id: 1192
summary: ssl configuration inherited from the wrong server block
reporter: Alexey Ivanov
owner:
description:
I have the following configuration:
{{{
daemon off;
master_process off;
error_log stderr debug;

events {
    worker_connections 1024;
}

http {
    # catch-all HTTPS server
    server {
        listen 127.0.0.1:9443 ssl http2;
        server_name _;

        ssl_certificate server.crt;
        ssl_certificate_key server.key;

        location / {
            return 444;
        }
    }

    # HTTPS server
    server {
        listen 127.0.0.1:9443 ssl http2;
        server_name example.com;

        # THIS DOES NOT WORK
        ssl_buffer_size 4k;

        ssl_certificate server.crt;
        ssl_certificate_key server.key;

        location / {
            root html;
        }
    }
}
}}}
... its aim is to drop all traffic with domain name != example.com

Though if you `curl` a big file there, e.g.:
{{{
curl -s -o /dev/null -k -v --resolve example.com:9443:127.0.0.1 'https://example.com:9443/somebigfile'
}}}
you can see that nginx is not applying `ssl_buffer_size` from the `server` block with a proper `server_name`, but instead is using 16k (`| fgrep 'SSL_write:'`), which I assume is inherited from the block with `server_name _`.

PS. It most likely behaves like that for all `ssl_` directives, including `ssl_certificate` and `ssl_certificate_key`, not only for the `ssl_buffer_size`.

PPS. curl is using SNI, so nginx should have enough data to pick the proper server block during the ssl negotiation step.

type: defect
status: closed
priority: minor
milestone:
component: other
version: 1.11.x
resolution: fixed
keywords:
cc:
uname: Linux 3.16.XXXX x86_64
nginx_version:
{{{
% ./objs/nginx -V
nginx version: nginx/1.11.10
built by gcc 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5)
built with OpenSSL 1.0.1 14 Mar 2012
TLS SNI support enabled
configure arguments: --with-http_ssl_module --with-debug --with-http_v2_module
}}}
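The reporter checks which ssl_buffer_size is in effect by grepping curl's `SSL_write:` debug lines. The same fact is visible on the wire without curl: ssl_buffer_size caps the plaintext carried in each TLS record nginx writes, so a server honouring `4k` emits application-data records of about 4096 bytes plus cipher overhead, while one that silently uses the default emits records of about 16384 bytes plus overhead. The script below is an added example, not part of the ticket or of nginx. It parses a server-to-client TLS byte stream into records, reports the largest application-data record, and judges whether a configured ssl_buffer_size was applied; `capture_server_records` fetches a path from a given IP with a given SNI name (the equivalent of curl's `-k --resolve`) through `ssl.MemoryBIO` so the raw ciphertext can be inspected. The 256-byte overhead allowance and the zero-filled sample records are assumptions made for the example; the function names are the example's own.

```python
import socket
import ssl
import struct

# TLS record-layer content types (RFC 5246 section 6.2.1).
TLS_HANDSHAKE = 22
TLS_APPLICATION_DATA = 23
# Largest legal ciphertext record: 2^14 plaintext plus up to 2048 bytes of
# expansion in TLS 1.2 (TLS 1.3 permits only 256). Anything bigger is not TLS.
TLS_MAX_RECORD_LEN = 16384 + 2048
RECORD_HEADER = struct.Struct("!BHH")  # content_type, protocol version, length


def parse_tls_records(stream: bytes):
    """Split a raw TLS byte stream into (content_type, length) pairs.

    A truncated final record is dropped rather than mis-parsed; a length field
    above the TLS maximum means the input is not a TLS stream.
    """
    records = []
    offset = 0
    while offset + RECORD_HEADER.size <= len(stream):
        ctype, _version, length = RECORD_HEADER.unpack_from(stream, offset)
        if length > TLS_MAX_RECORD_LEN:
            raise ValueError(f"record length {length} at offset {offset} exceeds the TLS maximum")
        offset += RECORD_HEADER.size
        if offset + length > len(stream):
            break  # trailing partial record
        records.append((ctype, length))
        offset += length
    return records


def max_app_data_record(stream: bytes) -> int:
    """Largest application-data record on the wire, 0 if there is none."""
    sizes = [n for t, n in parse_tls_records(stream) if t == TLS_APPLICATION_DATA]
    return max(sizes, default=0)


def ssl_buffer_size_applied(stream: bytes, ssl_buffer_size: int, max_overhead: int = 256) -> bool:
    """True if every application-data record fits the configured ssl_buffer_size.

    The ciphertext record is the plaintext plus MAC/tag/nonce/padding; 256 bytes
    (an assumption here) comfortably covers any modern cipher, so a server that
    ignores a 4k setting and writes ~16k records is rejected.
    """
    return max_app_data_record(stream) <= ssl_buffer_size + max_overhead


def build_sample_stream(payload_sizes, content_type=TLS_APPLICATION_DATA, version=0x0303):
    """Constructed sample input: TLS 1.2 records with zero-filled bodies."""
    return b"".join(RECORD_HEADER.pack(content_type, version, n) + bytes(n) for n in payload_sizes)


def capture_server_records(ip, port, sni, path="/", timeout=10.0):
    """Fetch `path` from ip:port presenting `sni`, returning the raw bytes the server sent.

    Like `curl -k --resolve sni:port:ip`: connects to the IP, sends the SNI name,
    skips certificate verification. ssl.MemoryBIO keeps the ciphertext visible so
    record sizes can be measured with the functions above.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=sni)
    raw = bytearray()
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        def flush_and_read():
            pending = outgoing.read()
            if pending:
                sock.sendall(pending)
            chunk = sock.recv(65536)
            if chunk:
                raw.extend(chunk)
                incoming.write(chunk)
            else:
                incoming.write_eof()
            return bool(chunk)

        while True:
            try:
                tls.do_handshake()
                break
            except ssl.SSLWantReadError:
                if not flush_and_read():
                    raise ConnectionError("server closed the connection during the handshake")
        request = f"GET {path} HTTP/1.1\r\nHost: {sni}\r\nConnection: close\r\n\r\n"
        tls.write(request.encode())
        sock.sendall(outgoing.read())
        while True:
            try:
                if not tls.read(65536):  # plaintext is discarded; only record sizes matter
                    break
            except ssl.SSLWantReadError:
                if not flush_and_read():
                    break
            except (ssl.SSLZeroReturnError, ssl.SSLEOFError):
                break
    return bytes(raw)


if __name__ == "__main__":
    import sys
    ip, port, sni, path = sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4]
    stream = capture_server_records(ip, port, sni, path)
    print("largest application-data record:", max_app_data_record(stream))
```

Against the ticket's setup the call would be `capture_server_records("127.0.0.1", 9443, "example.com", "/somebigfile")`; with the 4k block in effect `ssl_buffer_size_applied(stream, 4096)` is True, and with the catch-all block's default in effect it is False. Python's default context does not offer ALPN, so the exchange is HTTP/1.1 even though the listen directive enables http2; the record-size observation is the same either way.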