Welcome! Log In Create A New Profile

Re: AW: SNI and certs.

Forum List Message List New Topic Print View

Richard Stanway

November 29, 2016 02:32PM

There's no "nice" way to handle this in nginx as far as I'm aware. I think
the best setup is a default vhost with a generic (server hostname?)
certificate, and for any bots or clients that ignore the common name
mismatch you can return the 421 Misdirected Request code.

https://httpstatuses.com/421

On Tue, Nov 29, 2016 at 9:28 AM, Lukas Tribus <luky-37@hotmail.com> wrote:

> > > Any real life experience and evidence backing this?
> > yes
>
> Care to elaborate?
>
>
>
> > Not sure why you're doubting me here Lukas. Yes, this is a problem. No
> > I'm not making it up.
>
> We know that crawlers like Googlebot try HTTPS as well, even if there is no
> https link towards the website. That is well known information and publicly
> documented.
>
> What I don't see is why and how that would be a problem, even when HTTPS
> is not properly setup for that particular domain.
>
> Does it cause warnings in the webmaster tools? Who cares?
> Does it affect your ranking? I doubt it.
> Does it index pages or error pages from the default website and assign to
> your website? I doubt that even more.
>
>
>
> > As such, an incorrect or missing cert will fail, and a missing
> > https server block will be handled by the default one ( or the one
> > alphabetically first if not set ).
>
> So serving a 403 or returning 444 from the default block should be fine.
>
>
>
> > it didn't occur to me that search engines would be attempting
> > to force https.
>
> Just because they attempt to use HTTPS doesn't mean the fail to handle
> the case where HTTPS is not properly setup for this particular website.
>
>
>
> The way to properly deal with this would be to abort the TLS handshake.
> Haproxy can do this with the strict-sni directive, but nginx does not
> support
> that.
>
>
>
> Lukas
>
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

Reply Quote

RSS

Subject	Author	Posted
SNI and certs.	GreenGecko	November 28, 2016 02:40PM
AW: SNI and certs.	Lukas Tribus	November 28, 2016 03:56PM
Re: SNI and certs.	jeffdyke	November 28, 2016 04:10PM
Re: SNI and certs.	Jonathan Vanasco	November 30, 2016 02:32PM
Re: SNI and certs.	GreenGecko	November 30, 2016 05:12PM
Re: SNI and certs.	Jonathan Vanasco	December 01, 2016 04:34PM
RE: SNI and certs.	Reinis Rozitis	December 04, 2016 11:04AM
Re: SNI and certs.	Jonathan Vanasco	December 04, 2016 04:14PM
Re: AW: SNI and certs.	GreenGecko	November 28, 2016 07:48PM
AW: AW: SNI and certs.	Lukas Tribus	November 29, 2016 03:30AM
Re: AW: SNI and certs.	Richard Stanway	November 29, 2016 02:32PM
Re: AW: AW: SNI and certs.	GreenGecko	November 29, 2016 02:40PM
AW: AW: AW: SNI and certs.	Lukas Tribus	November 29, 2016 03:18PM
Re: AW: AW: AW: SNI and certs.	GreenGecko	November 29, 2016 04:28PM
AW: AW: AW: AW: SNI and certs.	Lukas Tribus	November 29, 2016 05:28PM
Re: AW: AW: AW: AW: SNI and certs.	itpp2012	November 30, 2016 01:39PM

Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 298

Record Number of Users: 8 on April 13, 2023

Record Number of Guests: 421 on December 02, 2018