How to tell nginx to serve https only for one vhost-managed domain?

nginx ssl

I have an ec2 instance running ubuntu and nginx 0.8.4, with vhosts serving several different domains using http but one using SSL/https.

Secure domain configuration:

server {
    listen 443 ssl;
    server_name "securedomain.tld";

    ssl_certificate     /etc/nginx/certs/securedomain.tld.crt;
    ssl_certificate_key /etc/nginx/certs/securedomain.tld.key;

    if ($host != $server_name) {
        return 444; # this won't work because HTTPS communication has 
                    # been already started, warning message is displayed
    }

    // ...
}

Unsecure domain configuration:

server {
    listen 80; 
    server_name "unsecuredomain.tld";

    // ...
}

Right now the domain served using https is catching up all the https trafic, for all managed domains… that means that https://unsecuredomain.tld/ will display a warning and actually serve the contents from securedomain.tld :(

Question is, is there a way to prevent nginx from serving all unsecure domains served using https? eg by specifying that you only want to accept https connections for a given requested host…

Hint: an ec2 instance cannot have more than one IP affected.


In short: nope. As far as nginx is concerned, you've told it that all connections to port 443 are SSL connections for that vhost, and it's just doing what you told it. By the time it can see the Host: header in the request, the SSL negotiation has been done (absent SNI, which is really only going to help if you've got certs for all your domains and are being hit by an SNI-aware browser).


The SSL mismatch warning is unpreventable without a second IP address or some sort of proxy setup, as womble notes.

If you want to prevent unsecuredomain.tld content from being served over SSL, you should use something like the following in the securedomain.tld SSL vhost definition instead of what you have:

if ($host != $server_name) {
    rewrite ^(.*)$ http://unsecuredomain.tld permanent;
}

and just bounce them out, instead of throwing up a different HTTP error after they've already received the browser warning and chosen to continue.

Related

Linux fails to interpret ACK, keeps resending SYN+ACK
Primary Domain Controller slow?
Remote Desktop over SSH to Windows 7 box
Can HAProxy select a backend based on a lookup table?
Why is rpc.lockd obscured from netstat/lsof output?
Lighttpd proxy redirect by port
Word for knowing what to do and not doing it
Infer to mean imply? [duplicate]
Why did Old English use C while other Germanic languages used K?
What is the word for making a set of conflicting rules/policies make sense and all agree with one another?
“A is claimed to follow from B” vs “B is offered as support for A”
What type of phrase is the highlighted part in the following sentence? [duplicate]