Wrong server used in SSL request

Hi everyone,

I have a rather strange issue.

I have a server with 3 configured urls:

example.com (+ ssl)
shop.example.com (+ ssl)
example2.com (- ssl)

If I now open https://example2.com the server of
https://shop.example.com is used.

My config looks like this:
https://gist.github.com/apfelbox/c13a226633a7df92e3fe

Does anybody have an idea?

Thanks and Regards
Jannik Zschiesche

Hi,

sorry, wrong link.
Here is the correct one:

Regards
Jannik


Kind regards
Jannik Zschiesche

On Wednesday, 10 July 2013 at 09:40, Jannik Zschiesche wrote:

On 10 Jul 2013 08:41, “Jannik Zschiesche” wrote:

If I now open https://example2.com the server of https://shop.example.com is
used.

My config looks like this:
https://gist.github.com/apfelbox/c13a226633a7df92e3fe

Does anybody have an idea?

This is due to you having only one IP listening for ssl traffic. It’s a
fundamental limitation of ssl when not used with SNI.

To fix it, you’ll need to either use more IPs and listen explicitly on
different ones for different virtual hosts, or use SNI, or use a wildcard
(or UCC/SaN) certificate. The first fix is by far the most common for
people in your situation.

HTH,
Jonathan

On Wednesday, 10 July 2013 at 09:54, Jonathan M. wrote:

This is due to you having only one IP listening for ssl traffic. It’s a
fundamental limitation of ssl when not used with SNI.
To fix it, you’ll need to either use more IPs and listen explicitly on different
ones for different virtual hosts, or use SNI, or use a wildcard (or UCC/SaN)
certificate. The first fix is by far the most common for people in your situation.
HTH,
Jonathan

Hi,

thank you both.

Actually, I have SNI enabled.

https://example.com
and
https://shop.example.com

both work correctly (so SNI works).

The issue is with the nonexistent SSL server for example2.com.
It seems that if an SSL server for a domain is not configured, another
server is used (instead of error-ing out). Is this correct?

On Jul 10, 2013, at 11:40 , Jannik Zschiesche wrote:

If I now open https://example2.com the server of https://shop.example.com is
used.
Configuring HTTPS servers

It seems that if an SSL server for a domain is not configured, another
server is used (instead of error-ing out). Is this correct?

Yes, the default/first server.
The “error-ing out” (with option to proceed anyway) usually happens on the
client side/browser which checks that the host name doesn’t match the server
SSL certificate.

rr
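
A catch-all layout for the situation discussed in this thread, as an added example that is not from any of the posters. The server ordering, document roots and certificate paths are assumptions, since the linked gist is not reproduced on this page.

```nginx
# Constructed configuration mirroring the three hosts named in the thread.
# All file paths below are placeholders.

# Explicit default for port 443. nginx picks this block whenever the
# requested name (SNI / Host) matches no server_name on the socket,
# for example https://example2.com, which has no SSL server of its own.
server {
    listen 443 ssl default_server;
    server_name _;

    # nginx 1.19.4 and later: abort the TLS handshake instead of
    # presenting another site's certificate and content.
    ssl_reject_handshake on;

    # Older versions: drop ssl_reject_handshake, set ssl_certificate and
    # ssl_certificate_key to a throwaway self-signed pair, and close the
    # connection without a response:
    # return 444;
}

server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
    root /var/www/example.com;
}

server {
    listen 443 ssl;
    server_name shop.example.com;
    ssl_certificate     /etc/nginx/ssl/shop.example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/shop.example.com.key;
    root /var/www/shop.example.com;
}

# Plain HTTP only; HTTPS requests for this name land in the catch-all above.
server {
    listen 80;
    server_name example2.com;
    root /var/www/example2.com;
}
```

Without a block marked `default_server`, the first server defined for the 443 listen socket takes that role, which is how an unrelated site ends up answering.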