Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to configure NGINX SSL (SNI)

Tags:

nginx

ssl

I have this NGINX configuration as follows:

  # jelastic is a wildcard certificate for *.shared-hosting.xyz
  server {
      listen 443;
      server_name _;
  
      ssl on;
      ssl_certificate /var/lib/jelastic/SSL/jelastic.chain;
      ssl_certificate_key /var/lib/jelastic/SSL/jelastic.key;
  }
  
  # fullchain2 is a certificate for custom domain
  server {
      listen 443 ssl;
      server_name my-custom-domain-demo.xyz www.my-custom-domain-demo.com;
      ssl_certificate /var/lib/nginx/ssl/my-custom-domain-demo.xyz/fullchain2.pem;
      ssl_certificate_key /var/lib/nginx/ssl/my-custom-domain-demo.xyz/privkey2.pem;
  }
  # additional configuration for other custom domains follows

The NGINX server receives requests with host having a pattern like of *.shared-hosting.xyz, e.g. website1.shared-hosting.xyz, website2.shared-hosting.xyz and also with variable hosts having different domains like my-custom-domain-demo.xyz or another-custom-domain-demo.xyz etc.

Now the problem is the lower server NGINX configuration overrides the upper configuration. Having it, the upper does not work anymore, and accessing *.shared-hosting.xyz returns certificate error, and browser is telling the certificate is for my-custom-domain-demo.xyz only.

What can be done with this such that the lower NGINX config triggers for *.shared-hosting.xyz domains and every other additional server configuration will not trigger when host is in the pattern of *.shared-hosting.xyz?

like image 510
quarks Avatar asked Apr 08 '17 04:04

quarks

1 Answers

The server_name _; is irrelevant (and is not required in modern versions of nginx). If a server with a matching listen and server_name cannot be found, nginx will use the default server.

In the absence of a default_server suffix to the listen directive, nginx will use the first server block with a matching listen.

If your configurations are spread across multiple files, there evaluation order will be ambiguous, so you need to mark the default server explicitly.

Try this for the jelastic server block:

server {
    listen 443 ssl default_server;

    ssl_certificate /var/lib/jelastic/SSL/jelastic.chain;
    ssl_certificate_key /var/lib/jelastic/SSL/jelastic.key;
    ...
}

See this document for more.

like image 63
Richard Smith Avatar answered Oct 31 '22 12:10

Richard Smith
Sign in to Comment

Related questions

Curl is not sending client certificate
What are the steps to setup SSL to work with WCF on Azure?
Is basic auth with SSL secure enough?
NSStream SSL on used socket
How to do mutual certificate authentication with httplib2
How support multiple TrustStores in java SSL client application
2-way SSL with CherryPy
java keystore and password settings
self signed certificate in windows server
Adding a foreign server's self-signed certificate to the trusted certificates of my Tomcat
How to fix SSL - No available certificate
KeyStore error on java server: BKS not found
How to specify the key password using javax.net.ssl?
cURL as proxy, deal with HTTPS/CONNECT method
Node.js Multiple SSL Certificates
Is AWS, specifically the load balancer service affected by SSL "Heart Bleed" exploit? [closed]
How to use the SSL with multi entity on android
How come Apache HttpClient 4.4 rejects www.googleapis.com as a valid host name?
Websocket SSL connection
What are the steps to implement HTTPS with Google Cloud Containers?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!