Hello!

On Sun, Feb 14, 2016 at 01:46:48PM -0800, Robert Paprocki wrote:

> > On Feb 14, 2016, at 12:58, Maxim Dounin <[email protected]> wrote:
> >
> > Hello!
> >
> >> On Sun, Feb 14, 2016 at 08:14:20PM +0100, Lucas Rolff wrote:
> >>
> >> I'm having a rather odd behavior - I use nginx as a reverse proxy
> >> (basically as a CDN) - where if the file isn't in cache, I do use
> >> proxy_pass to the origin server, to get the file and then cache it.
> >>
> >> This works perfectly in most cases, but if the origin is running Apache
> >> and happens to use the Apache directive "SSLStrictSNIVHostCheck" where
> >> it's set to On.
> >
> > http://nginx.org/r/proxy_ssl_server_name
>
> Out of curiosity, is there a philosophical/design reason this
> option is not enabled by default?

There was no support for client-side SNI till nginx 1.7.0, and when
introduced it was set off by default to avoid breaking existing
configurations.

Additionally, client-side SNI discloses information about the domain
name used to connect to (which is bad from a security point of view),
and hardly makes sense without peer certificate verification
(http://nginx.org/r/proxy_ssl_verify), which is also off by default
and can't be enabled without a list of trusted certificates.

--
Maxim Dounin
http://nginx.org/
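For reference, here is an added configuration example (not from the thread or from nginx's own docs) contrasting the default-off settings Lucas hit with the proxy_ssl_server_name / proxy_ssl_verify / proxy_ssl_trusted_certificate combination Maxim describes; hostnames, cache paths and the CA bundle path are assumptions.

```nginx
# Added example: nginx as a caching reverse proxy in front of an HTTPS origin.
# All hostnames, paths and the CA bundle location below are assumed values.
proxy_cache_path /var/cache/nginx/cdn levels=1:2 keys_zone=cdn:10m inactive=1d;

upstream origin {
    server origin.example.com:443;   # assumed origin host
}

# Weak: proxy_ssl_server_name and proxy_ssl_verify keep their defaults (off).
# No SNI is sent, so an SNI-strict Apache origin (SSLStrictSNIVHostCheck On)
# rejects the handshake, and the origin certificate is never checked, so
# anything that can answer on the network path is accepted as the origin.
server {
    listen 80;
    server_name cdn-weak.example.com;
    location / {
        proxy_cache cdn;
        proxy_pass https://origin;
    }
}

# Hardened: send SNI and verify the peer certificate against an explicit
# trust store. proxy_ssl_name is set explicitly because the default ($proxy_host)
# would be the upstream block name "origin", not the real origin hostname.
server {
    listen 80;
    server_name cdn.example.com;
    location / {
        proxy_cache cdn;
        proxy_pass https://origin;
        proxy_ssl_server_name on;                 # send SNI to the origin
        proxy_ssl_name origin.example.com;        # name used for SNI and verification
        proxy_ssl_verify on;                      # fail closed on an unverifiable origin
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/nginx/origin-ca.pem;  # assumed CA bundle
    }
}
```

Check the result with `nginx -t` and, after reload, confirm in the error log that no "upstream SSL certificate verify error" entries appear for legitimate origin fetches.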
