Unexpected SSL Behavior with Virtual Hosts

Sorry for posting this twice. I posted it in the “How to” forum last week,
there haven’t been any replies, so I thought I’d try again.

I’m using nginx for multiple virtual hosts on the same physical server. The
issue I’m having is that a browser request for https://www.domain1.org/ is
being answered with a certificate for a different domain. Here’s what the
slices from my config files look like:

domain1.conf: (note that there’s no listen directive for port 443)
server {
    listen 80;
    server_name domain1.org www.domain1.org domain1.com www.domain1.com
                domain1.net www.domain1.net domain1.us www.domain1.us
                domain1.info www.domain1.info;
    root /home/domain1/public_html;

    # more stuff
}

domain2.conf:
server {
    listen 80;

    server_name domain2 www.domain2;
    root /home/domain2/public_html;

    # more stuff
}

server { ## SSL config for domain2
    listen 443 ssl;

    ssl_certificate /etc/ssl/certs/domain2-chained.crt;
    ssl_certificate_key /etc/ssl/private/domain2.key;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
    ssl_prefer_server_ciphers on;

    server_name domain2 www.domain2;
    root /home/domain2/public_html;

    # more stuff
}

server {
    listen 80;

    server_name domain3 www.domain3;
    root /var/www;

    access_log /var/log/nginx/access-domain3.log;
    error_log /var/log/nginx/error-domain3.log;

    return 301 https://$host$request_uri;
}

server { ## SSL config for domain3
    listen 443 ssl;

    ssl_certificate /etc/ssl/certs/domain3-chained.crt;
    ssl_certificate_key /etc/ssl/private/server.key;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
    ssl_prefer_server_ciphers on;

    root /var/www;
    index index.php index.html index.htm;

    access_log /var/log/nginx/access-domain3-ssl.log;
    error_log /var/log/nginx/error-domain3-ssl.log;
    rewrite_log on;

    server_name www.domain3 domain3;

    # more stuff
}

A browser request for https://www.domain1.org/ returns the certificate for
domain 2 and the content found in the root for domain2. Why is that and how
can I get the server to redirect to http://www.domain1.org/ instead? Thank
you…

Hi!
On Wed, 2014-05-14 at 20:01 -0400, SAH62 wrote:

A browser request for https://www.domain1.org/ returns the certificate for
domain 2 and the content found in the root for domain2. Why is that and how
can I get the server to redirect to http://www.domain1.org/ instead? Thank
you…

If you don’t specify a default browser for https, then it uses the first
one it comes across. You have to specifically redirect domain1 https to
http: - this may require a valid cert for domain 1…

server {
    listen 443 ssl;
    server_name domain1.com www.domain1.com;

    ssl_certificate domain1.com.crt;
    ssl_certificate_key domain1.com.key;

    return 301 http://domain1.com$request_uri;
}

BTW, I find combining the http and https stuff for server definitions
to be much simpler. I also dump as much of the SSL settings as possible
in the http {} block. Both of these approaches make a setup that I find
simpler to administer.

hth,

Steve

Steve H. BSc(Hons) MIITP

Linkedin: http://www.linkedin.com/in/steveholdoway
Skype: sholdowa

On 15 May 2014, at 04:01, SAH62 wrote:

A browser request for https://www.domain1.org/ returns the certificate for
domain 2 and the content found in the root for domain2. Why is that and how
can I get the server to redirect to http://www.domain1.org/ instead? Thank
you

http://nginx.org/en/docs/http/configuring_https_servers.html#name_based_https_servers


Igor S.

Hello!

On Fri, May 16, 2014 at 09:37:12AM -0400, SAH62 wrote:

OK, that explains why nginx returns the default certificate. It’s listening
on 443, it gets a request, and it doesn’t know which domain the HTTP request
is for so it responds with the default certificate. Why is it sending back
the content for domain2, though?

Because it’s the default server for the listening socket on port
443. See here for details:

http://nginx.org/en/docs/http/request_processing.html


Maxim D.
http://nginx.org/
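
An added example, not part of the original thread or of nginx itself: a small Python model of the default-server rule described in the replies above, run against a constructed copy of the posted configuration. It handles exact `server_name` matches only (wildcard and regex names are left out), and the block labels and function names are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class Server:
    label: str             # hypothetical label, used only to identify the block
    port: int
    names: tuple
    default: bool = False  # models the default_server parameter of listen

def select_server(servers, port, host):
    """Pick the block for a request: exact name match, else the socket default."""
    on_port = [s for s in servers if s.port == port]
    if not on_port:
        return None  # nothing listens on this port
    for s in on_port:
        if host in s.names:
            return s
    # No name matched: an explicit default_server wins, otherwise the first block defined.
    explicit = [s for s in on_port if s.default]
    return explicit[0] if explicit else on_port[0]

def fallthrough_names(servers, port=443):
    """Audit: names served on other ports that have no block of their own on `port`."""
    covered = {n for s in servers if s.port == port for n in s.names}
    others = {n for s in servers if s.port != port for n in s.names}
    return sorted(others - covered)

# Constructed model of the configuration posted in the thread (subset of domain1 names).
POSTED = [
    Server("domain1-http", 80, ("domain1.org", "www.domain1.org",
                                "domain1.com", "www.domain1.com")),
    Server("domain2-http", 80, ("domain2", "www.domain2")),
    Server("domain2-ssl", 443, ("domain2", "www.domain2")),
    Server("domain3-http", 80, ("domain3", "www.domain3")),
    Server("domain3-ssl", 443, ("www.domain3", "domain3")),
]
# The same configuration plus the redirect block suggested in the reply above.
WITH_REDIRECT = POSTED + [
    Server("domain1-ssl-redirect", 443, ("domain1.com", "www.domain1.com")),
]

if __name__ == "__main__":
    print(select_server(POSTED, 443, "www.domain1.org").label)
    print(fallthrough_names(POSTED))
    print(select_server(WITH_REDIRECT, 443, "www.domain1.com").label)
    print(fallthrough_names(WITH_REDIRECT))
```

The audit function lists every name that would be answered by another site's certificate and content on port 443; after adding a redirect block that names only the `.com` hosts, `domain1.org` and `www.domain1.org` are still reported.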

Igor S. Wrote:

OK, that explains why nginx returns the default certificate. It’s listening
on 443, it gets a request, and it doesn’t know which domain the HTTP request
is for so it responds with the default certificate. Why is it sending back
the content for domain2, though?

Scott
