id summary reporter owner description type status priority milestone component version resolution keywords cc uname nginx_version 195 Close connection if SSL not enabled for vhost svario.it/gioele somebody "Instead of using the default SSL certificate, nginx should (by default or when configured) close the SSL connection as soon as it realizes that the requested domain has not been configured to be served over HTTPS. For example, {{{ server { listen 80 default_server; listen 443 ssl; server_name aaa.example.net; ssl_certificate /etc/ssl/certs/aaa.example.net.pem; ssl_certificate_key /etc/ssl/private/aaa.example.net.key; } server { listen 80; server_name bbb.example.net; } }}} If a client starts an HTTPS request for bbb.example.net, it will be greeted with a (correct) error/warning: ""This certificate is untrusted, wrong domain"". This is correct because nginx is serving the aaa.example.net certificate. What nginx should do is to close the connection as soon as it discovers the domain that is being requested (after reading the SNI data, I suppose). This will communicate to the client and the user that there is HTTPS connectivity on bbb.example.net. Also, this solution will not disclose information about the fact that aaa.example.net is served by the same nginx server." enhancement closed minor nginx-module 1.3.x fixed Linux camelia.svario.it 3.2.0-29-virtual #46-Ubuntu SMP Fri Jul 27 17:23:50 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux "nginx version: nginx/1.1.19 TLS SNI support enabled configure arguments: --prefix=/etc/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-log-path=/var/log/nginx/access.log --http-proxy-temp-path=/var/lib/nginx/proxy --lock-path=/var/lock/nginx.lock --pid-path=/var/run/nginx.pid --with-http_gzip_static_module --with-http_ssl_module --with-ipv6 --without-http_browser_module --without-http_geo_module --without-http_limit_req_module --without-http_limit_zone_module --without-http_memcached_module --without-http_referer_module --without-http_scgi_module --without-http_split_clients_module --with-http_stub_status_module --without-http_ssi_module --without-http_userid_module --without-http_uwsgi_module --add-module=/build/buildd/nginx-1.1.19/debian/modules/nginx-echo"