, Feb 17, 2012 at 6:18 AM, Kamil Gorlo <kgs4242@gmail.com> wrote:
>>
>> server {
>>  listen IP1:80 default_server;
>>  listen IP2:80 default_server;
>>  server_name _;
>>  return 444;
>> }
>>
>> But this technique simply does not work for SSL. As far as I understand,
>> there are two techniques to cope with my problem (to prevent
>> an https request with a non-matching Host header from being served):
>>
>
> It should work (at least passes `nginx -t` in my test).

You mean solution no. 1 (the one with if in the server block, which you -
maybe accidentally - cut off)?

>>
>> 2. using catch-all but slightly more complicated and weird:
>>
>> server {
>>  listen IP3:443 ssl;
>>  server_name some_host.com;
>>
>>  # no ssl_certificate section - it is in the catch-all block
>>
>>  location / {
>>    ...
>>    proxy_set_header Host $host; # safe because of catch-all below
>>  }
>> }
>>
>> server {
>>  listen IP3:443 ssl default_server;
>>  server_name _;
>>
>>  ssl_certificate...
>>
>>  return 444;
>> }
>>
>
> Nothing weird or complicated in this one. It's the preferred method
> but you need to specify ssl_certificate parameters in each server
> block. I'm not sure how it behaves in a non-SNI environment though.

By writing 'weird' I meant that the SSL configuration is not in one place
(in the server_name with corresponding server_name) but instead in
some weird 'server_name _' block, which may be confusing for some
inexperienced Nginx config writers :P

Performance-wise - is 1 and 3 imperceptible?

> Alternatively you can force passing some_host.com as the Host header
> to your proxy:
>
> proxy_set_header Host some_host.com;
>

No, this is not exactly what I want because:
a) it does not work when I have server_name like *.some_host.com (of
course in combination with some wildcard certificate)
b) it tells backend that user came with some_host.com which is not true

Thanks for your help.

Cheers,

--
Kamil
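
Added example, not part of the original thread and not nginx's own code: a small Python check that reads an nginx configuration and reports every listen socket whose default server does not `return 444`, which is the condition under which a request with a non-matching Host header reaches a real virtual host and `$host` is forwarded to the backend. It relies on nginx treating the first server block for an address:port as the default when none is marked `default_server`; the function names, the address 192.0.2.10 and the certificate paths are assumptions made for the example.

```python
import re

def server_blocks(conf):
    """Yield the body of each `server { ... }` block, found by brace matching."""
    for m in re.finditer(r'\bserver\s*\{', conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def directives(body):
    """Server-level directives only: nested blocks (location, if) are dropped."""
    prev = None
    while prev != body:
        prev, body = body, re.sub(r'[^;{}]*\{[^{}]*\}', '', body)
    return [d.split() for d in body.split(';') if d.strip()]

def unguarded_sockets(conf):
    """Listen sockets whose default server does not answer `return 444`."""
    rejects = {}  # socket -> does its default server reject the request?
    for body in server_blocks(re.sub(r'#.*', '', conf)):
        ds = directives(body)
        closes = ['return', '444'] in ds
        for d in ds:
            # nginx uses the explicit default_server, else the first block seen
            if d[0] == 'listen' and ('default_server' in d or d[1] not in rejects):
                rejects[d[1]] = closes
    return sorted(s for s, ok in rejects.items() if not ok)

# Constructed sample configs (address and certificate paths are placeholders).
VHOST = """
server {
    listen 192.0.2.10:443 ssl;
    server_name some_host.com;
    ssl_certificate /etc/nginx/example.crt; ssl_certificate_key /etc/nginx/example.key;
    location / { proxy_set_header Host $host; proxy_pass http://127.0.0.1:8080; }
}
"""
CATCH_ALL = """
server {
    listen 192.0.2.10:443 ssl default_server;  # catch-all for unmatched Host
    server_name _;
    ssl_certificate /etc/nginx/example.crt; ssl_certificate_key /etc/nginx/example.key;
    return 444;
}
"""

if __name__ == "__main__":
    print(unguarded_sockets(VHOST), unguarded_sockets(VHOST + CATCH_ALL))
```

The check only looks at server-level directives, so a `return 444` inside a `location` or `if` block does not count as a catch-all.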
