On Fri, Feb 28, 2020 at 9:08 PM Reinis Rozitis <[email protected]> wrote: > > I did follow your steps. My nginx.conf file is > https://paste.centos.org/view/ae22889e when I run the curl call, I am > still receiving HTTP 200 OK response instead of HTTP 444 (No Response) as > per the below output > > If you've just called config reload then most likely your nginx is still > using an old configuration (you should always check with: nginx -t). > > > I tried to make a simple test case and turns out you can't have just > 'listen 443;' directive (even there is no 'ssl' option) in one server block > if another has ' listen 443 ssl;' nginx requires to specify a > "ssl_certificate" (which is kind of understandable if you know that nginx > has several caveats regarding listen ip:port pairs). > > The error looks like: > > nginx -t > nginx: [emerg] no "ssl_certificate" is defined for the "listen ... ssl" > directive in nginx.conf:39 > nginx: configuration file nginx.conf test failed > > So before writing solutions out of head one should always note that and/or > test your own suggestions :) > > > > The correct configuration example should look like this (for > somedummy.crt/key certificate you can either use some self signed or just > any other valid certificate (since nginx checks the validity of ssl > certificates at startup/config reload you can't place nonexisting/nonvalid > certs here)): > > > > server { > listen 443; > ssl_certificate somedummy.crt; > ssl_certificate_key somedummy.key; > server_name _; > return 444; > } > > server { > listen 443 ssl; > ssl_certificate validdomain.crt; > ssl_certificate_key validdomain.key; > server_name validdomain; > return 200 'Works'; > } > > > Then the curl requests with Host injects should work as expected: > > curl --verbose https://validdomain > > > GET / HTTP/1.1 > > Host: validdomain > > > < HTTP/1.1 200 OK > * Connection #0 to host validdomain left intact > Works > > > curl --verbose --header 'Host: invalidhost' https://validdomain > > > GET / HTTP/1.1 > > Host: invalidhost > > > * Empty reply from server > * Connection #0 to host validdomain left intact > curl: (52) Empty reply from server > > > > > p.s. for further testing you should note also that curl doesn't use the > Host header for SNI (https://github.com/curl/curl/issues/607 ) rather > than the one in the url > > So something like: > > curl --verbose --header 'Host: validhostname' https://127.0.0.1 > will fail with: > curl: (51) SSL: no alternative certificate subject name matches target > host name '127.0.0.1' > > > will fail but on the other hand (if your somedummy.crt has an actual > domain): > > curl --verbose --header 'Host: validdomain' https://somedummy > > * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384 > > GET / HTTP/1.1 > > Host: validdomain > > < HTTP/1.1 200 OK > < Server: nginx/1.17.8 > * Connection #0 to host somedummy left intact > Works > > the dummy ssl certificate will be used but nginx will serve the validdoman > virtualhost . > > rr > > > _______________________________________________ > nginx mailing list > [email protected] > http://mailman.nginx.org/mailman/listinfo/nginx
Thanks Reinis for a detailed explanation. It worked as expected. Thanks a lot for all the help and much appreciated.
_______________________________________________ nginx mailing list [email protected] http://mailman.nginx.org/mailman/listinfo/nginx
