I have an nginx and different subdomains:
a.mydomain.com
b.mydomain.com
c.mydomain.com
Nginx has 4 rules:
1) rewrite rule:
server {
    listen 80;
    server_name gl.udesk.org;
    root /nowhere;
    rewrite ^ https://a.mydomain.com$request_uri permanent;
}
2) https rule:
server {
    listen 443;
    server_name a.mydomain.com;
    root /home/a/a/public;
    ssl on;
    ssl_certificate conf.d/ssl/a.crt;
    ssl_certificate_key conf.d/ssl/a.key;
    ssl_protocols ...
    ssl_ciphers ...
    ssl_prefer_server_ciphers on;
    location ...
}
3) http default rule:
server {
    listen 80 default_server;
    return 444;
}
4) https default rule:
server {
    listen 443 default_server;
    return 444;
}
So if I start nginx and:
- if I go in the browser to http://a.mydomain.com it redirects to https://a.mydomain.com and then it returns an Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.
- if I go in the browser to https://b.mydomain.com I expect that it returns Error 444 back. But instead it returns the same Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.
- and so on for all CNAMEs registered with the DNS provider (i.e. a, b, c)
- all the http versions (e.g. rule 3) are working as expected:
- http://a.mydomain.com redirects to the https:// version,
- http://b.mydomain.com and http://c.mydomain.com return an Error 444 back as configured.
So why are the https rules in nginx so tricky to configure, and how should I configure them properly to get the same behavior as with the http version?
Update:
Creating a new certificate and adding:
    ssl on;
    ssl_certificate conf.d/ssl/default.crt;
    ssl_certificate_key conf.d/ssl/default.key;
works now, but I would prefer a solution that does not need any SSL certificate. Just reset all connections for all https (port 443) subdomains except https://a.mydomain.com without providing a certificate.
You can't. SSL requires a certificate before the web server knows what domain you want. It has to have a certificate to send, or it can't establish the connection to talk to the client. – Darth Android – 2013-06-27T03:17:24.657
@DarthAndroid: The magic is called SNI - http://en.wikipedia.org/wiki/Server_Name_Indication. – Shi – 2013-07-23T23:51:29.920
@Shi I'm aware of SNI - That allows the webserver to pick which certificate to send, but it still must pick a certificate. nginx isn't smart enough to realize that it doesn't need a certificate for what the user wants to do. – Darth Android – 2013-07-24T14:35:40.670
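The behaviour in the question comes from how nginx picks a server block on port 443: the default_server for that port answers the TLS ClientHello before any SNI name has been matched, so if that block does not speak TLS (no `ssl` on its `listen`, no certificate), every HTTPS client, including the one asking for a.mydomain.com, receives a plain-TCP close or garbage and reports ERR_SSL_PROTOCOL_ERROR. A 444 can only ever be returned after the handshake, since it is an HTTP-level action. The configuration below is an added example written for this page, not the poster's config; it assumes nginx 1.19.4 or newer (where `ssl_reject_handshake` exists), and the certificate paths are placeholders. It goes beyond the 2013 comments above, which predate that directive.

```nginx
# Added example (not the original poster's config): catch-all blocks for
# ports 80 and 443 next to the one real vhost.
# Assumes nginx >= 1.19.4 for ssl_reject_handshake; certificate paths are
# placeholders.

# 1) plain-HTTP catch-all: close the connection for any hostname we do not serve
server {
    listen 80 default_server;
    return 444;
}

# 2) redirect the one public hostname to HTTPS
server {
    listen 80;
    server_name a.mydomain.com;
    return 301 https://a.mydomain.com$request_uri;
}

# 3) HTTPS catch-all. This block receives the ClientHello before SNI is
#    matched, so it must be a TLS listener. ssl_reject_handshake makes nginx
#    abort the handshake with an "unrecognized_name" TLS alert instead of
#    presenting a certificate, so no default certificate is needed.
server {
    listen 443 ssl default_server;
    ssl_reject_handshake on;
}

# 4) the real HTTPS vhost. "listen ... ssl" replaces the deprecated "ssl on;".
server {
    listen 443 ssl;
    server_name a.mydomain.com;
    root /home/a/a/public;

    ssl_certificate     /etc/nginx/ssl/a.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/ssl/a.key;   # placeholder path
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Two caveats. First, a browser sent to https://b.mydomain.com with this config will not see a "444" but a TLS alert (Chrome shows ERR_SSL_UNRECOGNIZED_NAME_ALERT); that is the closest the protocol allows to "reset without a certificate". Second, clients that send no SNI at all (very old clients, or a raw `openssl s_client` without `-servername`) also land in the catch-all and are rejected, which is usually the intended behaviour. On an nginx older than 1.19.4 the only option is the one the question's update used: give the default_server a certificate (any self-signed one will do) so that the handshake completes and `return 444` can fire. To check the setup, `openssl s_client -connect a.mydomain.com:443 -servername b.mydomain.com` should fail with an unrecognized_name alert, while the same command with `-servername a.mydomain.com` should complete and show a.crt.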