Dear all,
After years of running an nginx server that never had any trouble with SNI, I am suddenly facing a certificate issue.
To rule out a misconfiguration, nginx -V tells me:
--
nginx version: nginx/1.1.19
TLS SNI support enabled
--
Second, all server blocks are correctly linked, nginx -t does not complain, and OpenSSL is working. But with the following config, the wrong certificate (sub.domainy.com) is served when b.domain-x.de is requested:
===BLOCK 1, file in …/sites-available/sub.domainy.com ===
--
# Backend for sub.domainy.com: one plain-HTTP listener on the loopback
# interface. fail_timeout=0 disables the "mark unavailable" window after a
# failed attempt (the usual setting for a single local app server).
upstream sub_domainy {
    server 127.0.0.1:1234 fail_timeout=0;
}
# sub.domainy.com, plain HTTP: log the request and send the client to HTTPS.
server {
    listen [::]:80;
    server_name sub.domainy.com;

    access_log /var/log/nginx/sub.domainy.com.access.log;
    error_log /var/log/nginx/sub.domainy.com.error.log;

    # Absolute https:// target => nginx answers with a (temporary) redirect.
    # $request_uri already carries the query string; the trailing "?" stops
    # nginx from appending the arguments a second time.
    rewrite ^ https://$server_name$request_uri? ;
}
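# sub.domainy.com, HTTPS. Because of default_server this block also answers
# every connection on [::]:443 whose ClientHello carries no SNI name, or a
# name that no other server_name matches. A client that is shown this
# certificate while asking for b.domain-x.de therefore either sent no SNI or
# hit a server block that is not actually part of the running configuration
# (a site file that is not linked into the enabled set passes nginx -t
# unnoticed).
server {
    listen [::]:443 ssl default_server;
    server_name sub.domainy.com;
    server_tokens off;

    ssl_certificate /etc/nginx/ssl/wildcard.domainy.com.crt;
    ssl_certificate_key /etc/nginx/ssl/wildcard.domainy.com.key;

    # Stated explicitly to match the b.domain-x.de block; the implicit default
    # on this nginx release still includes SSLv3.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # Same cache name as the other HTTPS block, so both share one 10m cache.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;

    ssl_prefer_server_ciphers on;
    # Two entries were misspelled and silently ignored by OpenSSL:
    # "DHE-AES128-GCM-SHA256" is not a cipher name (the RSA suite is
    # DHE-RSA-AES128-GCM-SHA256) and "eNull" is not the "eNULL" alias
    # (matching is case-sensitive). Corrected so the intended suite keeps its
    # preference slot and NULL-encryption suites are really excluded.
    # No ssl_dhparam is set, so the DHE suites use nginx's built-in default
    # DH parameters.
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!eNULL:!MD5:!RC4:!EXPORT:!DES:!PSK;

    access_log /var/log/nginx/sub.domainy.com.access.log;
    error_log /var/log/nginx/sub.domainy.com.error.log;

    location / {
        # Pass the client address, the original Host and the scheme through
        # to the backend, which only speaks plain HTTP.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto https;
        # Do not let nginx rewrite Location/Refresh headers from the backend.
        proxy_redirect off;
        proxy_pass http://sub_domainy;
    }
}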
--
===BLOCK 2, file in …/sites-available/b.domain-x.de ===
--
# Backend for b.domain-x.de: one plain-HTTP listener on the loopback
# interface. fail_timeout=0 disables the "mark unavailable" window after a
# failed attempt (the usual setting for a single local app server).
upstream b_domain_x {
    server 127.0.0.1:2468 fail_timeout=0;
}
# b.domain-x.de, plain HTTP: log the request and send the client to HTTPS.
server {
    listen [::]:80;
    server_name b.domain-x.de;

    # Left disabled on purpose: these headers are only sent by the HTTPS
    # block, and browsers ignore Strict-Transport-Security received over
    # plain HTTP anyway.
    #add_header Strict-Transport-Security max-age=31536000;
    #add_header X-Frame-Options DENY;

    access_log /var/log/nginx/b.domain-x.de.access.log;
    error_log /var/log/nginx/b.domain-x.de.error.log;

    # Unlike the sub.domainy.com block, this sends every request to the site
    # root: the captured path is discarded (the original query string is
    # still appended, since the replacement has no trailing "?"). Confirm
    # that is intended.
    rewrite ^/(.*) https://b.domain-x.de ;
}
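# b.domain-x.de, HTTPS. This is not the default_server, so it is only chosen
# when the ClientHello carries the SNI name b.domain-x.de -- and only if this
# file is actually included in the running configuration.
server {
    listen [::]:443 ssl;
    server_name b.domain-x.de;
    server_tokens off;

    ssl_certificate /etc/nginx/ssl/wildcard.domain-x.de.crt;
    ssl_certificate_key /etc/nginx/ssl/wildcard.domain-x.de.key;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # Same cache name as the sub.domainy.com block, so the 10m cache is
    # shared; note that the two blocks declare different timeouts for it.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    ssl_prefer_server_ciphers on;
    # "AESCGM" was a typo for "AESGCM". OpenSSL silently drops a rule it
    # cannot parse, so the ECDSA+GCM suites had lost their first-preference
    # slot (they were still enabled later through the "EECDH" alias).
    # "-3DES:DES-CBC3-SHA" deliberately re-adds exactly one 3DES suite as a
    # last-resort fallback. No ssl_dhparam is set, so the "EDH+aRSA" suites
    # use nginx's built-in default DH parameters.
    ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:-3DES:DES-CBC3-SHA:!MD5:!PSK:!SRP:!DSS:!SEED:!EXPORT:!CAMELLIA:!DES;

    # Sent with every response from this block (no location below declares
    # its own add_header, which would otherwise replace these).
    add_header Strict-Transport-Security max-age=31536000;
    add_header X-Frame-Options DENY;

    access_log /var/log/nginx/b.domain-x.de.access.log;
    error_log /var/log/nginx/b.domain-x.de.error.log;

    location / {
        # Pass the client address, the original Host and the scheme through
        # to the backend, which only speaks plain HTTP.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto https;
        # Do not let nginx rewrite Location/Refresh headers from the backend.
        proxy_redirect off;
        proxy_pass http://b_domain_x;
    }
}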
--
Does anybody see a mistake? I would really appreciate your help, I find it kind of puzzling. Thanks a lot, have a nice day...
After years of running an nginx server that never had any trouble with SNI, I am suddenly facing a certificate issue.
To rule out a misconfiguration, nginx -V tells me:
--
nginx version: nginx/1.1.19
TLS SNI support enabled
--
Second, all server blocks are correctly linked, nginx -t does not complain, and OpenSSL is working. But with the following config, the wrong certificate (sub.domainy.com) is served when b.domain-x.de is requested:
===BLOCK 1, file in …/sites-available/sub.domainy.com ===
--
# Backend for sub.domainy.com: one plain-HTTP listener on the loopback
# interface. fail_timeout=0 disables the "mark unavailable" window after a
# failed attempt (the usual setting for a single local app server).
upstream sub_domainy {
    server 127.0.0.1:1234 fail_timeout=0;
}
# sub.domainy.com, plain HTTP: log the request and send the client to HTTPS.
server {
    listen [::]:80;
    server_name sub.domainy.com;

    access_log /var/log/nginx/sub.domainy.com.access.log;
    error_log /var/log/nginx/sub.domainy.com.error.log;

    # Absolute https:// target => nginx answers with a (temporary) redirect.
    # $request_uri already carries the query string; the trailing "?" stops
    # nginx from appending the arguments a second time.
    rewrite ^ https://$server_name$request_uri? ;
}
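# sub.domainy.com, HTTPS. Because of default_server this block also answers
# every connection on [::]:443 whose ClientHello carries no SNI name, or a
# name that no other server_name matches. A client that is shown this
# certificate while asking for b.domain-x.de therefore either sent no SNI or
# hit a server block that is not actually part of the running configuration
# (a site file that is not linked into the enabled set passes nginx -t
# unnoticed).
server {
    listen [::]:443 ssl default_server;
    server_name sub.domainy.com;
    server_tokens off;

    ssl_certificate /etc/nginx/ssl/wildcard.domainy.com.crt;
    ssl_certificate_key /etc/nginx/ssl/wildcard.domainy.com.key;

    # Stated explicitly to match the b.domain-x.de block; the implicit default
    # on this nginx release still includes SSLv3.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # Same cache name as the other HTTPS block, so both share one 10m cache.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;

    ssl_prefer_server_ciphers on;
    # Two entries were misspelled and silently ignored by OpenSSL:
    # "DHE-AES128-GCM-SHA256" is not a cipher name (the RSA suite is
    # DHE-RSA-AES128-GCM-SHA256) and "eNull" is not the "eNULL" alias
    # (matching is case-sensitive). Corrected so the intended suite keeps its
    # preference slot and NULL-encryption suites are really excluded.
    # No ssl_dhparam is set, so the DHE suites use nginx's built-in default
    # DH parameters.
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!eNULL:!MD5:!RC4:!EXPORT:!DES:!PSK;

    access_log /var/log/nginx/sub.domainy.com.access.log;
    error_log /var/log/nginx/sub.domainy.com.error.log;

    location / {
        # Pass the client address, the original Host and the scheme through
        # to the backend, which only speaks plain HTTP.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto https;
        # Do not let nginx rewrite Location/Refresh headers from the backend.
        proxy_redirect off;
        proxy_pass http://sub_domainy;
    }
}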
--
===BLOCK 2, file in …/sites-available/b.domain-x.de ===
--
# Backend for b.domain-x.de: one plain-HTTP listener on the loopback
# interface. fail_timeout=0 disables the "mark unavailable" window after a
# failed attempt (the usual setting for a single local app server).
upstream b_domain_x {
    server 127.0.0.1:2468 fail_timeout=0;
}
# b.domain-x.de, plain HTTP: log the request and send the client to HTTPS.
server {
    listen [::]:80;
    server_name b.domain-x.de;

    # Left disabled on purpose: these headers are only sent by the HTTPS
    # block, and browsers ignore Strict-Transport-Security received over
    # plain HTTP anyway.
    #add_header Strict-Transport-Security max-age=31536000;
    #add_header X-Frame-Options DENY;

    access_log /var/log/nginx/b.domain-x.de.access.log;
    error_log /var/log/nginx/b.domain-x.de.error.log;

    # Unlike the sub.domainy.com block, this sends every request to the site
    # root: the captured path is discarded (the original query string is
    # still appended, since the replacement has no trailing "?"). Confirm
    # that is intended.
    rewrite ^/(.*) https://b.domain-x.de ;
}
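# b.domain-x.de, HTTPS. This is not the default_server, so it is only chosen
# when the ClientHello carries the SNI name b.domain-x.de -- and only if this
# file is actually included in the running configuration.
server {
    listen [::]:443 ssl;
    server_name b.domain-x.de;
    server_tokens off;

    ssl_certificate /etc/nginx/ssl/wildcard.domain-x.de.crt;
    ssl_certificate_key /etc/nginx/ssl/wildcard.domain-x.de.key;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # Same cache name as the sub.domainy.com block, so the 10m cache is
    # shared; note that the two blocks declare different timeouts for it.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    ssl_prefer_server_ciphers on;
    # "AESCGM" was a typo for "AESGCM". OpenSSL silently drops a rule it
    # cannot parse, so the ECDSA+GCM suites had lost their first-preference
    # slot (they were still enabled later through the "EECDH" alias).
    # "-3DES:DES-CBC3-SHA" deliberately re-adds exactly one 3DES suite as a
    # last-resort fallback. No ssl_dhparam is set, so the "EDH+aRSA" suites
    # use nginx's built-in default DH parameters.
    ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:-3DES:DES-CBC3-SHA:!MD5:!PSK:!SRP:!DSS:!SEED:!EXPORT:!CAMELLIA:!DES;

    # Sent with every response from this block (no location below declares
    # its own add_header, which would otherwise replace these).
    add_header Strict-Transport-Security max-age=31536000;
    add_header X-Frame-Options DENY;

    access_log /var/log/nginx/b.domain-x.de.access.log;
    error_log /var/log/nginx/b.domain-x.de.error.log;

    location / {
        # Pass the client address, the original Host and the scheme through
        # to the backend, which only speaks plain HTTP.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto https;
        # Do not let nginx rewrite Location/Refresh headers from the backend.
        proxy_redirect off;
        proxy_pass http://b_domain_x;
    }
}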
--
Does anybody see a mistake? I would really appreciate your help, I find it kind of puzzling. Thanks a lot, have a nice day...