Opened 8 years ago
Closed 8 years ago
#1192 closed defect (fixed)
ssl configuration inherited from the wrong server block
| Reported by: | Alexey Ivanov | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | other | Version: | 1.11.x |
| Keywords: | | Cc: | |
| uname -a: | Linux 3.16.XXXX x86_64 | | |

nginx -V:

```
% ./objs/nginx -V
nginx version: nginx/1.11.10
built by gcc 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5)
built with OpenSSL 1.0.1 14 Mar 2012
TLS SNI support enabled
configure arguments: --with-http_ssl_module --with-debug --with-http_v2_module
```
Description
I have the following configuration:
```nginx
daemon off;
master_process off;
error_log stderr debug;

events {
    worker_connections 1024;
}

http {
    # catch-all HTTPS server
    server {
        listen 127.0.0.1:9443 ssl http2;
        server_name _;
        ssl_certificate server.crt;
        ssl_certificate_key server.key;
        location / {
            return 444;
        }
    }

    # HTTPS server
    server {
        listen 127.0.0.1:9443 ssl http2;
        server_name example.com;
        # THIS DOES NOT WORK
        ssl_buffer_size 4k;
        ssl_certificate server.crt;
        ssl_certificate_key server.key;
        location / {
            root html;
        }
    }
}
```
... its aim is to drop all traffic with domain name != example.com
Though if you `curl` a big file there, e.g.:

```
curl -s -o /dev/null -k -v --resolve example.com:9443:127.0.0.1 'https://example.com:9443/somebigfile'
```
you can see that nginx is not applying `ssl_buffer_size` from the `server` block with a proper `server_name`, but instead is using 16k (`| fgrep 'SSL_write:'`), which I assume is inherited from block with `server_name _`.

PS. It most likely behaves like that for all `ssl_` directives, including `ssl_certificate` and `ssl_certificate_key`, not only for the `ssl_buffer_size`.
PPS. curl is using SNI, so nginx should have enough data to pick proper server block during the ssl negotiation step.
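
The `fgrep 'SSL_write:'` check from the description, turned into a repeatable test. This is an added example, not part of the original ticket or of nginx: it reads an nginx debug log and verifies that no TLS write exceeds the `ssl_buffer_size` expected for the virtual host. The function names and the sample log lines are constructed for illustration, and it assumes every successful `SSL_write:` value is bounded by the buffer size in effect.

```shell
# Added example, not from the ticket. Log lines below are constructed.

# Print the largest successful SSL_write size found in a debug log on stdin.
# "SSL_write: -1" (a failed or blocked write) is ignored; prints 0 if none match.
max_ssl_write() {
    awk '
        match($0, /SSL_write: [0-9]+/) {
            n = substr($0, RSTART + 11, RLENGTH - 11) + 0   # skip "SSL_write: "
            if (n > max) max = n
        }
        END { print max + 0 }
    '
}

# Usage: check_ssl_buffer_size BYTES < error.log
# Returns 0 if every write fits in BYTES, 1 if one is larger, 2 if none were seen.
check_ssl_buffer_size() {
    expected=$1
    largest=$(max_ssl_write)
    if [ "$largest" -eq 0 ]; then
        echo "no SSL_write lines found (error_log must be at debug level)"
        return 2
    fi
    if [ "$largest" -gt "$expected" ]; then
        echo "FAIL: SSL_write of $largest bytes exceeds ssl_buffer_size $expected"
        return 1
    fi
    echo "OK: largest SSL_write is $largest bytes (limit $expected)"
}

# Constructed log: the 16k behaviour reported in the ticket.
sample_log_16k() {
    cat <<'EOF'
2017/02/14 10:00:00 [debug] 4242#0: *1 SSL_write: 16384
2017/02/14 10:00:00 [debug] 4242#0: *1 SSL_write: -1
EOF
}

# Constructed log: what a working "ssl_buffer_size 4k;" would produce.
sample_log_4k() {
    cat <<'EOF'
2017/02/14 10:00:01 [debug] 4242#0: *2 SSL_write: 4096
2017/02/14 10:00:01 [debug] 4242#0: *2 SSL_write: 1372
EOF
}

sample_log_16k | check_ssl_buffer_size 4096 || true   # prints FAIL
sample_log_4k  | check_ssl_buffer_size 4096           # prints OK
```

Run against a real log, the expected value is the byte count of the `ssl_buffer_size` set in the `server` block whose `server_name` the request targeted (4096 for `4k`).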
Change History (4)
comment:1 by , 8 years ago
comment:4 by , 8 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
Please try the following patch: