With Apache's most common HTTPS setup you need 1 IP address per site. Does Nginx have this same limitation, or can a single IP address serve an unlimited number of HTTPS sites?
Nginx can be recompiled with SNI to allow this but it also requires your version of OpenSSL to support it (0.8.9 I believe). See here for more information.
It's also worth noting that Apache now supports SNI, it has been backported to 2.2.*.
The issue you are likely to face is browser compatibility. The guide above (nginx) states the following compatibility but I haven't checked this myself:
* Opera 8.0;
* MSIE 7.0 (but only on Windows Vista or higher);
* Firefox 2.0 and other browsers using Mozilla Platform rv:1.8.1;
* Safari 3.2.1 (Windows version supports SNI on Vista or higher);
* and Chrome (Windows version supports SNI on Vista or higher, too).
The limitation is at the SSL level, not the server level. All web servers have this.
It's a limitation of the original SSL protocol. The encryption begins immediately before the client even sends a hostname to the server. If you have virtualhosts all sharing the same connection, the server has to guess which certificate to show, and if it picks the wrong one the client throws up the invalid certificate warning.
That said, there have been ways around it for a while now. The worst way is to use different ports for each virtualhost so you have sites like https://www.example.com:449/. If all your virtualhosts are of the form "something".example.com, you can use a wildcard *.example.com certificate. Browsers have supported Subject Alternative Names in the certificate for years, but if you do this you have to get a new certificate whenever you want to change the list of Alternative Names.
The newest kid on the block is "SNI" or Server Name Indication, which lets a client that supports it tell the server which hostname it wants, before the server has to provide the certificate. Note that IE does not support this on Windows XP. On the server side, Nginx supports it when everything is compiled right. (Note: this page also talks about the other options above)
Yes it does. SSL is on the IP/port level. The server has nothing to do with it. You can use the same IP but a different port than the default 443, but then your domain will look like https://domain.com:543/path/to/something/