Question

HTTP and HTTPS sites on a SNI enabled server (Nginx + Apache)

The environment for web page serving is like this: Nginx as a reverse proxy in front of Apache (serverpilot based config). The server is SNI enabled (you can run multiple SSL enabled sites on a single IP).

The scenario: There are 2 sites served - one with https enabled and properly configured and another one without any need for https.

Site 1 - let’s call it https://ir.cr
Site 2 - let’s call it http://xn.rs

The problem: Normally I would want to disable https for the second domain name (xn.rs) or at least force it to redirect 301 to http://xn.rs in case it is accessed from https://xn.rs. This is because it does not have a valid certificate and I don’t intend to purchase one.

This is however impossible according to what I know so far. Any https request for xn.rs goes to the IP address of the server (the A record DNS). Once it connects to the server it then processes the host part. Once it reaches the host part you get an error of course because the host does not match the certificate.

Since the request is only “parsed” for the host part after the actual SSL is established, I can’t seem to find a way to prevent this from happening.

Editing the vhost in Nginx is pointless (again, it’s based on host declaration). Using .htaccess does not work for the same reason - in order to parse .htaccess you need a connection - and the connection is for the IP.

Any ideas please?

[EDIT] I think I might have found a way with nginx default_server. This nginx is tricky if you’re not experienced with it :)
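One way to implement the default_server approach the edit refers to, as an added example that is not part of the original post or of ServerPilot's generated config. The assumptions are: nginx terminates TLS and proxies to Apache on 127.0.0.1:8080, the real certificate for ir.cr lives under /etc/ssl/, and a self-signed placeholder (here called snakeoil) exists for the catch-all block. Hostnames are the ones from the question.

```nginx
# Added example config, not from the original post.
# Assumed paths: /etc/ssl/ir.cr.*, /etc/ssl/snakeoil.*; assumed backend: 127.0.0.1:8080

# Site 1: the SNI name ir.cr selects this block, so the real certificate is served.
server {
    listen 443 ssl;
    server_name ir.cr www.ir.cr;

    ssl_certificate     /etc/ssl/ir.cr.fullchain.pem;
    ssl_certificate_key /etc/ssl/ir.cr.key;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Catch-all on 443: any SNI name that matches no other server block (xn.rs
# included) lands here. nginx picks this block from the SNI value in the
# ClientHello, before the HTTP request is read.
server {
    listen 443 ssl default_server;
    server_name _;

    # nginx before 1.19.4 must finish the handshake before it can act, so it
    # needs some certificate; a self-signed placeholder is enough because the
    # client only ever gets a certificate error for this name.
    ssl_certificate     /etc/ssl/snakeoil.pem;
    ssl_certificate_key /etc/ssl/snakeoil.key;

    # nginx-specific: close the connection without sending any HTTP response.
    return 444;
}

# Site 2: plain HTTP only.
server {
    listen 80;
    server_name xn.rs www.xn.rs;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
    }
}
```

On nginx 1.19.4 or newer, replace the two ssl_certificate lines in the catch-all block with `ssl_reject_handshake on;`: nginx then aborts the TLS handshake for unknown names before any certificate is sent, and no placeholder certificate is needed. To check the behaviour from another machine, `openssl s_client -connect <server-ip>:443 -servername xn.rs` should show the placeholder certificate (or a handshake failure with ssl_reject_handshake), while `-servername ir.cr` should complete with the real chain. Note that neither variant can redirect https://xn.rs to http://xn.rs: the browser validates the certificate before it reads any 301, so a redirect is only possible with a certificate the browser trusts for xn.rs.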


This question was answered by @olavamjelde:

Hi, I run SSL on several subdomains in NGINX with no issues (letsencrypt.com). I would think it also works for regular domains in the same way, as subdomains are treated as their own domains?

Letsencrypt is free, I used this guide: https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04

I did however change my setup ever so slightly to achieve A+ rating. I used the mozilla nginx config: https://wiki.mozilla.org/Security/Server_Side_TLS

I targeted my NGINX 1.9.10 and other factors. I did not enable stapling yet. When adding subdomains I have to both edit the nginx config and add more domains/subdomains in listen, also I have to create new certs. But with the renew script in that link you get free ssl…

For A+ you need to sign a cert with 4096 strength for key exchange, also target newer devices.
