nginx and SNI

Server name indication (SNI) allows you serve multiple sites with different TLS/SSL certificates using a single IP address. Nginx has support for SNI for quite some time and actually setting it up is easy, simply add server entries for the corresponding sites. There is one caveat, the server_name entry must come before the server_certificate in order for SNI to be activated:

server {
    listen          443 ssl;
    server_name     www.example.com;
    ssl_certificate www.example.com.crt;
    ...
}

server {
    listen          443 ssl;
    server_name     www.example.org;
    ssl_certificate www.example.org.crt;
    ...
}

is good, but

server {
    listen          443 ssl;
    ssl_certificate www.example.com.crt;
    server_name     www.example.com;
    ...
}

server {
    listen          443 ssl;
    ssl_certificate www.example.org.crt;
    server_name     www.example.org;
    ...
}

will serve the wrong certificate for www.example.org.

Leave a Reply

Your email address will not be published. Required fields are marked *