Welcome! Log In Create A New Profile

Advanced

Re: AW: SNI and certs.

Richard Stanway
November 29, 2016 02:32PM
There's no "nice" way to handle this in nginx as far as I'm aware. I think
the best setup is a default vhost with a generic (server hostname?)
certificate, and for any bots or clients that ignore the common name
mismatch you can return the 421 Misdirected Request code.

https://httpstatuses.com/421

On Tue, Nov 29, 2016 at 9:28 AM, Lukas Tribus <luky-37@hotmail.com> wrote:

> > > Any real life experience and evidence backing this?
> > yes
>
> Care to elaborate?
>
>
>
> > Not sure why you're doubting me here Lukas. Yes, this is a problem. No
> > I'm not making it up.
>
> We know that crawlers like Googlebot try HTTPS as well, even if there is no
> https link towards the website. That is well known information and publicly
> documented.
>
> What I don't see is why and how that would be a problem, even when HTTPS
> is not properly setup for that particular domain.
>
> Does it cause warnings in the webmaster tools? Who cares?
> Does it affect your ranking? I doubt it.
> Does it index pages or error pages from the default website and assign to
> your website? I doubt that even more.
>
>
>
> > As such, an incorrect or missing cert will fail, and a missing
> > https server block will be handled by the default one ( or the one
> > alphabetically first if not set ).
>
> So serving a 403 or returning 444 from the default block should be fine.
>
>
>
> > it didn't occur to me that search engines would be attempting
> > to force https.
>
> Just because they attempt to use HTTPS doesn't mean the fail to handle
> the case where HTTPS is not properly setup for this particular website.
>
>
>
> The way to properly deal with this would be to abort the TLS handshake.
> Haproxy can do this with the strict-sni directive, but nginx does not
> support
> that.
>
>
>
> Lukas
>
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

SNI and certs.

GreenGecko November 28, 2016 02:40PM

AW: SNI and certs.

Lukas Tribus November 28, 2016 03:56PM

Re: SNI and certs.

jeffdyke November 28, 2016 04:10PM

Re: SNI and certs.

Jonathan Vanasco November 30, 2016 02:32PM

Re: SNI and certs.

GreenGecko November 30, 2016 05:12PM

Re: SNI and certs.

Jonathan Vanasco December 01, 2016 04:34PM

RE: SNI and certs.

Reinis Rozitis December 04, 2016 11:04AM

Re: SNI and certs.

Jonathan Vanasco December 04, 2016 04:14PM

Re: AW: SNI and certs.

GreenGecko November 28, 2016 07:48PM

AW: AW: SNI and certs.

Lukas Tribus November 29, 2016 03:30AM

Re: AW: SNI and certs.

Richard Stanway November 29, 2016 02:32PM

Re: AW: AW: SNI and certs.

GreenGecko November 29, 2016 02:40PM

AW: AW: AW: SNI and certs.

Lukas Tribus November 29, 2016 03:18PM

Re: AW: AW: AW: SNI and certs.

GreenGecko November 29, 2016 04:28PM

AW: AW: AW: AW: SNI and certs.

Lukas Tribus November 29, 2016 05:28PM

Re: AW: AW: AW: AW: SNI and certs.

itpp2012 November 30, 2016 01:39PM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 82
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready