Comments (7)
not a bad idea?
from server-configs-nginx.
It's possible, using multiple 'listen' statements in the server block, as described here: http://nginx.org/en/docs/http/configuring_https_servers.html#single_http_https_server
However, one would need a legitimate SSL cert, I would think, to be able to serve the error? The SSL handshake comes first, so I don't think it would even be possible to redirect to port 80 and then show an error. However, my knowledge in this area is probably lacking. The idea itself is a good one, though, I'll certainly vote for that.
from server-configs-nginx.
@ctessmer You're welcome =).
However until SNI support can be taken for granted, that's not a good idea. Any client without SNI would always hit the no-default server that way. See #33 for some further background.
I'm not sure of the best practice to defend against header attacks over https whilst accounting for no-SNI - You might need to account for that at the application level (host name not example.com? redirect to example.com/$request_uri).
@StephenBrown2 if there was not a legitimate ssl certificate, nginx wouldn't allow any connections over https, it would just flat out fail; more importantly though, there would be nothing to exploit making the point/purpose of this issue moot. You are right that you can't redirect from https to http without there being a server listening on https.
from server-configs-nginx.
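An added example, not taken from the thread or from the project's own config files, of the arrangement discussed above: a plain-HTTP catch-all that needs no certificate, and an HTTPS server that is itself the default for port 443 and redirects any unexpected host name to the canonical one. `example.com` and the certificate paths are placeholders.

```nginx
# Added illustration; example.com and the certificate paths are placeholders.

# Plain HTTP catch-all: any request whose Host matches no other server block
# lands here. No TLS handshake is involved, so no certificate is needed.
server {
    listen 80 default_server;
    server_name _;
    return 444;            # nginx-specific: close the connection, send nothing
}

# Plain HTTP for the real site: upgrade to HTTPS.
server {
    listen 80;
    server_name example.com;
    return 301 https://example.com$request_uri;
}

# HTTPS: the real site is also the default server for port 443.
# nginx has to choose a certificate during the handshake, before it has seen
# the Host header. A client that sends no SNI is offered the default server's
# certificate, so making the real site the default keeps that certificate valid
# for such clients.
server {
    listen 443 ssl default_server;
    server_name example.com;

    ssl_certificate     /etc/nginx/certs/example.com.crt;
    ssl_certificate_key /etc/nginx/certs/example.com.key;

    # Host header check after the handshake: anything that is not the
    # canonical name is redirected instead of being served or reflected.
    if ($host != "example.com") {
        return 301 https://example.com$request_uri;
    }

    root /var/www/example.com/public;
}
```

Running `nginx -t` after editing confirms the blocks load and that only one `default_server` is declared per listen address.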
You guys rule. Great insights. Thanks for jumping in on this.
@AD7six I thought SNI was a server thing and not a client thing? So it sounds like perhaps older browsers won't be able to hang with my SNI enabled nginx box? I might start ending all my questions with a question mark? :)
from server-configs-nginx.
@ctessmer just as a browser can't connect to a server if there is no webserver (nginx) running on it, clients can't use SNI if it's not implemented on the server. Nginx has had SNI support for a long time.
However the point is that there are still some "common" clients that don't support SNI such as Android 2.x, and unlike browser-compatibility issues where using an old browser might deteriorate the interface, relying on SNI when it's not possible simply cuts the user off with no means to access the website.
from server-configs-nginx.
@AD7six Ahh. Ok. Thx for that. And my apologies in advance, ~12% of Android users.
from server-configs-nginx.
@AD7six I meant as opposed to a self-signed cert, which would cause a browser error regardless. Still, SNI is definitely awesome, and the way of the future.
from server-configs-nginx.