Set up multiple SSL servers in one config


#1

I’m in the process of trying to convert a Pound config file that manages
multiple SSL sites over to Nginx. If I just have one site setup in the
nginx.conf file then everything, including the SSL, works fine. But if I
add a second server block for a different domain, then the second tries
to use the SSL certificate for the first, resulting in the browser
raising security warnings. My conf file is below. Any hints at what I
am doing wrong would be greatly appreciated.


user wwidea;
worker_processes 1;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;
    passenger_root /usr/local/lib/ruby/gems/1.8/gems/passenger-2.2.2;
    passenger_ruby /usr/local/bin/ruby;
    passenger_max_pool_size 20;
    passenger_pool_idle_time 3600;

    sendfile           on;
    gzip               on;
    keepalive_timeout  65;

    server {
        listen       443;
        server_name  www.domain1.com;
        root /var/rails/domain1/current/public;

        ssl    on;
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect false;
        proxy_max_temp_file_size 0;
        ssl_certificate    /var/ssl-certs/domain1.cert;
        ssl_certificate_key    /var/ssl-certs/domain1.key;
        index  index.html index.htm;
        passenger_enabled on;
    }

    server {
        listen       443;
        server_name  www.domain2.com;
        root /var/rails/domain2/current/public;

        ssl    on;
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect false;
        proxy_max_temp_file_size 0;
        ssl_certificate    /var/ssl-certs/domain2.cert;
        ssl_certificate_key    /var/ssl-certs/domain2.key;
        index  index.html index.htm;
        passenger_enabled on;
    }

}


#2

On Mon, May 11, 2009 at 05:57:10PM -0600, Jonathan Garvin wrote:

I’m in the process of trying to convert a Pound config file that manages
multiple SSL sites over to Nginx. If I just have one site setup in the
nginx.conf file then everything, including the SSL, works fine. But if I
add a second server block for a different domain, then the second tries
to use the SSL certificate for the first, resulting in the browser
raising security warnings. My conf file is below. Any hints at what I
am doing wrong would be greatly appreciated.

http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts
http://wiki.cacert.org/wiki/VhostTaskForce


#3

On Tue, May 12, 2009 at 08:54:50AM -0600, Jon G. wrote:

Thanks Igor,
Are you saying that a single instance Nginx cannot handle multiple
sites with different SSL certificates? The environment I’m trying to
emulate is working just fine with Pound right now. In other words, one
instance of pound is running on my server that handles multiple SSL
certificates for multiple live domains (working like this for several
years). Seems to me if Pound can handle the task, Nginx ought to be
able to as well. Is the only option to run Pound in front of Nginx so
that Pound can handle the SSL before passing the traffic off to Nginx?
I was hoping to eliminate Pound from the equation altogether.

No, a single nginx instance can handle several SSL sites, but you need
several IPs, one for each SSL host. Or you may use some workarounds as
described here
http://wiki.cacert.org/wiki/VhostTaskForce


#4

Thanks Igor,
Are you saying that a single instance Nginx cannot handle multiple
sites with different SSL certificates? The environment I’m trying to
emulate is working just fine with Pound right now. In other words, one
instance of pound is running on my server that handles multiple SSL
certificates for multiple live domains (working like this for several
years). Seems to me if Pound can handle the task, Nginx ought to be
able to as well. Is the only option to run Pound in front of Nginx so
that Pound can handle the SSL before passing the traffic off to Nginx?
I was hoping to eliminate Pound from the equation altogether.

Igor S. wrote:

http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts
http://wiki.cacert.org/wiki/VhostTaskForce

http://www.5valleys.com/

http://www.workingwithrails.com/person/8078


#5

Igor S. wrote:

able to as well. Is the only option to run Pound in front of Nginx so
that Pound can handle the SSL before passing the traffic off to Nginx?
I was hoping to eliminate Pound from the equation altogether.

No, a single nginx instance can handle several SSL sites, but you need
several IPs, one for each SSL host. Or you may use some workarounds as
described here
http://wiki.cacert.org/wiki/VhostTaskForce

Yes, we have multiple IPs. As I said, this is working now with Pound.
I’m just having trouble figuring out how to configure Nginx to handle
this.

Oh, wait. I just noticed that the ‘listen’ directive can take an
address as well as a port. duh. So, my guess now is that instead of
‘listen 443’, I need to say ‘listen x.x.x.x:443’, in each server block.
right?

http://www.5valleys.com/

http://www.workingwithrails.com/person/8078


#6

On Tue, May 12, 2009 at 09:45:03AM -0600, Jon G. wrote:

Yes, we have multiple IPs. As I said, this is working now with Pound.
I’m just having trouble figuring out how to configure Nginx to handle this.

Oh, wait. I just noticed that the ‘listen’ directive can take an
address as well as a port. duh. So, my guess now is that instead of
‘listen 443’, I need to say ‘listen x.x.x.x:443’, in each server block.
right?

Yes.
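The per-address form of listen that the thread arrives at, written out as a complete two-site config. This is an added example, not code from the original posts or from the nginx project. The addresses 192.0.2.10 and 192.0.2.11 are placeholders from the documentation range standing in for the two real IPs; the hostnames, paths and certificate files are the ones from the first post. The reason the original config failed is that both server blocks bound the same socket, *:443. The certificate is sent during the TLS handshake, before nginx has seen a Host header, so without SNI it has no way to tell which block the client wanted and serves the first block's certificate for that socket to everyone. Giving each block its own address gives nginx a distinct socket per certificate, which is exactly what Pound was doing.

```nginx
http {
    # mime.types, passenger_*, sendfile, gzip and keepalive_timeout as in
    # the original config; omitted here to keep the listen/ssl pairing visible.

    # Site 1. Bound to its own address: any handshake arriving on
    # 192.0.2.10:443 can only reach this block, so only domain1's
    # certificate is ever presented on it.
    server {
        listen       192.0.2.10:443;   # placeholder for www.domain1.com's real IP
        server_name  www.domain1.com;
        root         /var/rails/domain1/current/public;

        ssl                  on;
        ssl_certificate      /var/ssl-certs/domain1.cert;
        ssl_certificate_key  /var/ssl-certs/domain1.key;

        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header  Host $http_host;
        proxy_redirect    off;         # "off" is the documented spelling; "false" is a legacy alias
        proxy_max_temp_file_size 0;

        index  index.html index.htm;
        passenger_enabled on;
    }

    # Site 2. Same shape, different address and different key pair.
    server {
        listen       192.0.2.11:443;   # placeholder for www.domain2.com's real IP
        server_name  www.domain2.com;
        root         /var/rails/domain2/current/public;

        ssl                  on;
        ssl_certificate      /var/ssl-certs/domain2.cert;
        ssl_certificate_key  /var/ssl-certs/domain2.key;

        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header  Host $http_host;
        proxy_redirect    off;
        proxy_max_temp_file_size 0;

        index  index.html index.htm;
        passenger_enabled on;
    }
}
```

Two checks are worth running after the change. First, `nginx -t` confirms the config parses and that both addresses are actually assigned to the host (a listen on an address the box does not own fails at bind time, not at parse time, so also watch the error log on reload). Second, fetch the certificate from each address by IP, with no server name, which exercises the same pre-SNI path a 2009 browser would: `openssl s_client -connect 192.0.2.11:443 </dev/null 2>/dev/null | openssl x509 -noout -subject` must print domain2's subject, and the same against 192.0.2.10 must print domain1's. The remaining piece is DNS: www.domain2.com's A record has to point at 192.0.2.11, or clients still land on the other socket and see the warning the original post describes. On current nginx the `ssl on;` directive is deprecated in favour of `listen 192.0.2.10:443 ssl;`, and builds with SNI support can select a certificate from the name the client sends in the handshake, which removes the one-IP-per-certificate requirement this thread works around; the per-address form above still works and is the safer choice when old clients without SNI must be served.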