On Mon, Nov 16, 2015 at 04:51:29PM +0300, Maxim Dounin wrote:
> On Sun, Nov 15, 2015 at 12:51:56PM +0000, Francis Daly wrote:
> > On Fri, Nov 13, 2015 at 03:37:28PM +0100, Joó Ádám wrote:

Hi there,

> > > I would like to terminate TLS connections arriving at the default
> > > server, only serving requests with the correct host header, relying on
> > > SNI.
>
> > If you have one ssl server that you care about, and you do not know that
> > everything involved works fully with SNI, the "simple" (but inelegant)
> > approach might be to just have a single server{} block with ssl on for
> > this ip:port, and use
> >
> >   if ($host != "example.com") { return 444; }
> >
> > there.
>
> There is no need to do this. With nginx, server{} blocks
> are selected twice: by SNI, and then by HTTP Host header. This
> allows to happily use server{} blocks even when not using SNI.

Thanks for the correction. I guess I should get more practice with secure
web sites :-)

My thinking was: if the client did not do SNI, then it would get the
certificate from the default server{}, and would choose not to continue
the connection as that certificate probably would not include the
preferred server name.

But the initial requirement assumed that only SNI clients matter; and I
guess that the default certificate could easily include the "real" server
name anyway, to avoid that edge case.

So I was wrong on that thinking too.

Cheers,

	f
-- 
Francis Daly        fran...@daoine.org

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
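The two-stage selection Maxim describes, written out as an added configuration example (not from the thread or the nginx project): a catch-all default server that drops anything not addressed to example.com, beside the real server block. Certificate and key paths, and the document root, are placeholders.

```nginx
# Added example, not from the thread. One ip:port, two TLS server{} blocks.
# nginx chooses the block first by SNI name for the handshake, then again by
# the HTTP Host header for the request. A client with no SNI (or a bogus
# one) handshakes against the default server's certificate; if its Host
# header is still "example.com" the request is routed to the real block,
# otherwise it hits the default server and is dropped.
server {
    listen 443 ssl default_server;
    server_name _;

    # A default certificate that also covers example.com avoids the edge case
    # where a non-SNI client aborts the handshake on a mismatching cert.
    ssl_certificate     /etc/nginx/certs/default.pem;      # placeholder path
    ssl_certificate_key /etc/nginx/certs/default.key;      # placeholder path

    # 444 closes the connection without sending any response.
    return 444;
}

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/nginx/certs/example.com.pem;  # placeholder path
    ssl_certificate_key /etc/nginx/certs/example.com.key;  # placeholder path

    location / {
        root /var/www/example.com;                          # placeholder path
    }
}
```

With this layout no `if ($host ...)` check is needed: a request whose Host header matches no server_name never reaches the example.com block.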