using nginx with SNI

Solution 1:

If your version of nginx shows TLS SNI support when you do nginx -V then you're ready to go.

If you want to run your server without regard to the IP address, then don't use an IP address in the SSL web server's listen directives to use SNI for that virtual host.

For instance, change:

listen 198.51.100.206:443 ssl;

to:

listen 443 ssl;

Even if you do use an IP address, SNI will be used anyway, for all servers which are listening on the same IP address.
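A fuller picture of what the answer above describes, as an added example that is not part of the original answers: two HTTPS virtual hosts sharing one port, with no IP address in the listen directives, so nginx selects the server block from the SNI hostname the client sends. The hostnames, certificate paths and log path are assumptions. The log_format also records $ssl_server_name (empty when the client sent no SNI), which is the simplest way to find out later which clients are not sending it.

```nginx
# Added example, not from the original answers. Names and paths are assumed.
http {
    # Record the SNI name the client sent (empty if none) beside the usual
    # fields. $ssl_server_name is available in nginx 1.7.0 and later.
    log_format sni '$remote_addr - [$time_local] "$request" $status '
                   'sni="$ssl_server_name" proto="$ssl_protocol" ua="$http_user_agent"';
    access_log /var/log/nginx/access.log sni;

    # Marked default_server: clients that send no SNI land here and get this
    # certificate, whichever hostname they actually meant to reach.
    server {
        listen 443 ssl default_server;
        server_name www.example.com;
        ssl_certificate     /etc/nginx/certs/www.example.com.crt;
        ssl_certificate_key /etc/nginx/certs/www.example.com.key;
        root /var/www/www.example.com;
    }

    # Same port, no IP address: reachable only by clients that send SNI.
    server {
        listen 443 ssl;
        server_name shop.example.com;
        ssl_certificate     /etc/nginx/certs/shop.example.com.crt;
        ssl_certificate_key /etc/nginx/certs/shop.example.com.key;
        root /var/www/shop.example.com;
    }
}
```

A client that does not send SNI is handed the default server's certificate, so for every other hostname it sees a name mismatch and usually aborts the handshake. From the client side this can be checked with `openssl s_client -connect host:443 -servername shop.example.com` against the same command without `-servername`: the certificate subject returned should differ.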

Solution 2:

Actually, it's not client software you should be worried about. Most people run a decent browser nowadays and mobile devices are basically safe.

When we tried running nginx with SNI, we discovered that some service providers were really falling behind. In one case, a certain online payments provider would just drop HTTP calls towards us because their software was based on a really old (pre-SNI support) Perl library. Users seeing their credit cards getting charged with no result were not amused. The provider's response was surprise - they had no clue they had this problem. Sadly, they said they needed months to fix this.

I wish this was just one provider, but no. We ended up going back to separate IPs for each domain.

Lesson learned: check all software that is going to talk to your nginx.
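One way to act on that lesson from the server side, as an added example that is not part of the original answers: a script that reads nginx access log lines written with a log_format that includes $ssl_server_name (a real nginx variable; the exact field layout below is an assumption) and reports which client addresses and user agents completed requests without sending SNI. The log lines are constructed sample data, not real traffic.

```python
import re
from collections import Counter

# Constructed sample lines (not real log data) in the assumed format:
# addr - [time] "request" status sni="..." proto="..." ua="..."
SAMPLE_LOG = """\
203.0.113.10 - [10/Oct/2023:12:00:01 +0000] "GET / HTTP/1.1" 200 sni="www.example.com" proto="TLSv1.2" ua="Mozilla/5.0"
203.0.113.11 - [10/Oct/2023:12:00:02 +0000] "POST /callback HTTP/1.0" 200 sni="" proto="TLSv1" ua="libwww-perl/5.805"
203.0.113.12 - [10/Oct/2023:12:00:03 +0000] "GET /api HTTP/1.1" 200 sni="shop.example.com" proto="TLSv1.3" ua="curl/7.88.1"
203.0.113.11 - [10/Oct/2023:12:00:04 +0000] "POST /callback HTTP/1.0" 200 sni="" proto="TLSv1" ua="libwww-perl/5.805"
"""

# Regex matching the assumed log_format; the sni group is empty for non-SNI clients.
LINE_RE = re.compile(
    r'^(?P<addr>\S+) - \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
    r'sni="(?P<sni>[^"]*)" proto="(?P<proto>[^"]*)" ua="(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one access log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def non_sni_clients(log_text):
    """Count requests that carried no SNI, keyed by (client address, user agent)."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines in another format rather than guessing
        if rec["sni"] == "":
            hits[(rec["addr"], rec["ua"])] += 1
    return hits


def report(log_text):
    """Human-readable summary of non-SNI clients, most frequent first."""
    lines = []
    for (addr, ua), n in non_sni_clients(log_text).most_common():
        lines.append(f"{addr}  {ua}  ({n} request(s) without SNI)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

The check only sees clients that finished the TLS handshake and sent a request: a client that aborts on the default server's certificate mismatch never produces an access log entry, so it has to be found from the client side (or from handshake errors in the nginx error log). Run over a real log, each reported user agent is a piece of software to verify before dropping the per-domain IP addresses.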