Forum: NGINX Unexpected SSL Behavior with Virtual Hosts

SAH62 (Guest)
on 2014-05-15 02:02
(Received via mailing list)
Sorry for posting this twice. I posted it in the "How to" forum last week,
there haven't been any replies, so I thought I'd try again.

I'm using nginx for multiple virtual hosts on the same physical server. The
issue I'm having is that a browser request for https://www.domain1.org/ is
being answered with a certificate for a different domain. Here's what the
slices from my config files look like:

domain1.conf: (note that there's no listen directive for port 443)
server {
  listen 80;
  server_name domain1.org www.domain1.org domain1.com www.domain1.com
    domain1.net www.domain1.net domain1.us www.domain1.us domain1.info
    www.domain1.info;
  root /home/domain1/public_html;

  # more stuff
}

domain2.conf:
server {
  listen 80;

  server_name domain2 www.domain2;
  root /home/domain2/public_html;

  # more stuff
}

server { ## SSL config for domain2
  listen 443 ssl;

  ssl_certificate /etc/ssl/certs/domain2-chained.crt;
  ssl_certificate_key /etc/ssl/private/domain2.key;
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 10m;
  ssl_protocols SSLv3 TLSv1;
  ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
  ssl_prefer_server_ciphers on;

  server_name domain2 www.domain2;
  root /home/domain2/public_html;

  # more stuff
}

server {
  listen 80;

  server_name domain3 www.domain3;
  root /var/www;

  access_log /var/log/nginx/access-domain3.log;
  error_log /var/log/nginx/error-domain3.log;

  return 301 https://$host$request_uri;
}

server { ## SSL config for domain3
  listen 443 ssl;

  ssl_certificate /etc/ssl/certs/domain3-chained.crt;
  ssl_certificate_key /etc/ssl/private/server.key;
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 10m;
  ssl_protocols SSLv3 TLSv1;
  ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
  ssl_prefer_server_ciphers on;

  root /var/www;
  index index.php index.html index.htm;

  access_log /var/log/nginx/access-domain3-ssl.log;
  error_log /var/log/nginx/error-domain3-ssl.log;
  rewrite_log on;

  server_name www.domain3 domain3;

  # more stuff
}

A browser request for https://www.domain1.org/ returns the certificate for
domain 2 and the content found in the root for domain2. Why is that and how
can I get the server to redirect to http://www.domain1.org/ instead? Thank
you...

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,250097,250097#msg-250097
Steve Holdoway (Guest)
on 2014-05-15 02:27
(Received via mailing list)
Hi!
On Wed, 2014-05-14 at 20:01 -0400, SAH62 wrote:
> listen 80;
> listen 80;
> ssl_certificate /etc/ssl/certs/domain2-chained.crt;
> # more stuff
>
> ssl_protocols SSLv3 TLSv1;
> server_name www.domain3 domain3;
>
> # more stuff
> }
>
> A browser request for https://www.domain1.org/ returns the certificate for
> domain 2 and the content found in the root for domain2. Why is that and how
> can I get the server to redirect to http://www.domain1.org/ instead? Thank
> you...

If you don't specify a default browser for https, then it uses the first
one it comes across. You have to specifically redirect domain1 https to
http: - this *may* require a valid cert for domain 1...

server {
  listen 443 ssl;
  server_name domain1.com www.domain1.com;

  ssl_certificate domain1.com.crt;
  ssl_certificate_key domain1.com.key;

  return 301 http://domain1.com$request_uri;
}


BTW I find that combining http and https: stuff for server definitions
to be much simpler. I also dump as much of the SSL settings as possible
in the http {} block. Both of these approaches make a setup that I find
simpler to administer.

hth,

Steve
--
Steve Holdoway BSc(Hons) MIITP
http://www.greengecko.co.nz
Linkedin: http://www.linkedin.com/in/steveholdoway
Skype: sholdowa
Igor Sysoev (Guest)
on 2014-05-15 11:59
(Received via mailing list)
On 15 May 2014, at 04:01, SAH62 <nginx-forum@nginx.us> wrote:

> listen 80;
> listen 80;
> ssl_certificate /etc/ssl/certs/domain2-chained.crt;
> # more stuff
>
> ssl_protocols SSLv3 TLSv1;
> server_name www.domain3 domain3;
>
> # more stuff
> }
>
> A browser request for https://www.domain1.org/ returns the certificate for
> domain 2 and the content found in the root for domain2. Why is that and how
> can I get the server to redirect to http://www.domain1.org/ instead? Thank
> you

http://nginx.org/en/docs/http/configuring_https_se...


--
Igor Sysoev
http://nginx.com
SAH62 (Guest)
on 2014-05-16 15:37
(Received via mailing list)
Igor Sysoev Wrote:
-------------------------------------------------------
> > being answered with a certificate for a different domain. Here's
> >
> > # more stuff
> > ssl_ciphers
> > listen 80;
> > server { ## SSL config for domain3
> >
> > }
> d_https_servers
OK, that explains why nginx returns the default certificate. It's listening
on 443, it gets a request, and it doesn't know which domain the HTTP request
is for so it responds with the default certificate. Why is it sending back
the content for domain2, though?

Scott

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,250097,250156#msg-250156
Maxim Dounin (Guest)
on 2014-05-16 15:42
(Received via mailing list)
Hello!

On Fri, May 16, 2014 at 09:37:12AM -0400, SAH62 wrote:

> > > issue I'm having is that a browser request for
> > > www.domain1.info;
> > > root /home/domain2/public_html;
> > > ssl_session_timeout 10m;
> > >
> > > }
> > ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
> > >
> >
> > http://nginx.org/en/docs/http/configuring_https_se...
> > d_https_servers
>
> OK, that explains why nginx returns the default certificate. It's listening
> on 443, it gets a request, and it doesn't know which domain the HTTP request
> is for so it responds with the default certificate. Why is it sending back
> the content for domain2, though?

Because it's the default server for the listening socket on port
443.  See here for details:

http://nginx.org/en/docs/http/request_processing.html

--
Maxim Dounin
http://nginx.org/
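
Added example, not part of the original thread and not nginx project code: a small Python audit of the default-server behaviour discussed above. It reports, per listen socket, which server block is the default and which configured names have no block on that socket and so fall through to it. Assumptions: the names server_blocks and audit are hypothetical, the sample config is constructed from the thread's layout, the socket is keyed by the first listen argument verbatim, and the config text is supplied in the order nginx loads it.

```python
import re
from collections import defaultdict

# Constructed config with the thread's layout: domain1 has no 443 block.
SAMPLE = """
server { listen 80;  server_name domain1.org www.domain1.org; }
server { listen 80;  server_name domain2 www.domain2; }
server { listen 443 ssl; server_name domain2 www.domain2;   # first on 443
         location / { root /home/domain2/public_html; } }
server { listen 80;  server_name domain3 www.domain3; }
server { listen 443 ssl; server_name www.domain3 domain3; }
"""

def server_blocks(conf):
    """Yield the body of each server { } block, tolerating nested braces."""
    conf = re.sub(r"#.*", "", conf)                 # drop comments
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def audit(conf):
    """Per listen socket: the default server and names that fall through to it."""
    sockets = defaultdict(list)                     # socket -> [(names, flagged)]
    all_names = set()
    for body in server_blocks(conf):
        found = re.findall(r"\bserver_name\s+([^;]+);", body)
        names = found[0].split() if found else [""]
        all_names.update(n for n in names if n not in ("", "_"))
        for args in re.findall(r"\blisten\s+([^;]+);", body):
            tok = args.split()
            sockets[tok[0]].append((names, "default_server" in tok))
    report = {}
    for sock, entries in sockets.items():
        flagged = [names for names, is_default in entries if is_default]
        served = {n for names, _ in entries for n in names}
        report[sock] = {
            # no default_server flag: the first block in load order wins
            "default": (flagged or [entries[0][0]])[0],
            "explicit": bool(flagged),
            "fallthrough": sorted(all_names - served),
        }
    return report

if __name__ == "__main__":
    for sock, info in audit(SAMPLE).items():
        print(sock, info)
```

For the sample, socket 443 reports domain2 as an implicit default and lists the domain1 names as falling through to it, which matches the certificate and content SAH62 saw.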