
Comments (3)

AD7six avatar AD7six commented on May 18, 2024

That's more a question for nginx support (their irc room or forum) however I can give you an answer:

From wikipedia:

Server Name Indication (SNI) is an extension to the TLS protocol[1] that indicates what hostname the client is attempting to connect to at the start of the handshaking process. This allows a server to present multiple certificates on the same IP address and port number and hence allows multiple secure (HTTPS) websites (or any other Service over TLS) to be served off the same IP address without requiring all those sites to use the same certificate. It is the conceptual equivalent to HTTP/1.1 virtual hosting for HTTPS.

As I understand it, when initiating an HTTPS request the host name isn't known - it's only connecting to an IP address and hence, without SNI, the webserver doesn't know which certificate to serve up and therefore will use the default.

If I have Site A with SSL and Site B without SSL. I would usually add the SSL directives to the site specific configuration. So Site A would have those certificate directives, while Site B won't.

If you only have one domain with SSL - SNI isn't a factor as there is only one domain using that IP address with https.

If I set the default certificates to site A's certificates, won't that mean when somebody accesses site B they may get site A's certificates?

In your example Site B doesn't have https - so the request would just fail. If however Site B did use https - yes that's exactly what would happen iff the client does not support SNI.

In what situation would anybody want to have a default certificate unless it was a multi domain wildcard certificate?

If you're using https you should I think always set a default - because the default certificate is by ip address, not hostname.

Also the keepalive_timeout should be optimised to 70 for ssl certificates right?

I don't think so. This might give you some perspective on that.

from server-configs-nginx.
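The mechanism described above, as an added example that is not part of this thread or of the server-configs-nginx project: it drives a real OpenSSL client handshake into memory (no network), parses the resulting ClientHello for the server_name extension, and shows that without SNI a server has nothing to select a certificate by and falls back to its default. The hostnames, the certificate file names and pick_certificate are constructed for illustration.

```python
import ssl
from typing import Optional

def build_client_hello(server_hostname: Optional[str]) -> bytes:
    """Return the bytes a TLS client sends first (the ClientHello record),
    produced by OpenSSL itself via memory BIOs. No socket is opened."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # needed to allow server_hostname=None (no SNI)
    ctx.verify_mode = ssl.CERT_NONE  # there is no peer; we only want the first flight
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello written, client now waits for ServerHello
    return outgoing.read()

def extract_sni(wire: bytes) -> Optional[str]:
    """Parse TLS records, reassemble the handshake message and return the
    host_name from the server_name (type 0) extension, or None if absent."""
    body, pos = b"", 0
    while pos + 5 <= len(wire):                         # record: type, version, length
        rtype, rlen = wire[pos], int.from_bytes(wire[pos + 3:pos + 5], "big")
        if rtype == 22:                                 # 22 = handshake
            body += wire[pos + 5:pos + 5 + rlen]
        pos += 5 + rlen
    if not body or body[0] != 1:                        # 1 = ClientHello
        return None
    p = 4 + 2 + 32                                      # handshake hdr, version, random
    p += 1 + body[p]                                    # session_id
    p += 2 + int.from_bytes(body[p:p + 2], "big")       # cipher_suites
    p += 1 + body[p]                                    # compression_methods
    if p + 2 > len(body):
        return None                                     # no extensions block at all
    ext_end = p + 2 + int.from_bytes(body[p:p + 2], "big")
    p += 2
    while p + 4 <= ext_end:
        etype = int.from_bytes(body[p:p + 2], "big")
        elen = int.from_bytes(body[p + 2:p + 4], "big")
        data = body[p + 4:p + 4 + elen]
        if etype == 0 and len(data) >= 5 and data[2] == 0:  # server_name, host_name
            nlen = int.from_bytes(data[3:5], "big")
            return data[5:5 + nlen].decode("ascii")
        p += 4 + elen
    return None

def pick_certificate(sni: Optional[str], certs_by_host: dict, default_cert: str) -> str:
    """What a virtual-hosting server does: select by SNI, else the default (per IP:port)."""
    return certs_by_host.get(sni, default_cert)
```

A client that sets no server_hostname (or a pre-SNI client) produces a ClientHello with no server_name extension, so pick_certificate returns the default certificate regardless of which site the user meant.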

CMCDragonkai avatar CMCDragonkai commented on May 18, 2024

You mentioned that the default certificate is by IP address. Are you referring to the SSL certificate? When I bought an SSL cert, it was by hostname.


AD7six avatar AD7six commented on May 18, 2024

Of course the certificate was purchased for a hostname - but establishing a secure connection to a server is by IP address.

If you need further nginx help, please use an appropriate place or since the question isn't actually nginx specific e.g. stackoverflow.

