In my setup Nginx is a load balancer for many different services, some
of which use SSL (so Nginx is also the SSL terminator in this case).
I have many different IPs, and every IP happens to serve more than
one domain (of course only in the non-SSL situation).
So I am using virtual hosts heavily with HTTP, and since my backends
rely on the Host header from the user (it has to be correct) I have a
catch-all section for non-matching server_names. Something like this:
… (many different server sections with different server_names) …
But this technique simply does not work for SSL. As far as I
understand there are two techniques to cope with my problem (to prevent
HTTPS requests with a non-matching Host header from being served):
Using if:
    server {
        listen IP3:443 ssl default_server;
        server_name some_host.com;
It should work (at least it passes nginx -t in my test).
        …
        return 444;
    }
Nothing weird or complicated in this one. It's the preferred method,
but you need to specify the ssl_certificate parameters in each server
block. I'm not sure how it behaves in a non-SNI environment though.
Alternatively, you can force passing some_host.com as the Host header
to your proxy:
> As far as I understand there are two techniques to cope with my problem
> (to prevent HTTPS requests with a non-matching Host header from being served):
> It should work (at least it passes nginx -t in my test).
You mean solution no. 1 (the one with if in the server block, which you -
maybe accidentally - cut off)?
>         …
>         return 444;
>     }
> Nothing weird or complicated in this one. It's the preferred method,
> but you need to specify the ssl_certificate parameters in each server
> block. I'm not sure how it behaves in a non-SNI environment though.
By writing 'weird' I meant that the SSL configuration is not in one place
(in the server block with the corresponding server_name) but instead in
some weird 'server_name _' block, which may be confusing for some
inexperienced Nginx config writers.
Performance-wise - are 1 and 3 imperceptible?
> Alternatively, you can force passing some_host.com as the Host header
> to your proxy:
>     proxy_set_header Host some_host.com;
No, this is not exactly what I want, because:
a) it does not work when I have a server_name like *.some_host.com (of
course in combination with a wildcard certificate);
b) it tells the backend that the user came with some_host.com, which is not true.
Thanks for your help.
Cheers,
–
Kamil
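As an added example (not configuration posted by Kamil or by the person
answering him), here is the catch-all approach discussed in this thread
written out for one HTTPS IP, with the "if in the server block" variant
shown on a second IP for comparison. The addresses 203.0.113.10 and
203.0.113.11, the certificate paths and the upstream names are
placeholders; the domain some_host.com is the one used in the thread.
The fragment belongs inside the http block of nginx.conf.

```nginx
# Added example, not from the original thread. IPs, certificate paths
# and upstream names are placeholders.

upstream backend_some_host  { server 10.0.0.5:8080; }   # placeholder
upstream backend_other_host { server 10.0.0.6:8080; }   # placeholder

# 1) Catch-all: the default server for 203.0.113.10:443 gets every
#    HTTPS request whose Host matches no other server_name on this IP
#    and closes the connection without a response (444). It needs a
#    certificate of its own: nginx has to finish the TLS handshake
#    before it can read the Host header. A client that sends no SNI
#    always gets this certificate; the server block is still chosen by
#    the Host header afterwards, so the catch-all keeps working.
server {
    listen 203.0.113.10:443 ssl default_server;
    server_name _;

    ssl_certificate     /etc/nginx/ssl/default.crt;
    ssl_certificate_key /etc/nginx/ssl/default.key;

    return 444;
}

# 2) Named vhost on the same IP (wildcard name and cert). Requests
#    whose Host matches land here, everything else falls into the
#    default server above. Host is forwarded unchanged, so the backend
#    sees what the client actually sent.
server {
    listen 203.0.113.10:443 ssl;
    server_name some_host.com *.some_host.com;

    ssl_certificate     /etc/nginx/ssl/wildcard.some_host.com.crt;
    ssl_certificate_key /etc/nginx/ssl/wildcard.some_host.com.key;

    location / {
        proxy_pass http://backend_some_host;
        proxy_set_header Host $host;
    }
}

# 3) Variant without a separate catch-all: the named vhost is itself
#    the default server for its IP and rejects any Host that is not
#    its own name. "return" inside "if" is one of the safe uses of
#    "if" in nginx; $host is the lowercased Host header without port.
server {
    listen 203.0.113.11:443 ssl default_server;
    server_name other_host.com;

    ssl_certificate     /etc/nginx/ssl/other_host.com.crt;
    ssl_certificate_key /etc/nginx/ssl/other_host.com.key;

    if ($host != "other_host.com") {
        return 444;
    }

    location / {
        proxy_pass http://backend_other_host;
        proxy_set_header Host $host;
    }
}
```

Check the result with nginx -t and then, from a client, send a request
with a Host header that matches no server_name on the IP: variant 1 and
variant 3 both close the connection without an HTTP response. The SNI
caveat raised in the thread affects only which certificate a non-SNI
client is shown (the default server's), not which server block the
request ends up in.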
This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.