So I've got a server with a single IP and a lot of websites, all hosted under nginx. Here's a very simplified reduction of my actual setup:
server {
    listen 80;
    listen 443 ssl;
    server_name ssl.example.com;
    #...
}
server {
    listen 80;
    server_name nossl.example.com;
    #...
}
If I connect to ssl.example.com:443, everything works, as expected.
If I connect to nossl.example.com:443, it tries to serve the content of ssl.example.com:443.
I've made my peace with why that happens (it's just how ssl+nginx best-matches a virtual server), I just need to stop it sending content from the wrong site.
Short of buying certificates for all my sites (or issuing my own), or pushing the SSL site off onto its own IP, what are my options here? Can nginx double-check the domain for every SSL request and make sure it matches that server_name?
Add the following virtual server:
If no host matches, Nginx will use this one as a last resort and send back an error.
It needs an SSL certificate to work, but you can generate a self-signed one very quickly and that will do. This is better than sharing an otherwise valid, existing certificate for another domain (which throws up errors anyway) because there's less leakage.
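A catch-all server of the kind this answer describes, written out as an added example (not the answerer's own config); the certificate paths and the openssl command in the comment are assumptions, and the `ssl_reject_handshake` line is an optional alternative available in newer nginx releases:

```nginx
# Added example: catch-all server for TLS requests whose name matches no
# other server_name on this IP. The self-signed certificate paths below are
# assumed; one way to create such a cert (command is an assumption):
#   openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
#     -keyout /etc/nginx/ssl/catchall.key -out /etc/nginx/ssl/catchall.crt \
#     -subj "/CN=invalid"
server {
    # default_server makes this block the one nginx picks when no
    # server_name matches, instead of the first 443 block in the config.
    listen 443 ssl default_server;
    server_name _;   # placeholder name that never matches a real host

    ssl_certificate     /etc/nginx/ssl/catchall.crt;
    ssl_certificate_key /etc/nginx/ssl/catchall.key;

    # nginx 1.19.4 and later can refuse the TLS handshake outright for
    # unknown names, so no certificate (not even a self-signed one) is sent.
    # With this enabled the two ssl_certificate lines above can be dropped.
    # ssl_reject_handshake on;

    # 444 closes the connection without a response; use 403 or 421 instead
    # if you prefer the client to receive an explicit error page.
    return 444;
}
```

Check the result with `nginx -t` and then a request such as `curl -vk --resolve nossl.example.com:443:<server-ip> https://nossl.example.com/`, which should no longer return the ssl.example.com content.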
I tend to think that #2 is the most proper answer, but I have found that the following works as well when placed above the server block of the non-ssl virtual servers.
Don't use the "ssl" flag.