Thanks for the help.
I'm really feeling pretty stupid atm since I can't seem to find & understand a 
how-to document to get this right :-/

So I have this config

        # Catch-all for plain HTTP on port 80 (IPv4 and IPv6): every request is
        # answered with a 301 redirect to HTTPS.
        server {
            # NOTE(review): `http2` on a cleartext listener. Browsers only negotiate
            # HTTP/2 over TLS, and on older nginx releases a cleartext `http2` listener
            # expects HTTP/2 from the first byte, so an ordinary HTTP/1.1 request may
            # never reach the redirect below. Confirm against the nginx version in use.
            listen 80                  http2 default_server;
            # NOTE(review): ipv6only=on is the documented default on current nginx, so
            # it is redundant here. Verify for the version in use.
            listen [::]:80             http2 ipv6only=on default_server;
            server_name _;
            # $host comes from the request (request line / Host header), so in this
            # catch-all the redirect target is chosen by the client. The path and
            # query string are also dropped because $request_uri is not appended.
            # A fixed canonical name, as in the example.com port-80 block, avoids both.
            return 301 https://$host;
        }

        # Catch-all TLS server on the two specific addresses: presents a dummy
        # certificate and closes the connection (444) for any unmatched host name.
        server {
                listen 172.17.0.1:443      ssl http2 default_server;
                # NOTE(review): the example.com block at the end of this config also
                # declares `ipv6only=on default_server` on this same address:port.
                # Only one server can be the default for a given address:port, so one
                # of the two declarations has to go.
                listen [FE80:...:0001]:443 ssl http2 ipv6only=on default_server;
                server_name _;
                # ssl_trusted_certificate is documented as the CA set used to verify
                # client certificates and OCSP responses. Neither ssl_verify_client nor
                # ssl_stapling appears in this block, so as shown it has no visible effect.
                ssl_trusted_certificate    "/etc/ssl/trusted.crt.pem";
                # The TLS handshake completes with this dummy certificate before the
                # `return 444` runs, so a browser that lands in this block reports a
                # certificate name mismatch rather than a silent close. Newer nginx
                # offers `ssl_reject_handshake on;` to refuse such handshakes without
                # a placeholder certificate and key on disk.
                ssl_certificate            "/etc/ssl/dummy.crt.pem";
                ssl_certificate_key        "/etc/ssl/dummy.key.pem";
            # 444 is nginx's non-standard code: close the connection, send no response.
            return 444;
        }

        # Catch-all TLS server on the wildcard addresses (*:443 and [::]:443):
        # same dummy certificate and 444 close as the address-specific catch-all.
        server {
                listen 443                 ssl http2 default_server;
                # NOTE(review): this is the socket named in the reported
                # "bind() to [::]:443 failed (98: Address already in use)" error.
                # Possibly the wildcard bind collides with the address-specific
                # :443 listeners that carry socket options (ipv6only), or another
                # process already holds the port. `ss -ltnp` shows what owns it.
                listen [::]:443            ssl http2 ipv6only=on default_server;
                server_name _;
                # No ssl_verify_client / ssl_stapling in this block, so the trusted CA
                # file has no visible effect here.
                ssl_trusted_certificate    "/etc/ssl/trusted.crt.pem";
                # Clients reaching this block are shown the dummy certificate during the
                # handshake, so a browser reports a certificate mismatch before the 444.
                ssl_certificate            "/etc/ssl/dummy.crt.pem";
                ssl_certificate_key        "/etc/ssl/dummy.key.pem";
                # Close the connection without sending any response.
                return 444;
        }

        # Plain-HTTP server for example.com / www.example.com on the two specific
        # addresses: redirects everything to the canonical HTTPS host.
        server {
                # NOTE(review): `http2` on a cleartext port. Browsers do not use HTTP/2
                # without TLS, and on older nginx releases this can stop HTTP/1.1
                # requests from being served on the port at all. Confirm for the
                # version in use.
                listen 172.17.0.1:80       http2;
                listen [FE80:...:0001]:80  http2;
                server_name example.com www.example.com;
                location / {
                        # Fixed host name plus $request_uri: the target does not depend on
                        # the client-supplied Host header and keeps the path and query.
                        return 301 https://example.com$request_uri;
                }
        }

        # HTTPS server for example.com / www.example.com with the real certificate
        # chain and an HSTS header.
        server {
                listen 172.17.0.1:443      ssl http2;
                # NOTE(review): `default_server` (and ipv6only=on) on this address:port is
                # also declared by the dummy-certificate catch-all above. If this block is
                # meant to serve only the names in server_name, drop both parameters here
                # so the catch-all stays the default.
                listen [FE80:...:0001]:443 ssl http2 ipv6only=on default_server;
                server_name example.com www.example.com;
                # No ssl_verify_client / ssl_stapling is visible in this block, so the
                # trusted CA file has no effect as shown.
                ssl_trusted_certificate    "/etc/ssl/trusted.crt.pem";
                ssl_certificate            "/etc/ssl/chain.crt.pem";
                ssl_certificate_key        "/etc/ssl/privkey.pem";
                # HSTS caveats:
                #  - max-age=315360000 is ten years. With includeSubDomains and preload,
                #    every subdomain is committed to HTTPS and a preload-list entry is
                #    slow to undo, so confirm all subdomains serve valid TLS first.
                #  - Without the `always` parameter the header is not added to error
                #    responses.
                #  - add_header is inherited by a location only if that location defines
                #    no add_header of its own. The elided `location /` body must not add
                #    headers, or it must repeat this one.
                #  - The quoted value is wrapped across two lines here (mail line wrap).
                #    In the real file it should sit on a single line.
                add_header Strict-Transport-Security "max-age=315360000; 
includeSubDomains; preload";
                location / {...}
        }

With that config when I try to launch nginx it fails with these errors

        Aug 09 11:29:21 myhost nginx[10095]: nginx: [emerg] bind() to [::]:443 
failed (98: Address already in use)

If I comment out the IP-less listener

        #       server {
        #               listen 443                 ssl http2 default_server;
        #               listen [::]:443            ssl http2 ipv6only=on 
default_server;
        #               server_name _;
        #               ssl_trusted_certificate    "/etc/ssl/trusted.crt.pem";
        #               ssl_certificate            "/etc/ssl/dummy.crt.pem";
        #               ssl_certificate_key        "/etc/ssl/dummy.key.pem";
        #               return 444;
        #       }

and try again, the site fails again with that Firefox error: "Websites prove 
their identity via certificates. Firefox does not trust this site because it 
uses a certificate that is not valid for ...".