Re: ssl, (no) default and sni

Maxim Dounin
December 02, 2009 06:08AM
Hello!

On Wed, Dec 02, 2009 at 01:41:51PM +0300, Igor Sysoev wrote:

> On Wed, Dec 02, 2009 at 01:33:00PM +0300, Maxim Dounin wrote:
>
> > Hello!
> >
> > On Wed, Dec 02, 2009 at 01:15:11PM +0300, Igor Sysoev wrote:
> >
> > > On Wed, Dec 02, 2009 at 04:20:14AM -0500, GerMalaz wrote:
> > >
> > > > Any chance to allow
> > > >
> > > > listen 443 ssl;
> > > >
> > > > this is, NO "default", if SNI is available?
> > >
> > > I do not understand what you want to reach, but since 0.8.21 nginx
> > > allows to set listen socket options and features not in default server:
> > >
> > > server {
> > >     listen 443 ssl;
> > >     server_name name;
> > > }
> > >
> > > server {
> > >     listen 443 default_server;
> > >     server_name _;
> > > }
> >
> > BTW, the problem with listen ... ssl that bugs me is that one
> > can't do something like this:
> >
> > server {
> >     listen 8443 ssl;
> >     server_name x;
> > }
> > server {
> >     listen 8443 ssl;
> >     server_name y;
> > }
> >
> > We use distinct ips in production, but on testing server there is
> > only 1 ip available and our configuration flattens to something
> > like the above. So we have to use separate ssl servers and
> > activate ssl via ssl on; instead.
>
> You may use
>
> server {
>     listen 8443 ssl;
>     server_name x;
> }
> server {
>     listen 8443;
>     server_name y;
> }
>
> Think of the "ssl" flag as a socket option (although it's not), because
> you can not do non-SSL request on SSL enabled port.

Yes, I understand. The problem is that config is generated from
template like this:

server {
    listen %ip1%:8443 ssl;
    server_name x;
}
server {
    listen %ip2%:8443 ssl;
    server_name y;
}

It works for ip1 != ip2 case, but fails when ip1 == ip2. Using
instead

server {
    listen %ip1%:8443;
    server_name x;
    ssl on;
}
server {
    listen %ip2%:8443;
    server_name y;
    ssl on;
}

works ok in both cases (ip1 == ip2, ip1 != ip2).

I'm not sure we want to fix it, but probably only checking for
conflicts is a good idea.

Maxim Dounin

_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx
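
The conflict check suggested at the end of the message, sketched as a pre-deployment lint for template-generated configs. This is an added example, not code from the thread or from nginx; the helper names and the 192.0.2.x addresses are constructed, and it assumes flat `server` blocks with no nested braces.

```python
import re
from collections import defaultdict

# Constructed sample: the template quoted in the message above.
TEMPLATE = """
server {
    listen %ip1%:8443 ssl;
    server_name x;
}
server {
    listen %ip2%:8443 ssl;
    server_name y;
}
"""

SERVER_RE = re.compile(r"\bserver\s*\{(.*?)\}", re.S)
LISTEN_RE = re.compile(r"^\s*listen\s+([^\s;]+)([^;]*);", re.M)
NAME_RE = re.compile(r"^\s*server_name\s+([^\s;]+)", re.M)

def expand(template, values):
    """Substitute %key% placeholders (hypothetical helper)."""
    return re.sub(r"%(\w+)%", lambda m: values[m.group(1)], template)

def ssl_listen_conflicts(config):
    """Map each listen address to the server names that put the ssl flag
    on it, keeping only addresses flagged by more than one server block
    (the ip1 == ip2 case the message reports as failing)."""
    seen = defaultdict(list)
    for body in SERVER_RE.findall(config):
        name_match = NAME_RE.search(body)
        name = name_match.group(1) if name_match else "?"
        for addr, flags in LISTEN_RE.findall(body):
            if "ssl" in flags.split():
                seen[addr].append(name)
    return {addr: names for addr, names in seen.items() if len(names) > 1}

if __name__ == "__main__":
    same = expand(TEMPLATE, {"ip1": "192.0.2.10", "ip2": "192.0.2.10"})
    for addr, names in ssl_listen_conflicts(same).items():
        print(f"conflict: 'listen {addr} ssl' set in servers {names}")
```
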