Ssl/non-ssl

I have two php sites running, site1 under ssl and site2 is not.

site1 redirects all port 80 traffic to port 443. i have noticed
however if i try to access site2 using https, it will serve site1…
is there a way to redirect all attempts to access site2 via port 443
back to port 80?

i tried just adding a rule to redirect all site2 traffic from port 443
to 80 like so but it didn’t work:

server {
listen 80;
server_name site1.com;
rewrite ^/(.*) https://site1.com/$1 permanent;
}

server {
listen 443;
server_name site1.com;
}

server {
listen 80;
server_name site2.com;
}

server {
listen 443;
server_name site2.com;
rewrite ^/(.*) http://site2.com/$1 permanent;
}

On Thu, Jun 19, 2008 at 11:47:33PM -0400, jeff emminger wrote:

server {
listen 80;
server_name site2.com;
}

server {
listen 443;
server_name site2.com;
rewrite ^/(.*) http://site2.com/$1 permanent;
}

http://marc.info/?l=nginx&m=120992171505688

http://marc.info/?l=nginx&m=120992171505688

are you saying it’s not possible? keep in mind that i don’t want to
use ssl for site2… i’m trying to prevent access to site2 via ssl, i
only want site2 to be non-ssl.

On Fri, Jun 20, 2008 at 10:59:23AM -0400, jeff emminger wrote:

http://marc.info/?l=nginx&m=120992171505688

are you saying it’s not possible?

You has to run site2 on other IP.

On Fri, Jun 20, 2008 at 10:59:23AM -0400, jeff emminger wrote:

http://marc.info/?l=nginx&m=120992171505688

are you saying it’s not possible?

Yes, until SNI will be common.

keep in mind that i don’t want to
use ssl for site2… i’m trying to prevent access to site2 via ssl, i
only want site2 to be non-ssl.

Anyway, if you want to run redirect from https://site2, you has to make
it.

Igor S. wrote:

I’m just going some testing right now - however, I reckon that SNI is
commonly supported now. I would guess that penetration of FF2+ IE7
(vista) is >50% on my sites and growing. Sure that’s not enough to
gamble a whole business strategy on, but that’s plenty enough support to
start supporting in my opinion (hey how many people are primarily
supporting only FF on their sites and paying only lipservice to IE
anyway…)

Also it seems that using subjectAltName on the certificate is another
route for sites where you have a known and reasonably fixed number of
domain names (not sure how many CAs will sign these though?)

Ed W

On Fri, Jun 20, 2008 at 05:28:06PM +0100, Ed W wrote:

Yes, until SNI will be common.

I’m just going some testing right now - however, I reckon that SNI is
commonly supported now. I would guess that penetration of FF2+ IE7
(vista) is >50% on my sites and growing.

50% does not mean 99%. For example, in Russian part of Internet
IE6 still does 34% requests and XP does 82%:

http://www.liveinternet.ru/stat/ru/browsers.html
http://www.liveinternet.ru/stat/ru/oses.html

Sure that’s not enough to
gamble a whole business strategy on, but that’s plenty enough support to
start supporting in my opinion (hey how many people are primarily
supporting only FF on their sites and paying only lipservice to IE
anyway…)

nginx supports SNI. You only have to build/install OpenSSL with SNI
support
and rebuild nginx against it.

Also it seems that using subjectAltName on the certificate is another
route for sites where you have a known and reasonably fixed number of
domain names (not sure how many CAs will sign these though?)

Yes, there are options like wildcard certificates and subjectAltName,
but they require special handling and planning. There are still
no easy way to use name-based SSL virtual hosts.