nginx and SNI: is it possible to automatically resolve SSL certificate by domain name

nginx https ssl sni

Solution 1:

I guess there is no other solution than creating a separate config for each vhost. Using templates that should be quite simple.

However, SNI is not yet supported by some browsers (all recent browsers do). These browsers might show an invalid certificate message.

If you want to reject connections for some vhosts without certificate you should simply not enable ssl on these vhosts. Add a default server that catches all connections for unknown vhosts on the ssl port and return an error (403 forbiden or non standard 444 for tcp reset):

server {
    listen 433 default_server ssl;
    ssl_certificate       common.crt;
    ssl_certificate_key   common.key;
    return 403;
}

You can not prevent the invalid certificate message on vhosts without ssl, as it is not possible to cancel the tcp connection before the ssl handshake using nginx. You might try iptables to reject non sni ssl handshakes but that might be a bit tricky to configure correctly and will probably require some knowledge of ssl specifications.

Related

PostgreSQL not listening on local eth1 after reboot
Windows 7 network drive to Linux filesystem via PuTTY [closed]
Some questions regarding Hostname
broken apache .htaccess (mod_rewrite)
memory leak? RHEL 5.5. RSS show ok, almost no free memory left, swap used heavily
How to shrink a VMware virtual disk (vmdk)
Can't route back down ipsec tunnel from VPS
Very slow harddisk performance
Bandwidth throttling software
How do I set up SMTP on Windows Server 2003 to forward all emails to a given address?
What is the difference between Group Policy and Registry Policy processing in Windows?
Downloading php files from python simple http server