nginx and SNI: is it possible to automatically resolve SSL certificate by domain name
Solution 1:
I guess there is no other solution than creating a separate config for each vhost. Using templates that should be quite simple.
However, SNI is not yet supported by some browsers (all recent browsers do). These browsers might show an invalid certificate message.
If you want to reject connections for some vhosts without certificate you should simply not enable ssl on these vhosts. Add a default server that catches all connections for unknown vhosts on the ssl port and return an error (403 forbiden or non standard 444 for tcp reset):
server {
listen 433 default_server ssl;
ssl_certificate common.crt;
ssl_certificate_key common.key;
return 403;
}
You can not prevent the invalid certificate message on vhosts without ssl, as it is not possible to cancel the tcp connection before the ssl handshake using nginx. You might try iptables to reject non sni ssl handshakes but that might be a bit tricky to configure correctly and will probably require some knowledge of ssl specifications.