Welcome! Log In Create A New Profile

Advanced

Re: Multiple SSL listen statements and SNI

Dave Hayes
November 11, 2016 12:46PM
On 11/11/2016 00:02, Igor Sysoev wrote:
> Please read this:
> http://nginx.org/en/docs/http/request_processing.html#mixed_name_ip_based_servers

Thanks very much for your reply. I have read this before, but maybe I
missed something. In reading it again like you asked, I see this paragraph:

"In this configuration, nginx first tests the IP address and port of the
request against the listen directives of the server blocks. It then
tests the “Host” header field of the request against the server_name
entries of the server blocks that matched the IP address and port."

So in my previous configuration, if I send an SSL request to 127.0.0.81
with curl properly set up so it does SNI, e.g.

curl -vk --resolve thing.com:443:127.0.0.81 https://thing.com/

I would expect it to first test the IP address and port of the request:

127.0.0.81:443

Given that I do not get to the "server 4" block, this appears to imply
that 127.0.0.81:443 will not be matched by

listen 443 ssl;

or

listen *:443 ssl;

SNI does not look at the Host: header, so I wasn't considering it useful
in this analysis. Is this wrong?

Your suggestion (which does work) seems to confirm that

listen *:443 ssl;

will not bind to all IP addresses.

> This configuration does what you want:
>
> server {
> # server 4
> listen 443 ssl;
> listen 127.0.0.81:443 ssl;
> server_name "thing.com";
> ...
> }

Naturally I've IP aliased the 127.0.0.81 (for testing). Perhaps the
usage of IP aliases prevents "*" from having the meaning of "attach this
server block to every IP you find"? Am I confused here?

Thanks in advance for any insight provided.
--
Dave Hayes - Consultant - Altadena CA, USA - dave@jetcafe.org
>>>> *The opinions expressed above are entirely my own* <<<<

"Luke, you'll find many of the truths we cling to depend
greatly upon our point of view." - Obi-Wan Kenobi

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

Multiple SSL listen statements and SNI

Dave Hayes November 10, 2016 09:32PM

Re: Multiple SSL listen statements and SNI

Igor Sysoev November 11, 2016 03:04AM

Re: Multiple SSL listen statements and SNI

Dave Hayes November 11, 2016 12:46PM

Re: Multiple SSL listen statements and SNI

Igor Sysoev November 11, 2016 01:50PM

Re: Multiple SSL listen statements and SNI

Dave Hayes November 11, 2016 02:14PM

Re: Multiple SSL listen statements and SNI

Igor Sysoev November 11, 2016 02:30PM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 309
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready