On Sun, Jan 11, 2009 at 6:29 AM, James Riley <lis...@ruby-forum.com> wrote:
> * For the domains on port 443, why are they following the first server
> block that is listening to that port, ignoring the fact that the domain
> is not listed in 'server_name'?
I had the same issue; although I thought it was due to maybe the load
balancing in front of my server. I thought name-based SSL was usable
by now, and I thought I had my cert wrong :)
When looking at the nginx debug log, it seems to negotiate the SSL
conversation first, and then it gets the Host: header after. So it
made sense. However, to get the SSL conversation properly processed it
has to be the right SSL cert; typically SSL requires one IP per cert,
but I believe you can do name-based SSL now. However I don't think
it's supported enough...
"Server Name Indication (SNI), as described in section 3.1 of the
RFC3546, is a TLS extension which makes the configuration of
SSL-enabled name-based virtual hosts possible." [1]
It does appear that the SSL gods have wisened up - no more wasting
IPs, hopefully, and with a new protocol/extensions to existing ones it
may be possible. I haven't found out yet browser compatibility/etc,
and then of course I don't think nginx supports it yet. However, if it
does have wide compatibility, this would definitely be something to
request for nginx (I could use it right now!)
[1] for example,
http://www.g-loaded.eu/2007/08/10/ssl-enabled-name-based-apache-virtual-hosts-with-mod_gnutls/