Multiple SSL certificates

thomas · October 21, 2008, 5:37pm

Here is the output:

2008/10/21 17:31:53 [info] 12626#0: the configuration file
/usr/local/nginx/conf/nginx.conf syntax is ok
2008/10/21 17:31:53 [info] 12626#0: the configuration file
/usr/local/nginx/conf/nginx.conf was tested successfully

Everything looks fine.

However it could the problem of IP not being configured on the host. I
did it once, and it block my connection to the server. Hopefully, I
could ssh into the VM hypervisor and then open a console and get
access to the server to remove the IP configuration.

thomas · October 21, 2008, 5:04pm

On Tue, Oct 21, 2008 at 04:39:04PM +0200, Thomas wrote:

But when I specify an IP address in listen, it doesn’t work.

You should use

 server {
     listen  www.digiprof.fr:443;

     ssl on;
     ssl_certificate       /path/to/www.digiprof.fr.cert;
     ssl_certificate_key   /path/to/www.digiprof.fr.key;

     ...
 }

 server {
     listen  www.digiprof.eu:443;

     ssl on;
     ssl_certificate       /path/to/www.digiprof.eu.cert;
     ssl_certificate_key   /path/to/www.digiprof.eu.key;

     ...
 }

thomas · October 21, 2008, 5:44pm

I have changed my config files, http works, but now https doesn’t work
anymore, firefox can’t make the connection.

Maybe,443 port is closing.

openssl s_client -connect www.digiprof.eu:443

socket: Connection refused
connect:errno=29

openssl s_client -connect www.digiprof.fr:443

socket: Connection refused
connect:errno=29

Copy and paste all of your nginx.conf.

thomas · October 21, 2008, 5:47pm

On Tue, Oct 21, 2008 at 05:31:06PM +0200, Thomas wrote:

However it could the problem of IP not being configured on the host. I
did it once, and it block my connection to the server. Hopefully, I
could ssh into the VM hypervisor and then open a console and get
access to the server to remove the IP configuration.

It seems that IPs are configured right:

telnet www.digiprof.fr 80
Trying 91.121.77.156…
Connected to digiprof.fr.
Escape character is ‘^]’.

telnet www.digiprof.eu 80
Trying 91.121.43.156…
Connected to digiprof.eu.
Escape character is ‘^]’.

However, for some reason nginx does not listen on 443:

telnet www.digiprof.fr 443
Trying 91.121.77.156…
telnet: connect to address 91.121.77.156: Connection refused
telnet: Unable to connect to remote host

telnet www.digiprof.eu 443
Trying 91.121.43.156…
telnet: connect to address 91.121.43.156: Connection refused
telnet: Unable to connect to remote host

Could you show the listen directives in config ?

thomas · October 21, 2008, 6:07pm

Port 443 is forwarded from my hypervisor to the Nginx VM. Everything
works fine if I remove the IP in the listen. It’s a pretty basic
configuration of Nginx I guess.

nginx.conf:

/usr/local/nginx/conf/nginx.conf

user thomas;
worker_processes 1;

events {
worker_connections 1024;
}

http {
include mime.types;
default_type application/octet-stream;

set sendfile to off on OsX

sendfile on;
tcp_nopush on;
keepalive_timeout 65;

Hide Nginx version number header

server_tokens off;

log_format main '$remote_addr [$time_local] ’
'$http_host “$request” $status $body_bytes_sent
“$http_referer” ’
‘“$http_user_agent” “$http_x_forwarded_for”’;

log_format traffic ‘$http_host $body_bytes_sent’;

gzip on;
gzip_http_version 1.0;
gzip_comp_level 2;
gzip_proxied any;
gzip_types text/plain text/html text/css
application/x-javascript text/xml application/xml application/xml+rss
text/javascript;

ignore_invalid_headers on;

include /usr/local/nginx/conf/main.conf;
include /usr/local/nginx/conf/webcit.conf;
} # End of http

main.conf:

upstream main {
server 10.0.0.2:3100 weight=2;
server 10.0.0.2:3101;
}

server {
listen 80 default;
server_name _;
access_log /usr/local/nginx/logs/phishing_attemps.log main;

Let’s rewrite any mysite.com to www.mysite.com in a global catch-all

way.
if ($host !~* www.(.)) {
rewrite ^(.) http://www.$host$1 permanent;
}

return 404;
}

server {
listen 80;
server_name www.digiprof.fr;

set $limit_rate 130k;

Let’s set some vars to be DRY

#set $nginx_path /usr/local/nginx/logs;
set $rails_path /home/thomas/rails_apps;

access_log /usr/local/nginx/logs/traffic.log traffic;
access_log /usr/local/nginx/logs/access.main.log main;
error_log /usr/local/nginx/logs/error.main.log notice;

location / {
root $rails_path//public/$host;

proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;

if (-f $request_filename) {
break;
}

if (-f $request_filename/index.html) {
rewrite (.*) $1/index.html break;
}

if (-f $request_filename.html) {
rewrite (.*) $1.html break;
}

if (!-f $request_filename) {
proxy_pass http://main;
break;
}
} # End of the location /

error_page 500 502 503 504 /50x.html;
location = /50x.html {
root $rails_path/public/$host;
} # End of /50x location

} # End of server

server {
listen www.digiprof.fr:443;
server_name www.digiprof.fr;

ssl on;
ssl_certificate
/usr/local/nginx/conf/ssl_certificates/www.digiprof.fr.crt;
ssl_certificate_key /usr/local/nginx/conf/ssl_certificates/server.key;
keepalive_timeout 70; # reduce server load

set $rails_path /home/thomas/rails_apps;

location / {

Compulsory for HTTPS

proxy_set_header X_FORWARDED_PROTO https;
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;

root $rails_path/public/$host;

Compulsory for serving relatively linked images and stylesheets

if (!-f $request_filename) {
proxy_pass http://main;
break;
}
} # End of location /
} # End of server 443

webcit.conf:

upstream webcit {
server 10.0.0.4:2000;
}

server {
listen 80;
server_name www.digiprof.eu;
rewrite ^(.*) https://$host$1 permanent;
}

server {
listen www.digiprof.eu:443;
server_name www.digiprof.eu;

ssl on;
ssl_certificate
/usr/local/nginx/conf/ssl_certificates/self_signed.crt;
ssl_certificate_key /usr/local/nginx/conf/ssl_certificates/server.key;
keepalive_timeout 70; # reduce server load

location / {
proxy_set_header X_FORWARDED_PROTO https;
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;

proxy_pass http://webcit;
}
}

thomas · October 21, 2008, 11:27pm

Yup - that is most likely because inside your VM container, the real
IPs for www.digiprof.eu and www.digiprof.fr are not bound. You
mentioned before that this VM only had access to an internal nat, so
the only IP’s that could be bound were 10.0.0.0/8s. Is this correct ?

If so, you will have to port forward both IPs to SEPERATE NAT’ed IPs
in the 10.0.0.0/8 range, then configure separate VIPs inside your
virtualized OS to listen on those VIPs, then use those VIPs in place
of the real IPs in your nginx config.

Are you able to do your testing on a machine with real IP’s rather
than a virtualized container, as the configuration of your container,
not nginx, has been most of the meat of this discussion ?

Cheers

Dave

thomas · October 22, 2008, 12:45am

You know what Dave, running my application using a virtual machine
with each component running in its own VM has been a real pain in the
butt, it is still now, and it will certainly be in the future.

I’m only seeing drawbacks and no advantages.

I’m fed up for today and its getting late in my timezone. Tomorrow
I’ll install Nginx directly in the supervisor domain as it will have
direct access to the IPs ready to be bound.

Thanks for your assistance.

thomas · October 21, 2008, 6:35pm

Hi Igor,

I have now reverted back to the working config. So now if you go to
https://www.digiprof.fr/login in your browser, you will see the signup
page and:

telnet www.digiprof.fr 443
openssl s_client -connect www.digiprof.fr:443

thomas · October 22, 2008, 2:17pm

Yeah! I finally managed to configure Nginx to handle multiple SSL
certificates. It is exactly as Dave said, I had to forward the IPs to
my nginx VM, and it was not related to Nginx.

Thank you very much for your assistance.