Maxim Dounin
February 14, 2016 09:18PM
Hello!

On Sun, Feb 14, 2016 at 01:46:48PM -0800, Robert Paprocki wrote:

> > On Feb 14, 2016, at 12:58, Maxim Dounin <mdounin@mdounin.ru> wrote:
> >
> > Hello!
> >
> >> On Sun, Feb 14, 2016 at 08:14:20PM +0100, Lucas Rolff wrote:
> >>
> >> I'm having a rather odd behavior - I use nginx as a reverse proxy (basically
> >> as a CDN) - where if the file isn't in cache, I do use proxy_pass to the
> >> origin server, to get the file and then cache it.
> >>
> >> This works perfectly in most cases, but if the origin is running Apache and
> >> happens to use the Apache Directive "SSLStrictSNIVHostCheck" where it's set
> >> to On.
> >
> > http://nginx.org/r/proxy_ssl_server_name
>
> Out of curiosity, is there a philosophical/design reason this
> option is not enabled by default?

There was no support for client-side SNI till nginx 1.7.0, and
when introduced it was set off by default to avoid breaking
existing configurations.

Additionally, client-side SNI discloses information about the domain
name used to connect to (which is bad from a security point of
view), and hardly makes sense without peer certificate verification
(http://nginx.org/r/proxy_ssl_verify), which is also off by
default and can't be enabled without a list of trusted
certificates.

--
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
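An added configuration example, not part of the original messages: the two directives named in the reply above (proxy_ssl_server_name and proxy_ssl_verify), shown as the default upstream TLS behaviour beside a version that sends SNI and verifies the origin certificate. The hostnames, cache zone, location names and CA bundle path are assumptions.

```nginx
# Belongs inside the http {} block. All names and paths are placeholders.
proxy_cache_path /var/cache/nginx/cdn keys_zone=cdn_cache:10m;

server {
    listen 80;
    server_name cdn.example.com;

    # Defaults: no SNI is sent and the origin certificate is not checked.
    # An origin with SSLStrictSNIVHostCheck On refuses this handshake,
    # and any certificate presented by the peer would be accepted.
    location /defaults/ {
        proxy_pass https://origin.example.com;
        # proxy_ssl_server_name off;   # default
        # proxy_ssl_verify      off;   # default
    }

    # SNI enabled together with peer verification.
    location / {
        proxy_cache cdn_cache;
        proxy_pass https://origin.example.com;
        proxy_set_header Host origin.example.com;

        # Send the server name in the TLS ClientHello (nginx 1.7.0+).
        proxy_ssl_server_name on;
        # Name used for SNI and for certificate matching; defaults to
        # the host part of proxy_pass, set explicitly here for clarity.
        proxy_ssl_name origin.example.com;

        # Verify the origin certificate against a trusted CA list.
        # Verification cannot work without proxy_ssl_trusted_certificate.
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    }
}
```

After a reload, a request through the second location fails with a 502 and an upstream SSL verification error in the error log if the origin certificate does not chain to the trusted list or does not match proxy_ssl_name.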
Subject Author Posted

proxy_pass not seen as SNI-client according to Apache directive

Lucas Rolff February 14, 2016 02:16PM

Re: proxy_pass not seen as SNI-client according to Apache directive

Maxim Dounin February 14, 2016 04:00PM

Re: proxy_pass not seen as SNI-client according to Apache directive

Robert Paprocki February 14, 2016 04:48PM

Re: proxy_pass not seen as SNI-client according to Apache directive

Lucas Rolff February 14, 2016 04:54PM

Re: proxy_pass not seen as SNI-client according to Apache directive

Maxim Dounin February 14, 2016 09:18PM


