 

How to configure NGINX SSL (SNI)

Tags:

nginx

ssl

I have this NGINX configuration as follows:

  # jelastic is a wildcard certificate for *.shared-hosting.xyz
  server {
      listen 443;
      server_name _;
  
      ssl on;
      ssl_certificate /var/lib/jelastic/SSL/jelastic.chain;
      ssl_certificate_key /var/lib/jelastic/SSL/jelastic.key;
  }
  
  # fullchain2 is a certificate for custom domain
  server {
      listen 443 ssl;
      server_name my-custom-domain-demo.xyz www.my-custom-domain-demo.com;
      ssl_certificate /var/lib/nginx/ssl/my-custom-domain-demo.xyz/fullchain2.pem;
      ssl_certificate_key /var/lib/nginx/ssl/my-custom-domain-demo.xyz/privkey2.pem;
  }
  # additional configuration for other custom domains follows

The NGINX server receives requests whose host matches the pattern *.shared-hosting.xyz, e.g. website1.shared-hosting.xyz or website2.shared-hosting.xyz, and also requests for hosts on other domains, such as my-custom-domain-demo.xyz or another-custom-domain-demo.xyz.

Now the problem is that the lower server block overrides the upper one. With it in place, the upper block no longer works: accessing *.shared-hosting.xyz returns a certificate error, and the browser reports that the certificate is for my-custom-domain-demo.xyz only.

What can be done so that the lower NGINX config triggers for *.shared-hosting.xyz domains, and every other additional server configuration does not trigger when the host matches the pattern *.shared-hosting.xyz?

quarks asked Apr 08 '17 04:04

1 Answer

The server_name _; is irrelevant (and is not required in modern versions of nginx). If a server with a matching listen and server_name cannot be found, nginx will use the default server.

In the absence of a default_server suffix to the listen directive, nginx will use the first server block with a matching listen.

If your configurations are spread across multiple files, their evaluation order will be ambiguous, so you need to mark the default server explicitly.

Try this for the jelastic server block:

server {
    listen 443 ssl default_server;

    ssl_certificate /var/lib/jelastic/SSL/jelastic.chain;
    ssl_certificate_key /var/lib/jelastic/SSL/jelastic.key;
    ...
}

See this document for more.

Richard Smith answered Oct 31 '22 12:10
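To see why the jelastic block stopped answering for *.shared-hosting.xyz names and why default_server fixes it, here is an added Python simulation of nginx's server_name selection as the answer describes it; it is not code from the question or the answer, and the Server objects, certificate labels and host names are constructed from the question's examples.

```python
"""Simulate nginx server-block selection for a TLS (SNI) host name.
Precedence follows nginx's server_name rules: exact name, longest wildcard
starting with '*', longest wildcard ending with '*', first matching regex
(names starting with '~'), then the listen socket's default server, i.e. the
block marked default_server or otherwise the first block defined."""
from dataclasses import dataclass
import re


@dataclass
class Server:
    cert: str               # constructed label for the certificate this block presents
    names: tuple            # server_name entries
    default: bool = False   # listen ... default_server


def select_server(servers, sni):
    """Return the Server nginx would pick for SNI name `sni` (and thus its cert)."""
    host = sni.lower().rstrip(".")
    # '_' is just an invalid name: it matches nothing and falls through to the default
    for s in servers:
        if host in (n.lower() for n in s.names):
            return s
    leading = [(n, s) for s in servers for n in s.names
               if n.startswith("*.") and host.endswith(n[1:])]
    if leading:                      # '*.a.b' covers x.a.b, not a.b itself
        return max(leading, key=lambda t: len(t[0]))[1]
    trailing = [(n, s) for s in servers for n in s.names
                if n.endswith(".*") and host.startswith(n[:-1])]
    if trailing:
        return max(trailing, key=lambda t: len(t[0]))[1]
    for s in servers:
        if any(n.startswith("~") and re.search(n[1:], host) for n in s.names):
            return s
    # Nothing matched: the default server answers, and its certificate is sent.
    return next((s for s in servers if s.default), servers[0])


# The two blocks from the question (certificate labels are constructed).
JELASTIC = Server("wildcard *.shared-hosting.xyz", ("_",))
CUSTOM = Server("my-custom-domain-demo.xyz",
                ("my-custom-domain-demo.xyz", "www.my-custom-domain-demo.com"))
JELASTIC_DEFAULT = Server(JELASTIC.cert, JELASTIC.names, default=True)

if __name__ == "__main__":
    sni = "website1.shared-hosting.xyz"
    print(select_server([JELASTIC, CUSTOM], sni).cert)          # jelastic only because it is first
    print(select_server([CUSTOM, JELASTIC], sni).cert)          # reported symptom: wrong certificate
    print(select_server([CUSTOM, JELASTIC_DEFAULT], sni).cert)  # default_server: order no longer matters
```

Swapping the include order of the two blocks is enough to reproduce the reported certificate error, while the default_server variant gives the same result in either order.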