Re: SSL server_name support, single server block plain/SSL, et al in 0.8.x ?

July 13, 2009 04:07AM
On Mon, Jul 13, 2009 at 12:17:02AM -0700, merlin corey wrote:

> Hello,
>
> I had a long chat with a user in the IRC channel about SSL in nginx.
> Initially, it started out talking about hosting multiple domains with
> SSL on the same address. They pointed me to
> http://tools.ietf.org/html/rfc4366#section-3.1 which seems fairly
> straightforward and I am curious if there is interest in this or if
> Igor plans to implement it at some point in future anyway.

nginx supports SNI since 0.5.23. You just need OpenSSL built with
SNI support. The main issue, however, is browsers: MSIE 6 and Windows XP
do not support SNI, and MSIE 6 is still in use:
http://weblogs.mozillazine.org/asa/archives/2009/07/internet_explorer_6.html

> Also, through talking with him, he showed me his idea for how the SSL
> support should work. It went more or less like this:
>
> ssl_certificate /etc/ssl/custom/supercatchall.crt;
> ssl_certificate_key /etc/ssl/custom/supercatchall.key;
> server {
>     listen 80;
>     listen 443;
>     if(port = 443) {
>         ssl on;
>     }
>     ... normal server config ...
> }
> ... repeated for several servers apparently on same IP ...
>
> I tried to talk him out of using if and using a separate server block
> for 443 and 80 ports for each server, and just including common
> configuration. Apparently, this does not currently work, but it seems
> it should be more or less usable, I think he was having problems with
> using default ssl in the listen line and NginX would not bind multiple
> times. At any rate, he also complained about the "roundabout
> redundancy" of the config. That got me to thinking, would something
> like the following be desirable, and how difficult to implement would
> it be?
>
> server {
>     listen 80;
>     listen 443;
>     ssl on 443;
>     ... normal server config ...
> }
>
> My gut instinct tells me this would be a lot more work than simply
> allowing multiple SSL hosts per IP address, but it does seem to have a
> nice ring to it, this late in the day.
>
> So to summarize, I am curious if 0.8.x is planned to support multiple
> SSL hosts per IP, if that feature is even desired by anyone (or maybe
> other ways to do it, in case I see this problem again!), and finally
> anyone and everyone's thoughts on the above syntax to unify config for
> SSL and non SSL (you could still use separate blocks if the
> configuration is not exactly the same for plain and SSL, of course).

Since 0.7.14 you can use:

server {
    listen 80;
    listen 443 default ssl;
    ...


--
Igor Sysoev
http://sysoev.ru/en/