3
votes

I have 2 SSL webservers that I have to handle with nginx. I also have an HTTP server (the redirection works fine).

The redirection works well when I handle just HTTP and HTTPS (only one SSL webserver).

The problem is when I want to handle 2 SSL webservers:

na.test.lan for https
nnm.toast.lan for https

The request for HTTPS is handled by the first server block file, which redirects me to the wrong SSL webserver (maybe the first server block that listens on port 443).

Here is my ssl.conf:

server {
    listen       443;                 # old style: the "ssl on;" below enables TLS on this port
    server_name  na.test.lan;

    ssl                  on;          # obsolete since nginx 1.15.0; "listen 443 ssl;" replaces it
    # Both server blocks load the same certificate, so it has to be valid for both names.
    ssl_certificate      /etc/pki/nginx/server.crt;
    ssl_certificate_key  /etc/pki/nginx/server.key;

    ssl_session_timeout  1m;

    # SSLv2 and SSLv3 are broken protocols, and this cipher string still admits
    # EXPORT, LOW and RC4 suites. Kept as posted to show the original setup.
    ssl_protocols  SSLv2 SSLv3 TLSv1;
    ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers   on;

    location / {
        # nginx does not verify the upstream's certificate unless proxy_ssl_verify is on.
        proxy_pass https://172.17.100.200/;
    }
}

server {
    listen       443;
    server_name  nnm.toast.lan;

    ssl                  on;
    ssl_certificate      /etc/pki/nginx/server.crt;
    ssl_certificate_key  /etc/pki/nginx/server.key;

    ssl_session_timeout  1m;

    ssl_protocols  SSLv2 SSLv3 TLSv1;
    ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers   on;

    location / {
        proxy_pass https://179.60.192.3/;
    }
}

2 Answers

0
votes

Here is my solution, it finally works:

# In the http {} context, so every server block below shares one certificate:
ssl_certificate      /etc/pki/nginx/server.crt;
ssl_certificate_key  /etc/pki/nginx/server.key;

# HTTPS server configuration

server {
    listen       443;
    server_name  na.test.lan;

    ssl                  on;
    ssl_session_timeout  1m;

    ssl_protocols  SSLv2 SSLv3 TLSv1;
    ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers   on;

    location / {
        proxy_pass https://172.17.100.200/;
    }
}

server {
    listen       443;
    server_name  na.toast.lan;

    ssl                  on;
    ssl_session_timeout  1m;

    ssl_protocols  SSLv2 SSLv3 TLSv1;
    ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers   on;

    location / {
        proxy_pass https://172.17.201.2/;
    }
}

server {
    listen       443;
    server_name  na.tist.lan;

    ssl                  on;
    ssl_session_timeout  1m;

    ssl_protocols  SSLv2 SSLv3 TLSv1;
    ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers   on;

    location / {
        proxy_pass https://172.17.202.2/;
    }
}
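As an added example (not the asker's or either answerer's configuration): the two-host setup from the question rewritten for current nginx, with the host chosen by SNI and one certificate per host name, so each name gets its own certificate rather than a shared server.crt. The per-host certificate files, the default.crt/default.key pair, the internal-ca.crt trust anchor, the file path and the assumption that each upstream presents a certificate for its public name are all illustrative assumptions.

```nginx
# Added example, not the original poster's config. Assumed to live in
# /etc/nginx/conf.d/ssl.conf and be included from the http {} context.
# Assumed files under /etc/pki/nginx/: one certificate pair per host name,
# a default.crt/default.key pair, and internal-ca.crt, the CA that signed
# the upstream servers' certificates.

# Shared TLS settings for every server block below. SSLv2/SSLv3 and the
# EXPORT/LOW/RC4 suites from the original config are dropped; TLS 1.2+ with
# AEAD ciphers only (TLS 1.3 suites are not governed by ssl_ciphers).
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
ssl_session_tickets off;

# Catch-all for clients that send no SNI or an unknown name. Without it,
# such a client is served by the first server block on port 443: it gets
# that block's certificate and, if its Host header matches nothing, that
# block's content.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/pki/nginx/default.crt;   # assumed path
    ssl_certificate_key /etc/pki/nginx/default.key;   # assumed path
    return 444;   # close the connection without sending a response
}

server {
    listen 443 ssl;
    server_name na.test.lan;
    ssl_certificate     /etc/pki/nginx/na.test.lan.crt;   # assumed path
    ssl_certificate_key /etc/pki/nginx/na.test.lan.key;   # assumed path

    location / {
        proxy_pass https://172.17.100.200/;
        # nginx does not check the upstream certificate by default. Turn
        # verification on and pin the expected name so a host that takes
        # over 172.17.100.200 cannot present an arbitrary certificate.
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/pki/nginx/internal-ca.crt;   # assumed path
        proxy_ssl_name                na.test.lan;   # assumed upstream cert name
        proxy_ssl_server_name         on;
        proxy_set_header Host $host;
    }
}

server {
    listen 443 ssl;
    server_name nnm.toast.lan;
    ssl_certificate     /etc/pki/nginx/nnm.toast.lan.crt;   # assumed path
    ssl_certificate_key /etc/pki/nginx/nnm.toast.lan.key;   # assumed path

    location / {
        proxy_pass https://179.60.192.3/;
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/pki/nginx/internal-ca.crt;   # assumed path
        proxy_ssl_name                nnm.toast.lan;   # assumed upstream cert name
        proxy_ssl_server_name         on;
        proxy_set_header Host $host;
    }
}
```

Run `nginx -t` before reloading. To check which certificate each name gets, run `openssl s_client -connect <nginx-ip>:443 -servername na.test.lan </dev/null 2>/dev/null | openssl x509 -noout -subject` and repeat with `-servername nnm.toast.lan`; each should print its own subject. With `-noservername` (OpenSSL 1.1.1 and later) the default_server answers with default.crt and then drops the request, which is the behaviour a non-SNI client will see.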
-2
votes

You should use different IP addresses for each SSL server. That's in the nature of the SSL protocol: the SSL handshake must be completed in the process of establishing the connection, so the server has to pick an SSL cert to send to the client. But at this moment it doesn't know anything about the Host: header, so it simply picks the first one.

UPDATE: or use SNI: http://nginx.org/en/docs/http/configuring_https_servers.html#sni