Multiple ssl certs for the same IP?

I have foo.mydomain.com and bar.mydomain.com that both resolve to the
same IP, which is answered by nginx.

Now I want to add SSL support to nginx so that it’ll receive requests
over ssl 443 for both fully qualified domains while still communicating
with my backends over regular http (non-ssl).

So I will get two SSL certificates - one for foo.mydomain.com and the
other for bar.mydomain.com. However according to the config file the
SSL settings for the key files are defined at the “server”
declaration-block level. And in my case I have just one “server” block
that is used for both foo.mydomain.com and bar.mydomain.com.

So my question is regarding these such settings:
ssl on;
ssl_certificate cert.pem;
ssl_certificate_key cert.key;

How can I tell nginx to use the pem and keyfiles for foo.mydomain.com
AND bar.mydomain.com when the same “server” is listening for both FQDN
domains (remember, both FQDN’s resolve to the same IP and it will stay
that way for some time to come. Over time I may split these out).

Also it may be important to mention that I am NOT doing anything with
virtual servers or host headers. Rather, nginx routes the requests for
both FQDNs solely by using the nginx “location” directive to serve
content based on the path to the requested file.

So in summary, I get some requests like this:
http://foo.mydomain.com/some/path/file.gif
and
http://bar.mydomain.com/some/other/path/file.htm

and bar and foo resolve to the same IP and nginx serves both based on
that IP and location matches, in some cases passing requests to upstream
servers and in other cases serving the content itself. And now I need
to add SSL support using two signed certificates and have nginx use the
correct one when requests come in. I hope I have explained this ok!

Thanks!!

  ____________________________________________________________________________________

Be a better friend, newshound, and
know-it-all with Yahoo! Mobile. Try it now.
http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ

As far as I know, you will need a wildcard certificate (*.mydomain.com).
There is a chicken-and-egg problem in that nginx needs to see the
request
URL before deciding which cert to use in the handshake. However, nginx
cannot see the URL until the handshake has been completed. See
http://wiki.apache.org/httpd/NameBasedSSLVHosts for more details.

On Sun, May 04, 2008 at 09:54:41AM -0700, Rt Ibmer wrote:

How can I tell nginx to use the pem and keyfiles for foo.mydomain.com AND bar.mydomain.com when the same “server” is listening for both FQDN domains (remember, both FQDN’s resolve to the same IP and it will stay that way for some time to come. Over time I may split these out).

AFAIK this is impossible without some new (and not widely supported)
extensions to the SSL protocol. Please remember that the SSL negotiation
takes place before nginx can read the headers (which contain vhost
information). The extensions are described in RFC 4366.

You can specify several server blocks with the same listen ip:port
directive but it won’t help you a bit with https, actually.

Nginx will use the certificate from the first server block configured to
listen on each IP address (well, maybe not the first, but only from a
single
one, for reasons outlined above).

Your best bet would be to get a wildcard certificate for *.mydomain.com.

Best regards,
Grzegorz N.

On Sun, May 04, 2008 at 11:07:32PM +0100, Ed W wrote:

extensions to the SSL protocol.

I heard it’s coming in Firefox3?

(Probably IE won’t support it for another decade though…)

This extension is called SNI. It supported by IE7, but only under Vista,
and I’m not sure will MS add these crypto DLLs in XP. Also SNI is
supported
by Opera8 and Firefox2. To support SNI from nginx side OpenSSL-0.9.9
is required, that is currently in developing stage.

This extension is called SNI. It supported by IE7, but only under Vista,
and I’m not sure will MS add these crypto DLLs in XP. Also SNI is supported
by Opera8 and Firefox2. To support SNI from nginx side OpenSSL-0.9.9
is required, that is currently in developing stage.

It appears that SNI support has been backported to at least OpenSSL
0.9.8g ? You need to specify --enable-tlsext when building openssl

What else is required on the nginx side in order to test TLS upgrades?
Does someone have a sample config showing this working on some web
browser?

Cheers

Ed W

Grzegorz N. wrote:

On Sun, May 04, 2008 at 09:54:41AM -0700, Rt Ibmer wrote:

How can I tell nginx to use the pem and keyfiles for foo.mydomain.com AND bar.mydomain.com when the same “server” is listening for both FQDN domains (remember, both FQDN’s resolve to the same IP and it will stay that way for some time to come. Over time I may split these out).

AFAIK this is impossible without some new (and not widely supported)
extensions to the SSL protocol.

I heard it’s coming in Firefox3?

(Probably IE won’t support it for another decade though…)

Ed W

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs