Welcome! Log In Create A New Profile

Re: Multiple SSL listen statements and SNI

Forum List Message List New Topic Print View

Igor Sysoev

November 11, 2016 01:50PM

Admin
Registered: 15 years ago
Posts: 4,579

On 11 Nov 2016, at 20:29, Dave Hayes <dave@jetcafe.org> wrote:

> On 11/11/2016 00:02, Igor Sysoev wrote:
>> Please read this:
>> http://nginx.org/en/docs/http/request_processing.html#mixed_name_ip_based_servers
>
> Thanks very much for your reply. I have read this before, but maybe I missed something. In reading it again like you asked, I see this paragraph:
>
> "In this configuration, nginx first tests the IP address and port of the request against the listen directives of the server blocks. It then tests the “Host” header field of the request against the server_name entries of the server blocks that matched the IP address and port."
>
> So in my previous configuration, if I send an SSL request to 127.0.0.81 with curl properly set up so it does SNI, e.g.
>
> curl -vk --resolve thing.com:443:127.0.0.81 https://thing.com/
>
> I would expect it to first test the IP address and port of the request:
>
> 127.0.0.81:443
>
> Given that I do not get to the "server 4" block, this appears to imply that 127.0.0.81:443 will not be matched by
>
> listen 443 ssl;
>
> or
>
> listen *:443 ssl;

Yes, *:443 matches all addresses except explicitly specified in listen directives with the same port 443.
Consider it as fallback. On FreeBSD you can use “bind” parameter:

listen *:443;
listen 127.0.0.81:443 bind;

And there will be two separate sockets: *:443 and 127.0.0.81:443.
You can not use “bind” on Linux however if one of listen addresses is 0..0.0.0 (wildcard, *).

So this configuration without “bind”:

listen *:443;
listen 127.0.0.81:443;

emulates this two separate sockets behaviour in one 0.0.0.0:443 socket.

> SNI does not look at the Host: header, so I wasn't considering it useful in this analysis. Is this wrong?

SNI is used to find server with appropriate server_name.

--
Igor Sysoev
http://nginx.com

> Your suggestion (which does work) seems to confirm that
>
> listen *:443 ssl;
>
> will not bind to all IP addresses.
>
>> This configuration does what you want:
>>
>> server {
>> # server 4
>> listen 443 ssl;
>> listen 127.0.0.81:443 ssl;
>> server_name "thing.com";
>> ...
>> }
>
> Naturally I've IP aliased the 127.0.0.81 (for testing). Perhaps the usage of IP aliases prevents "*" from having the meaning of "attach this server block to every IP you find"? Am I confused here?
>
> Thanks in advance for any insight provided.
> --
> Dave Hayes - Consultant - Altadena CA, USA - dave@jetcafe.org
> >>>> *The opinions expressed above are entirely my own* <<<<
>
> "Luke, you'll find many of the truths we cling to depend
> greatly upon our point of view." - Obi-Wan Kenobi
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

Reply Quote

RSS

Subject	Author	Posted
Multiple SSL listen statements and SNI	Dave Hayes	November 10, 2016 09:32PM
Re: Multiple SSL listen statements and SNI	Igor Sysoev	November 11, 2016 03:04AM
Re: Multiple SSL listen statements and SNI	Dave Hayes	November 11, 2016 12:46PM
Re: Multiple SSL listen statements and SNI	Igor Sysoev	November 11, 2016 01:50PM
Re: Multiple SSL listen statements and SNI	Dave Hayes	November 11, 2016 02:14PM
Re: Multiple SSL listen statements and SNI	Igor Sysoev	November 11, 2016 02:30PM

Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 179

Record Number of Users: 8 on April 13, 2023

Record Number of Guests: 421 on December 02, 2018