Nginx serving the SSL certificate of another site

I serve two sites with Nginx. The first site (call it A) has an SSL certificate; the second site (call it B) does not. Site A works fine over https and B over http. But when I open site B over https, nginx serves site A's SSL certificate and site A's content under domain B, which should not happen.

The Nginx configuration for site A is as follows. Site B's configuration is just a reverse proxy for a Flask application.

    server {
        listen 80;
        server_name siteA.com;
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl;
        server_name siteA.com;
        ssl_certificate /path/to/cert.cert
        ssl_certificate_key /path/to/cert_key.key;
        ssl_prefer_server_ciphers on;
        ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        keepalive_timeout 70;
        # and then the `location /` serving static files
    }

I cannot understand what is wrong here.

+10
4 answers

Apparently I need a dedicated IP for site A.

Quote from "What exactly does “every SSL certificate requires a dedicated IP address” mean?":

When securing a connection with TLS, you usually use a certificate to authenticate the server (and sometimes the client). There is one server per IP/port, so the server usually has no problem choosing which certificate to use. HTTPS is an exception: several different domain names can refer to the same IP address, and a client (usually a browser) connects to the same server for different domain names. The domain name is sent to the server in the request that comes after the TLS session has been established. This is where the problem arises: the web server does not know which certificate to present. To solve this, a new extension called SNI (Server Name Indication) was added to TLS. However, not all clients support it. Therefore, in general, it is recommended to have a dedicated IP/port for each domain. In other words, each domain that a client can connect to over HTTPS must have its own IP address (or a different port, but this is not usual).

Nginx listens on port 443, so when a request for site B arrived over https, a TLS handshake took place and site A's certificate was presented before any content was served.

+2

NGINX supports SNI, so it can serve different domains with different certificates from the same IP address. This is done with several server blocks. NGINX documents this at http://nginx.org/en/docs/http/configuring_https_servers.html

HTTP/2 and IPv6 matter to me, so I listen on [::] and set ipv6only=off. Apparently this parameter may be set only in the first server block, otherwise NGINX will not start:

 duplicate listen options for [::]:443 

These are the server blocks:

    server {
        listen [::]:443 ssl http2 ipv6only=off;
        server_name siteA.com www.siteA.com;
        ssl_certificate /path/to/certA.cert;
        ssl_certificate_key /path/to/certA_key.key;
    }

    server {
        listen [::]:443 ssl http2;
        server_name siteB.com www.siteB.com;
        ssl_certificate /path/to/certB.cert;
        ssl_certificate_key /path/to/certB_key.key;
    }
0

The ssl_certificate directive must be terminated with ; to get the expected result.

Also, check that every directive in the configuration file has the correct syntax with the following command, then reload or restart the service:

 sudo nginx -t 
0

If you host several sites on your server in the same Nginx configuration and you have listen 443 ssl http2 default_server;

default_server will serve the same certificate to all domains. Fixing it will fix the problem.

Following this tutorial, I skipped this part:

Note: you can have only one listen directive that includes the default_server modifier per IP version and port combination. If you have other server blocks for these ports with the default_server parameter set, you must remove the modifier from one of the blocks.

-1
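To see why the configuration in the question behaves as it does, and how the SNI server blocks from the second answer and the default_server rule from the answer above change the outcome, here is an added Python example (not from the original thread, and not nginx's own code) that parses a constructed nginx snippet and replays nginx's server-block selection: a matching server_name first, then the block marked default_server, else the first block listening on that port. The config text, the certificate paths and the placeholder catch-all block are all constructed for the example; regex server_name entries are not modelled.

```python
import re

# Constructed sample (not the original poster's config): site A has HTTP and
# HTTPS blocks, site B has only an HTTP reverse-proxy block. This reproduces
# the situation in the question.
SAMPLE_CONFIG = """
server { listen 80; server_name siteA.com; return 301 https://$host$request_uri; }
server { listen 443 ssl; server_name siteA.com; ssl_certificate /path/to/certA.cert; ssl_certificate_key /path/to/certA_key.key; }
server { listen 80; server_name siteB.com; location / { proxy_pass http://127.0.0.1:5000; } }
"""

# Catch-all block for names no other block claims (certificate paths are
# placeholders for a self-signed certificate). "return 444" closes the
# connection without sending a response, so unknown names never receive
# another site's content.
CATCH_ALL = """
server { listen 443 ssl default_server; server_name _; ssl_certificate /path/to/placeholder.cert; ssl_certificate_key /path/to/placeholder.key; return 444; }
"""


def _server_bodies(config):
    """Yield the text inside each top-level server { ... } block."""
    text = re.sub(r"#[^\n]*", "", config)  # drop comments
    pos = 0
    while True:
        m = re.search(r"\bserver\s*\{", text[pos:])
        if not m:
            return
        start = pos + m.end()
        depth, i = 1, start
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield text[start:i - 1]
        pos = i


def _top_level(body):
    """Strip nested blocks (location {}, if {}) so only the server's own
    directives remain."""
    out, depth = [], 0
    for ch in body:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        elif depth == 0:
            out.append(ch)
    return "".join(out)


def parse_config(config):
    """Return one dict per server block with the fields that matter for
    virtual-host selection. Raises ValueError for the argument-count error
    nginx -t reports when a ';' is missing after ssl_certificate."""
    servers = []
    for body in _server_bodies(config):
        info = {"ports": set(), "server_name": [], "default_server": False,
                "ssl_certificate": None}
        for stmt in _top_level(body).split(";"):
            parts = stmt.split()
            if not parts:
                continue
            name, args = parts[0], parts[1:]
            if name == "listen":
                port = args[0].rsplit(":", 1)[-1]   # "443", "[::]:443", "0.0.0.0:443"
                info["ports"].add(port if port.isdigit() else "80")  # nginx default port
                info["default_server"] |= "default_server" in args
            elif name == "server_name":
                info["server_name"].extend(args)
            elif name in ("ssl_certificate", "ssl_certificate_key"):
                if len(args) != 1:
                    raise ValueError(f'invalid number of arguments in "{name}" directive')
                if name == "ssl_certificate":
                    info["ssl_certificate"] = args[0]
        servers.append(info)
    return servers


def _name_matches(pattern, host):
    """Exact names plus '*.example.com' and '.example.com' wildcards."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def select_server(servers, port, host):
    """Pick the block nginx would use for a connection on `port` whose SNI /
    Host value is `host`: a matching server_name wins; otherwise the block
    marked default_server; otherwise the first block listening on that port.
    That last fallback is why site B on :443 receives site A's certificate."""
    candidates = [s for s in servers if port in s["ports"]]
    if not candidates:
        return None
    for s in candidates:
        if any(_name_matches(p, host) for p in s["server_name"]):
            return s
    for s in candidates:
        if s["default_server"]:
            return s
    return candidates[0]


def explain(config, port, host):
    """Human-readable summary of which block (and certificate) answers host:port."""
    s = select_server(parse_config(config), port, host)
    if s is None:
        return f"nothing listens on port {port}"
    return (f"{host}:{port} -> server_name {' '.join(s['server_name'])}"
            f" (ssl_certificate={s['ssl_certificate']})")


if __name__ == "__main__":
    print(explain(SAMPLE_CONFIG, "443", "siteB.com"))              # lands on siteA.com's block
    print(explain(CATCH_ALL + SAMPLE_CONFIG, "443", "siteB.com"))  # lands on the catch-all
```

Run as a script it shows siteB.com:443 landing on siteA.com's block with siteA's certificate, and with the catch-all prepended landing on the placeholder instead; adding a 443 block for siteB.com, as in the second answer, makes the name match directly. Against a live server the equivalent check is `openssl s_client -connect host:443 -servername siteB.com`, which shows which certificate the server actually presents for that name.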

Source: https://habr.com/ru/post/954647/
