Opened 11 years ago
Closed 11 years ago
#628 closed task (invalid)
nginx serving wrong certificate for another domain?
| Reported by: | Lorenzo Raffio | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | nginx-core | Version: | 1.7.x |
| Keywords: | ssl certificate sni | Cc: | |
| uname -a: | | | |
| nginx -V: | 1.7.4 | | |
Description
I have SNI installed and running fine. I have 6 websites hosted on the same VPS, same IP. 5 of them work just fine; every one is serving its correct SSL certificate.
But there's one that, even if I set ssl_certificate to the correct crt file for that domain, is serving the certificate of another domain! (WTF?)
Here's the whole conf file for this domain:
```nginx
fastcgi_cache_path /var/www/blabla.it/cache levels=1:2 keys_zone=blabla.it:100m inactive=60m;

server {
    ### MAIN ###
    server_name .blabla.it;
    index index.php;
    root /var/www/blabla.it/htdocs;

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /var/www/blabla.it/ssl/ca-certs.pem;
    ssl_certificate /var/www/blabla.it/ssl/ssl.crt;
    ssl_certificate_key /var/www/blabla.it/ssl/ssl.key;

    access_log /var/www/blabla.it/logs/access.log.gz combined gzip;
    error_log /var/www/blabla.it/logs/error.log;
    charset utf-8;

    rewrite ^/sitemap_index\.xml$ /index.php?sitemap=1 last;
    rewrite ^/([^/]+?)-sitemap([0-9]+)?\.xml$ /index.php?sitemap=$1&sitemap_n=$2 last;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        fastcgi_cache blabla.it;
        fastcgi_cache_valid 200 5m;
        fastcgi_cache_bypass $no_cache;
        fastcgi_no_cache $no_cache;
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        include fastcgi.conf;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
    }

    ### CONFIGS ###
    include conf/h5bp.conf;
    include conf/expires.conf;

    ### TRIVIAL ###
    # Deny dot files:
    location ~ /\. {
        deny all;
    }

    # favicon.ico not found
    location = /favicon.ico {
        access_log off;
        log_not_found off;
    }

    # robots.txt not found
    location = /robots.txt {
        access_log off;
        log_not_found off;
    }

    ### CACHE ###
    # Cache everything by default
    set $no_cache 0;

    # Don't cache POST requests
    if ($request_method = POST) {
        set $no_cache 1;
    }

    # Don't cache if the URL contains a query string
    if ($query_string != "") {
        set $no_cache 1;
    }

    # Don't cache the following URLs
    if ($request_uri ~* "(/wp-admin/|/xmlrpc.php|/wp-(app|cron|login|register|mail).php|wp-.*.php|/feed/|index.php|wp-comments-popup.php|wp-links-opml.php|wp-locations.php|sitemap(_index)?.xml|[a-z0-9_-]+-sitemap([0-9]+)?.xml)") {
        set $no_cache 1;
    }

    # Don't cache if there is a cookie called PHPSESSID
    if ($http_cookie ~* "PHPSESSID|comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_logged_in") {
        set $no_cache 1;
    }
}
```
Change History (3)
comment:1 by , 11 years ago
comment:2 by , 11 years ago
Don't consider the Cloudflare related parameters. It's disabled for the domain.
comment:3 by , 11 years ago
| Resolution: | → invalid |
|---|---|
| Status: | new → closed |
The server{} block in question doesn't have any listen directives in it, and hence will use listen 80 by default. It's not expected to be used for https requests, as https uses port 443.

Don't know if it's useful, but I'm also adding the general nginx config.
And one other strange thing: when, for example, I go to my WordPress login page over https and enter my login details, I'm redirected to the domain of the wrong certificate. Maybe Strict Transport Security is involved?
```nginx
user www-data;
worker_processes auto;
worker_rlimit_nofile 8192;
error_log /var/log/nginx/error.log info;
pid /var/run/nginx.pid;

events {
    worker_connections 8000;
    multi_accept on;
}

http {
    include sites-enabled/*;
    index index.php index.htm index.html;
    server_tokens off; # don't send the nginx version number in error pages and Server header
    include conf/mime.types;
    include conf/geoip.conf;
    default_type application/octet-stream;
    log_format compression '$host $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log compression buffer=32k;
    keepalive_timeout 40;
    types_hash_max_size 2048;
    server_names_hash_bucket_size 64;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay off;

    add_header X-Frame-Options SAMEORIGIN;
    # config to don't allow the browser to render the page inside an frame or iframe and avoid
    # clickjacking http://en.wikipedia.org/wiki/Clickjacking. If you need to allow [i]frames, you can
    # use SAMEORIGIN or even set an uri with ALLOW-FROM uri
    # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options

    add_header X-Content-Type-Options nosniff;
    # when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with
    # the Content-Type: header, to disable content-type sniffing on some browsers.
    # https://www.owasp.org/index.php/List_of_useful_HTTP_headers, currently supported in IE > 8
    # http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx,
    # http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx, 'soon' on Firefox
    # https://bugzilla.mozilla.org/show_bug.cgi?id=471020

    add_header X-XSS-Protection "1; mode=block";
    # This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
    # It's usually enabled by default anyway, so the role of this header is to re-enable the filter
    # for this particular website if it was disabled by the user.
    # https://www.owasp.org/index.php/List_of_useful_HTTP_headers

    set_real_ip_from 127.0.0.1;
    include conf/cloudflare-ips.conf;
    real_ip_header CF-Connecting-IP;
    real_ip_header X-Forwarded-For;

    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    fastcgi_cache_key "$scheme$request_method$host$request_uri";
    add_header X-Cache $upstream_cache_status;

    client_max_body_size 15M;
    client_header_buffer_size 1k;
    client_body_buffer_size 16k;
    proxy_connect_timeout 90s;
    proxy_send_timeout 90s;
    proxy_read_timeout 90s;
    proxy_buffers 32 4k;
    large_client_header_buffers 4 8k;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # disable SSLv3(enabled by default since nginx 0.8.19) since it's less secure than TLS
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK'; # ciphers chosen for forward secrecy and compatibility
    ssl_prefer_server_ciphers on; # enables server-side protection from BEAST attacks
    ssl_session_cache shared:SSL:50m; # enable session resumption to improve https performance
    ssl_session_timeout 2h;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
    # enable HSTS(HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
    # to avoid ssl stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
    ssl_dhparam /etc/nginx/conf/dhparam.pem;

    gzip on;
    gzip_static on;
    gzip_buffers 16 8k;
    gzip_http_version 1.0;
    gzip_comp_level 5;
    gzip_min_length 256;
    gzip_proxied any;
    gzip_vary on;
    gzip_disable "MSIE [1-6]\.(?!.*SV1)";
    gzip_types application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component; # text/html is always compressed by HttpGzipModule
}
```
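Comment:3 pins the cause on a server{} block that loads a certificate but never listens with ssl, so https requests for its name fall through to the default server on 443 and get that server's certificate. The following is an added example, not part of the ticket or of nginx's own tooling: a small Python lint that scans an nginx configuration for exactly that shape (ssl_certificate present, no `listen ... ssl` and no legacy `ssl on;`); the SAMPLE configuration is constructed here to reproduce the ticket's block beside a correct one.

```python
import re

# Constructed sample: the ticket's shape (certificate but no listen directive)
# beside a correct block and a legacy-style block that relies on 'ssl on;'.
SAMPLE = """
server {
    server_name .blabla.it;
    ssl_certificate /var/www/blabla.it/ssl/ssl.crt;
    location / { try_files $uri /index.php?$args; }
}
server { listen 443 ssl; server_name good.example; ssl_certificate /etc/ssl/good.crt; }
server { listen 443; ssl on; server_name old.example; ssl_certificate /etc/ssl/old.crt; }
"""

def server_blocks(conf: str):
    """Return the body of every top-level server { ... } block, comments stripped.
    Minimal brace matcher written for this example, not a full nginx parser."""
    conf = re.sub(r"#[^\n]*", "", conf)
    bodies, pos = [], 0
    while (m := re.search(r"\bserver\s*\{", conf[pos:])):
        start = pos + m.end()
        depth, end = 1, start
        while depth and end < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[end], 0)
            end += 1
        bodies.append(conf[start:end - 1])
        pos = end
    return bodies

def audit(conf: str):
    """List (server_name, problem) for blocks that load a certificate but never
    enable TLS (no 'listen ... ssl' and no 'ssl on;'). Such a block defaults to
    listen 80, so https requests for its name hit the default 443 server instead."""
    findings = []
    for body in server_blocks(conf):
        name, has_cert, tls = "(no server_name)", False, False
        for stmt in body.split(";"):            # each ';'-terminated directive
            key, *args = stmt.split() or [""]   # [""] keeps empty pieces harmless
            if key == "server_name":
                name = " ".join(args)
            elif key == "ssl_certificate":
                has_cert = True
            elif (key == "listen" and "ssl" in args) or (key == "ssl" and args == ["on"]):
                tls = True
        if has_cert and not tls:
            findings.append((name, "ssl_certificate set but TLS is never enabled on a listen"))
    return findings
```

Run `audit(open("/etc/nginx/nginx.conf").read())` against a flattened configuration (the lint does not follow `include`), and confirm the fix with `openssl s_client -servername <host>`, which shows which certificate each SNI name actually receives.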