SSL Questions

alanwatts · February 18, 2009, 8:06am

Good day one and all. I would like to ask some specific SSL questions
that
I am sure will be easy enough.
SSL has the requirement that only certificate can be loaded per IP
address.

With that in mind can nginx handle hosting multiple virtual host SSL
sites
all listening to on IP’s?

And can I accept a “https://myhost.com/” and then load balance (proxy)
that
internally to normal “http://” backends?

Thanks

a

alanwatts · February 18, 2009, 2:58pm

Hello Alan,

Alan W. wrote:

that internally to normal “http://” backends?
I’ve only been testing out nginx for about a week. This is my plan as
well. So far, I have this working with two IPs (one IP virtual host and
the main IP) on a couple of development systems.

Pretty easy once I read the documentation right.

I’m using an rpm for Fedora from the EPEL repository on CentOS 5. This
seems to have a few things compiled in – like SSL support – that the
nginx docs suggest are not the default compile, but which have made life
easier.

Take care,

Kurt Hansen

alanwatts · February 18, 2009, 3:06pm

On Wed, Feb 18, 2009 at 06:57:37AM +0000, Alan W. wrote:

Good day one and all. I would like to ask some specific SSL questions that
I am sure will be easy enough.
SSL has the requirement that only certificate can be loaded per IP address.

With that in mind can nginx handle hosting multiple virtual host SSL sites
all listening to on IP’s?

nginx can, but browsers would certainly not like this.

There is some workarounds, however:

http://wiki.cacert.org/wiki/VhostTaskForce

And can I accept a “https://myhost.com/” and then load balance (proxy) that
internally to normal “http://” backends?

Yes.

alanwatts · February 18, 2009, 3:37pm

On Wed, Feb 18, 2009 at 02:22:32PM +0000, Alan W. wrote:

What i meant to say, multiple IP addresses — one per SSL site.
Will browsers work with that?

Yes, of course.

alanwatts · February 18, 2009, 3:32pm

What i meant to say, multiple IP addresses — one per SSL site.
Will browsers work with that?

alanwatts · February 18, 2009, 4:07pm

Igor S. wrote:

nginx can, but browsers would certainly not like this.

There is some workarounds, however:

VhostTaskForce - CAcert Wiki
Server Name Indication - Wikipedia

I think he means multiple IPs, not just one. Though the “on IP’s” is
ambiguous. Alan could have meant one IP, and I read it the other way
because it is what I’m planning on doing.

Did you mean one IP or multiple, Alan?

Take care,

Kurt