﻿id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
1694	Prefer SNI name to Host header when selecting server block	cHYzZQo@…		"Let's say I have a config file that looks like this.

{{{
server {
    listen 7002 ssl;
    server_name my.magic.sni.name;
    ssl on;

    ssl_client_certificate /path-to-client-ca.pem;
    ssl_verify_client on;

    ssl_certificate /path-to-cert/server.crt;
    ssl_certificate_key /path-to-key/server.key;

    location / {
        proxy_pass http://client-cer-proxy:50001;
    }
}
server {
    listen 7002 ssl;
    server_name my-real.domain.name;
    ssl on;
    ssl_certificate /path-to-another-cert/server.crt;
    ssl_certificate_key /path-to-another-key/server.key;
    location / {
        proxy_pass http://no-client-proxy:50001;
    }

}
}}}

If I make a request to this server with an SNI of my.magic.sni.name but a Host header of my-real.domain.name, the SSL handshake happens as I would expect: I'm required to provide a client certificate. Assuming that handshake is successful, when it comes time to actually serve the request it uses the my-real.domain.name server block instead, proxying the request to http://no-client-proxy:50001 instead of http://client-cer-proxy:50001.

Is that expected? It seems to me that once the SSL handshake happens, the rest of the request should be processed by the same server block, and if it can't be, then it should send a 429 Misdirected Request rather than switching server blocks.

I tested this with 1.10.3 and 1.13.6. A quick look through the code didn't turn up any changes in more recent versions but I'm happy to test again if it will help."	defect	closed	minor		nginx-core		invalid				"nginx version: nginx/1.10.3 (Ubuntu)
built with OpenSSL 1.0.2g  1 Mar 2016
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_v2_module --with-http_sub_module --with-http_xslt_module --with-stream --with-stream_ssl_module --with-mail --with-mail_ssl_module --with-threads"
