By: alexonciu

HTTP and HTTPS sites on a SNI enabled server (Nginx + Apache)

February 18, 2016 2.4k views
Nginx Apache Security Server Optimization LEMP LAMP Stack Networking Ubuntu

The environment for web page serving is like this:
Nginx as a reverse proxy in front of Apache (serverpilot based config).
The server is SNI enabled (you can run multiple SSL enabled sites on a single IP).

The scenario:
There are 2 sites served - one with https enabled and properly configured and another one without any need for https.

Site 1 - let's call it https://ir.cr
Site 2 - let's call it http://xn.rs

The problem:
Normally I would want to disable https for the second domain name (xn.rs) or at least force it to redirect 301 to http://xn.rs in case it is accessed from https://xn.rs
This is because it does not have a valid certificate and I don't intend to purchase one.

This is however impossible according to what I know so far.
Any https request for xn.rs goes to the IP address of the server (the A record DNS). Once it connects to the server it then processes the host part. Once it reaches the host part you get an error of course because the host does not match the certificate.

Since the request is only "parsed" for the host part after the actual SSL is established I can't seem to find a way to prevent this from happening.

Editing the vhost in Nginx is pointless (again, it's based on host declaration).
Using .htaccess does not work for the same reason - in order to parse .htaccess you need a connection - and the connection is for the IP.

Any ideas please?

[EDIT] I think I might have found a way with nginx default_server
This nginx is tricky if you're not experienced with it :)
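The default_server approach the edit hints at, written out as an added example (this is not configuration from the original post). The names ir.cr and xn.rs are the ones used in the question; the certificate paths, the self-signed fallback certificate and the Apache backend port are assumptions. The idea: nginx chooses the server block from the SNI name before any HTTP request exists, so a catch-all `default_server` on port 443 decides what happens to a TLS connection for a name that has no certificate of its own. Without such a block nginx falls back to the first 443 server block it finds, which means a visitor to https://xn.rs would be shown ir.cr's certificate (a name mismatch error that also reveals the other site's hostname).

```nginx
# Added example, not the original poster's config.
# Catch-all for TLS connections whose SNI name matches no other server block.
server {
    listen 443 ssl default_server;
    server_name _;
    # nginx still needs a certificate to answer the ClientHello; a self-signed
    # one is enough here because no browser is expected to trust it.
    ssl_certificate     /etc/nginx/ssl/fallback-selfsigned.crt;   # assumed path
    ssl_certificate_key /etc/nginx/ssl/fallback-selfsigned.key;   # assumed path
    return 444;   # close the connection without sending a response
}

# Site 1 (https://ir.cr): real certificate, matched by SNI name only.
server {
    listen 443 ssl;
    server_name ir.cr www.ir.cr;
    ssl_certificate     /etc/letsencrypt/live/ir.cr/fullchain.pem;   # assumed path
    ssl_certificate_key /etc/letsencrypt/live/ir.cr/privkey.pem;    # assumed path
    location / {
        proxy_pass http://127.0.0.1:8080;   # Apache behind nginx; port is an assumption
        proxy_set_header Host $host;
    }
}

# Site 2 (http://xn.rs): plain HTTP only, no 443 listener at all.
server {
    listen 80;
    server_name xn.rs www.xn.rs;
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
    }
}

# Plain-HTTP requests for names you do not host get the same treatment.
server {
    listen 80 default_server;
    server_name _;
    return 444;
}
```

To check which block a given SNI name reaches, run `openssl s_client -connect SERVER_IP:443 -servername xn.rs </dev/null` from another machine: with the catch-all in place the handshake for xn.rs is answered with the self-signed certificate and then dropped, while `-servername ir.cr` returns the real chain. Two caveats: a browser opening https://xn.rs still sees an error, because a 301 can only be sent after a trusted handshake, so the only way to get a clean redirect is a valid certificate for xn.rs; and on nginx 1.19.4 or newer the fallback block can use `ssl_reject_handshake on;` instead of a dummy certificate, which refuses unknown SNI names at the handshake itself.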

2 comments
  • Hi, I run SSL on several subdomains in NGINX with no issues (letsencrypt.com). I would think it also works for regular domains in the same way, as subdomains are treated as their own domains?

    Letsencrypt is free, I used this guide:
    https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04

    I did however change my setup ever so slightly to achieve A+ rating. I used the mozilla nginx config: https://wiki.mozilla.org/Security/Server_Side_TLS

    I targeted my NGINX 1.9.10 and other factors. I did not enable stapling yet.
    When adding subdomains I have to both edit the nginx config and add more domains/subdomains in listen, also I have to create new certs. But with the renew script in that link you get free ssl...

    For A+ you need to sign a cert with 4096 strength for key exchange, also target newer devices.
  • PS! For www.domain.tld I use the same server block, but I have a different server block for each subdomain that shows different content. The same I would do for new domains, add a new server block. Then one redirect block for each server block too.
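A hardened nginx server block along the lines the comments describe (Let's Encrypt certificate, Mozilla-style TLS settings, 4096-bit DH parameters for key exchange, OCSP stapling, and one plain-HTTP redirect block per HTTPS server block), written as an added example rather than the commenter's own configuration. example.com, the certbot paths under /etc/letsencrypt/live/, the dhparam file and the ACME webroot directory are assumptions.

```nginx
# Added example, not the commenter's config. Assumes the DH parameters were
# generated beforehand with: openssl dhparam -out /etc/nginx/dhparam.pem 4096

# Redirect block: one per HTTPS site. The ACME challenge path stays on plain
# HTTP so Let's Encrypt renewals keep working after the redirect is in place.
server {
    listen 80;
    server_name example.com www.example.com;

    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;     # assumed webroot used at issuance time
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    server_name example.com www.example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_dhparam         /etc/nginx/dhparam.pem;     # 4096-bit, generated above

    # Protocol and cipher choices in the spirit of the Mozilla generator.
    # Take the exact list from the generator for your nginx/OpenSSL version,
    # as the commenter did for NGINX 1.9.10.
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
    ssl_prefer_server_ciphers on;

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;    # avoid a long-lived static ticket key

    # OCSP stapling (the comment mentions it was not enabled yet).
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    resolver 8.8.8.8 8.8.4.4 valid=300s;   # needed for the stapling fetch

    # HSTS: only add once every name covered by the certificate is HTTPS-only.
    add_header Strict-Transport-Security "max-age=15768000" always;

    location / {
        proxy_pass http://127.0.0.1:8080;    # Apache backend; port assumed
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

After `nginx -t` and a reload, `openssl s_client -connect example.com:443 -servername example.com -status </dev/null` shows the negotiated protocol, the cipher, and whether an OCSP response was stapled; the A+ rating the comment refers to comes from the combination of strong key exchange (the 4096-bit dhparam and ECDHE suites), TLS 1.2 only, and HSTS. Each additional domain gets its own copy of both blocks with its own certificate paths.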

1 Answer

This question was answered by @olavamjelde in the first comment above.