Forum: NGINX SSL questions

Adam Zell (Guest)
on 2008-11-28 22:48
(Received via mailing list)
Hello,

1) How does the following change in 0.6.34 impact existing
configurations:

    *) Feature: now the "rewrite" directive does a redirect
automatically
       if the "https://" protocol is used.

What rewrites would be affected?  For example:

    rewrite (.*) https://$host$1 permanent;

2) How does nginx determine the default HTTPS server?  Setting the
default HTTP server is well defined, but it is not clear to me what
server is used if the default HTTP server does not support SSL.

Thanks,
Maxim Dounin (Guest)
on 2008-11-28 23:48
(Received via mailing list)
Hello!

On Fri, Nov 28, 2008 at 01:41:40PM -0800, Adam Zell wrote:

> Hello,
>
> 1) How does the following change in 0.6.34 impact existing configurations:
>
>     *) Feature: now the "rewrite" directive does a redirect automatically
>        if the "https://" protocol is used.
>
> What rewrites would be affected?  For example: rewrite (.*)
> https://$host$1 permanent;

This only affects rewrites without an explicit redirect or permanent
flag set, e.g.

    rewrite  ^  https://example.com/;

won't do anything sensible before 0.6.34 and should be written
explicitly as

    rewrite  ^  https://example.com/  redirect;

> 2) How does nginx determine the default HTTPS server?  Setting the
> default HTTP server is well defined, but it is not clear to me what
> server is used if the default HTTP server does not support SSL.

Each server has a list of listening sockets associated with it (see
http://wiki.codemongers.com/NginxHttpCoreModule#listen).  Only
servers listening on the particular ip:port are used when selecting
the appropriate server to serve a request.  Since on a given ip:port
you can either use ssl or not (but not both, by design of the https
protocol), servers without ssl support can't be selected to serve
https requests.

Maxim Dounin
Adam Zell (Guest)
on 2008-11-29 00:59
(Received via mailing list)
Greetings,

<snip>
On Fri, Nov 28, 2008 at 2:41 PM, Maxim Dounin <mdounin@mdounin.ru>
wrote:
> https requests.
>
Perhaps I did not phrase this correctly.  I have an HTTP default
server such as the following:

  server {
    listen 80 default;
  }

Any HTTP request that does not match a server_name in any other
configuration block will fall back to this setting.  Now, I also have
multiple HTTPS servers all using the same wildcard certificate and
port:

  ssl_certificate cert/wildcard.cert;
  ssl_certificate_key cert/wildcard.key;

  server {
    listen 443;
    ssl on;
    server_name foo.mydomain.com;
  }

  server {
    listen 443;
    ssl on;
    server_name bar.mydomain.com;
  }

Suppose a request to https://baz.mydomain.com is received by nginx.
'baz.mydomain.com' will not match either of the server_name settings
for SSL, but will still be forwarded to one of the above servers.  It
is not clear to me how nginx picks which HTTPS server to forward the
request to, or what the correct response should be given that the
default server defined in the configuration does not support HTTPS.

Best,
Maxim Dounin (Guest)
on 2008-11-29 02:29
(Received via mailing list)
Hello!

On Fri, Nov 28, 2008 at 03:50:30PM -0800, Adam Zell wrote:

> Suppose a request to https://baz.mydomain.com is received by nginx.
> 'baz.mydomain.com' will not match either of the server_name settings
> for SSL, but will still be forwarded to one of the above servers.  It
> is not clear to me how nginx picks which HTTPS server to forward the
> request to, or what the correct response should be given that the
> default server defined in the configuration does not support HTTPS.

The 'default' isn't a property of a server, it's a property of the
listening socket.  In the above configuration there is no explicit
default for the listen socket *:443, so the default is the first one
(in this case the one in the foo.mydomain.com server).

Just to be clear, here is a short description of the procedure nginx
uses to determine the correct server to process a request (not exact,
but the logic to keep in mind):

1. For each request we know the local ip:port pair.  For this ip:port
we select all servers that listen on this ip:port.

2. If the resulting list is empty, we select all servers that listen
on *:port.

3. If we have only 1 server in the resulting list, we are done
(the real, non-virtual host case).

4. If more than one server is found for the ip:port pair, it's the
virtual host case.  Here server_name matching against the 'Host'
header comes in, with all the tricky wildcards and so on.  I'll omit
the details for clarity.

5. If server_name matching found something, we are done.

6. If nothing is found, we use the default server *for this listening
socket*, either explicitly specified using 'listen ... default'
or the implicit one (i.e. the one configured first).

Maxim Dounin
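The six steps above, as an added example that is not part of the original thread and not nginx's own code: a small Python model of the selection procedure, run against the poster's configuration (a port-80 default plus two SSL servers with no explicit default on *:443). Server names, the 192.0.2.10 local address and the "listen" / "default" representation are assumptions made for the illustration; server_name matching is simplified to exact names and leading "*." wildcards, since the reply deliberately omits the other forms.

```python
"""Simplified model of nginx's server selection (added example, not nginx code).

Follows the informal procedure from the reply: exact ip:port, then *:port,
then server_name against Host, then the per-socket default.  Name matching
is reduced to exact names and leading "*." wildcards (assumption).
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Server:
    name: str                        # label used by this example only
    listen: List[str]                # sockets, as "ip:port" or "*:port"
    server_names: List[str] = field(default_factory=list)
    default_for: List[str] = field(default_factory=list)  # sockets with "listen ... default"


def _name_matches(pattern: str, host: str) -> bool:
    """Exact match, or a leading wildcard such as *.mydomain.com (simplified)."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])   # ".mydomain.com" suffix, so the bare domain does not match
    return pattern == host


def select_server(servers: List[Server], local: str, host: str) -> Optional[Server]:
    """Pick the server block for a request arriving on `local` with the given Host header."""
    port = local.rsplit(":", 1)[1]
    # 1. servers listening on this exact ip:port
    socket = local
    candidates = [s for s in servers if local in s.listen]
    # 2. fall back to servers listening on *:port
    if not candidates:
        socket = f"*:{port}"
        candidates = [s for s in servers if socket in s.listen]
    if not candidates:
        return None           # nothing listens here; the connection would never have been accepted
    # 3. a single server: no virtual hosting on this socket
    if len(candidates) == 1:
        return candidates[0]
    # 4/5. virtual hosts: match Host against server_name, exact names before wildcards
    host = host.lower().rstrip(".")
    for wildcard_pass in (False, True):
        for s in candidates:
            for pattern in s.server_names:
                if pattern.startswith("*.") == wildcard_pass and _name_matches(pattern, host):
                    return s
    # 6. the default *for this listening socket*: explicit, else the first configured
    for s in candidates:
        if socket in s.default_for:
            return s
    return candidates[0]


def thread_config() -> List[Server]:
    """The poster's configuration: a port-80 default and two SSL servers without a default."""
    return [
        Server("http-default", listen=["*:80"], default_for=["*:80"]),
        Server("foo", listen=["*:443"], server_names=["foo.mydomain.com"]),
        Server("bar", listen=["*:443"], server_names=["bar.mydomain.com"]),
    ]


def demo():
    """Returns which server answers https://baz.mydomain.com under three configurations."""
    servers = thread_config()
    # No server_name on *:443 matches, so the implicit default (first configured, "foo")
    # answers; the port-80 default is never a candidate for a :443 request.
    unknown = select_server(servers, "192.0.2.10:443", "baz.mydomain.com")
    # Reordering the two SSL server blocks silently changes the answer ...
    reordered = [servers[0], servers[2], servers[1]]
    unknown_reordered = select_server(reordered, "192.0.2.10:443", "baz.mydomain.com")
    # ... unless one of them is the explicit default for *:443 ("listen 443 default;" on bar).
    pinned = thread_config()
    pinned[2].default_for.append("*:443")
    unknown_pinned = select_server(pinned, "192.0.2.10:443", "baz.mydomain.com")
    return unknown.name, unknown_reordered.name, unknown_pinned.name


if __name__ == "__main__":
    print(demo())   # ('foo', 'bar', 'bar')
```

The practical consequence is the one the reply spells out: with no explicit default on the :443 socket, an unknown Host is served by whichever SSL server block happens to come first, and that changes whenever blocks are added or reordered. Marking the intended catch-all with `listen 443 default;` (the 0.6.x syntax used on this page; later releases spell the parameter `default_server`) makes the choice deterministic regardless of file order, and a dedicated catch-all block that refuses unrecognised names keeps requests for them from landing on a real site's server block.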