nginx and SNI

Server Name Indication (SNI) lets you serve multiple sites with different TLS/SSL certificates from a single IP address. Nginx has supported SNI for quite some time, and setting it up is easy: simply add a server block for each site. There is one caveat: the server_name directive must come before the ssl_certificate directive for SNI to be activated:

server {
    listen          443 ssl;
    server_name     www.example.com;
    ssl_certificate www.example.com.crt;
    ...
}

server {
    listen          443 ssl;
    server_name     www.example.org;
    ssl_certificate www.example.org.crt;
    ...
}

is good, but

server {
    listen          443 ssl;
    ssl_certificate www.example.com.crt;
    server_name     www.example.com;
    ...
}

server {
    listen          443 ssl;
    ssl_certificate www.example.org.crt;
    server_name     www.example.org;
    ...
}

will serve the wrong certificate for www.example.org.
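Two checks a practitioner would want for the caveat above, as an added example that is not part of the original post: a small linter that flags server blocks where ssl_certificate precedes server_name (it assumes flat server blocks with no nested location blocks, and reports only the first name of a server_name line), and a connection test that sends a given SNI name and reports which DNS names the presented certificate actually covers, so a wrong-certificate symptom like the one described shows up as a name mismatch rather than a vague handshake error.

```python
import re
import socket
import ssl

# Constructed sample in the problematic order described above.
BAD_CONFIG = """
server {
    listen          443 ssl;
    ssl_certificate www.example.org.crt;
    server_name     www.example.org;
}
"""


def check_directive_order(config_text):
    """Return server_name values whose block lists ssl_certificate before
    server_name. Assumes flat server blocks (no nested location {} blocks)."""
    problems = []
    for block in re.findall(r"server\s*\{(.*?)\}", config_text, re.S):
        name_pos = block.find("server_name")
        cert_pos = block.find("ssl_certificate")
        if name_pos == -1 or cert_pos == -1:
            continue  # not a TLS vhost, or nothing to compare
        if cert_pos < name_pos:
            m = re.search(r"server_name\s+(\S+?);", block)
            problems.append(m.group(1) if m else "<unnamed>")
    return problems


def served_names(host, port=443, timeout=5):
    """Connect with SNI set to `host` and return the DNS names in the
    presented certificate's SAN extension. Chain validation still applies;
    only the hostname check is disabled so a mismatch is reported, not raised."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def name_covered(host, names):
    """True if `host` matches one of `names` exactly or via a single-label
    wildcard (*.example.org covers www.example.org, not a.b.example.org)."""
    h = host.lower().rstrip(".")
    for n in (x.lower() for x in names):
        if n == h:
            return True
        if n.startswith("*.") and h.count(".") == n.count(".") and h.endswith(n[1:]):
            return True
    return False
```

Run `name_covered(host, served_names(host))` against each vhost after a reload; a False for www.example.org while www.example.com passes is exactly the mis-served certificate the post describes.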
