Opened 10 years ago

Closed 10 years ago

#628 closed task (invalid)

nginx serving wrong certificate for another domain?

Reported by: Lorenzo Raffio Owned by:
Priority: minor Milestone:
Component: nginx-core Version: 1.7.x
Keywords: ssl certificate sni Cc:
uname -a:
nginx -V: 1.7.4

Description

I have SNI installed and running fine. I have 6 websites hosted on the same VPS, same IP. 5 of them work just fine, every one is serving its correct ssl certificate.
But there's one that even if I'm setting ssl_certificate to the correct crt file related to that domain, is serving the certificate of another domain! (WTF?)

Here's the whole conf file for this domain:

fastcgi_cache_path			/var/www/blabla.it/cache levels=1:2 keys_zone=blabla.it:100m inactive=60m;

server {

	### MAIN ###

	server_name				.blabla.it;
	index					index.php;
	root					/var/www/blabla.it/htdocs;

	ssl_stapling				on;
	ssl_stapling_verify			on;
	ssl_trusted_certificate			/var/www/blabla.it/ssl/ca-certs.pem;
	ssl_certificate				/var/www/blabla.it/ssl/ssl.crt;
	ssl_certificate_key			/var/www/blabla.it/ssl/ssl.key;
    
	access_log				/var/www/blabla.it/logs/access.log.gz combined gzip;
	error_log				/var/www/blabla.it/logs/error.log;
	
	charset					utf-8;
	
	rewrite					^/sitemap_index\.xml$ /index.php?sitemap=1 last;
	rewrite					^/([^/]+?)-sitemap([0-9]+)?\.xml$ /index.php?sitemap=$1&sitemap_n=$2 last;
 
	location / {
		try_files $uri $uri/ /index.php?$args;
	}

	location ~ \.php$ {
		fastcgi_cache blabla.it;
		fastcgi_cache_valid 200 5m;	
		fastcgi_cache_bypass $no_cache;
		fastcgi_no_cache $no_cache;
	
		try_files $uri =404;
		fastcgi_split_path_info ^(.+\.php)(/.+)$;			
		include fastcgi.conf;
		fastcgi_pass unix:/var/run/php5-fpm.sock;
	}

	
	### CONFIGS ###
	include conf/h5bp.conf;
	include	conf/expires.conf;


	### TRIVIAL ###

	# Deny dot files:
	location ~ /\. {
		deny all;
	}

	# favicon.ico not found
	location = /favicon.ico {
		access_log off;
		log_not_found off;
	}

	# robots.txt not found
	location = /robots.txt { 
		access_log off; 
		log_not_found off; 
	}


	### CACHE ###

	#Cache everything by default
	set $no_cache 0;

	#Don't cache POST requests
	if ($request_method = POST)
	{
	    set $no_cache 1;
	}

	#Don't cache if the URL contains a query string
	if ($query_string != "")
	{
	    set $no_cache 1;
	}

	#Don't cache the following URLs
	if ($request_uri ~* "(/wp-admin/|/xmlrpc.php|/wp-(app|cron|login|register|mail).php|wp-.*.php|/feed/|index.php|wp-comments-popup.php|wp-links-opml.php|wp-locations.php|sitemap(_index)?.xml|[a-z0-9_-]+-sitemap([0-9]+)?.xml)")
	{
	    set $no_cache 1;
	}

	#Don't cache if there is a cookie called PHPSESSID
	if ($http_cookie ~* "PHPSESSID|comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_logged_in")
	{
	    set $no_cache 1;
	}

}

Change History (3)

comment:1 by Lorenzo Raffio, 10 years ago

Don't know if useful but I also add general nginx config.

And one other strange thing is that when for example I got to my wordpress login page over https and enter my login details, I'm redirected to the domain of the wrong certificate. Maybe is Strict Transport Security involved?

user						www-data;
worker_processes				auto;
worker_rlimit_nofile				8192;
error_log					/var/log/nginx/error.log info;
pid						/var/run/nginx.pid;

events {
  worker_connections				8000;
  multi_accept					on;
}

http {
	include					sites-enabled/*;
	index					index.php index.htm index.html;
	server_tokens				off; #don't send the nginx version number in error pages and Server header
	include					conf/mime.types;
	include					conf/geoip.conf;
	default_type				application/octet-stream;
	log_format				compression '$host $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';
	access_log				/var/log/nginx/access.log compression buffer=32k;
	keepalive_timeout			40;
	types_hash_max_size			2048;
	server_names_hash_bucket_size		64;
	sendfile				on;
	tcp_nopush				on;
	tcp_nodelay				off;
	add_header				X-Frame-Options SAMEORIGIN; # config to don't allow the browser to render the page inside an frame or iframe and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking. If you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
	add_header				X-Content-Type-Options nosniff; # when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header, to disable content-type sniffing on some browsers. https://www.owasp.org/index.php/List_of_useful_HTTP_headers, currently suppoorted in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx, http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx, 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
	add_header				X-XSS-Protection "1; mode=block"; # This header enables the Cross-site scripting (XSS) filter built into most recent web browsers. It's usually enabled by default anyway, so the role of this header is to re-enable the filter for this particular website if it was disabled by the user. https://www.owasp.org/index.php/List_of_useful_HTTP_headers
	
	set_real_ip_from			127.0.0.1;
	include					conf/cloudflare-ips.conf;
	real_ip_header				CF-Connecting-IP;
	real_ip_header				X-Forwarded-For;
	proxy_redirect				off;
	proxy_set_header			Host  $host;
	proxy_set_header			X-Real-IP $remote_addr;
	proxy_set_header			X-Forwarded-For $proxy_add_x_forwarded_for;
	
	fastcgi_cache_key				"$scheme$request_method$host$request_uri";
	add_header				X-Cache $upstream_cache_status;
	
	client_max_body_size			15M;
	client_header_buffer_size		1k;
	client_body_buffer_size			16k;
	proxy_connect_timeout			90s;
	proxy_send_timeout			90s;
	proxy_read_timeout			90s;
	proxy_buffers				32 4k;
	large_client_header_buffers		4 8k;
	
	ssl_protocols				TLSv1 TLSv1.1 TLSv1.2; # disable SSLv3(enabled by default since nginx 0.8.19) since it's less secure then TLS
	ssl_ciphers				'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK'; # ciphers chosen for forward secrecy and compatibility
	ssl_prefer_server_ciphers		on; # enables server-side protection from BEAST attacks
	ssl_session_cache			shared:SSL:50m; # enable session resumption to improve https performance
	ssl_session_timeout			2h;
	add_header				Strict-Transport-Security "max-age=31536000; includeSubdomains;"; # enable HSTS(HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security to avoid ssl stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
	ssl_dhparam				/etc/nginx/conf/dhparam.pem;
	
	gzip					on;
	gzip_static				on;
	gzip_buffers				16 8k;
	gzip_http_version			1.0;
	gzip_comp_level				5;
	gzip_min_length				256;
	gzip_proxied				any;
	gzip_vary				on;
	gzip_disable				"MSIE [1-6]\.(?!.*SV1)";
	gzip_types
									application/atom+xml
									application/javascript
									application/json
									application/rss+xml
									application/vnd.ms-fontobject
									application/x-font-ttf
									application/x-web-app-manifest+json
									application/xhtml+xml
									application/xml
									font/opentype
									image/svg+xml
									image/x-icon
									text/css
									text/plain
									text/x-component;
	#								text/html is always compressed by HttpGzipModule
	
}

comment:2 by Lorenzo Raffio, 10 years ago

Don't consider the Cloudflare related parameters. It's disabled for the domain.

comment:3 by Maxim Dounin, 10 years ago

Resolution: invalid
Status: newclosed

The server{} block in question doesn't have any listen directives in it, and hence will use listen 80 by default. It's not expected to be used for https requests, as https use port 443.

Note: See TracTickets for help on using tickets.