I'm trying to set up nginx as a front-end to IIS 7 so that I can set up multiple SSL certificates on a single IP, something IIS does not support (shocker).
The way I see it, I neither need to nor should be interfering with the HTTP layer at all, or with any of the unencrypted data for that matter (because of Exchange's NTLM Authentication, which is bound to the TCP session instead of to individual requests). I should set up nginx to handle only the SSL layer.
Luckily, it supports doing that! But not with multiple certificates, apparently?
Basically this is what I'm trying:
stream {
    upstream http_backend {
        server 192.168.1.1:80;
    }
    upstream https_backend {
        server 192.168.1.1:443;
    }

    server {
        listen 80;
        proxy_pass http_backend;
    }

    server {
        listen 443 ssl;
        # Attempt at loading one certificate per domain on the same listener
        ssl_certificate     certs/default.pem;
        ssl_certificate_key certs/default.key;
        ssl_certificate     certs/domain1.pem;
        ssl_certificate_key certs/domain1.key;
        ssl_certificate     certs/domain2.pem;
        ssl_certificate_key certs/domain2.key;
        proxy_pass https_backend;
        proxy_ssl on;
    }
}
According to the documentation, ssl_certificate and ssl_certificate_key can be called multiple times, but for the purpose of specifying certificates of different types, not for different domains. In this case, the last pair simply overrides the previous ones and becomes the only certificate you negotiate with when trying to access the server, regardless of the host name used.
In stream mode I cannot set up multiple server entries on the same port just by changing server_name like I can in http mode; in fact, server does not support server_name at all when used in the stream context, so it's unclear how I'm supposed to solve this.
I've been Googling all day and can't figure out a solution. Perhaps nginx just doesn't support what I need? And in which case, is there an alternative?
Any advice appreciated!
Best Answer
So I had an epiphany and managed to crack this problem.
Turns out you don't need to set up SSL mode or any certificate in the stream server entry to get ssl_preread to work, and this makes an interesting workaround possible. I can set up multiple server entries on arbitrary ports listening on localhost only, each one with a different certificate, and have a main server on port 443 routing the incoming connections to the correct one. Here's a basic configuration with 3 certificates:
So as far as SSL and NTLM Authentication go this is working wonders; the only thing I'm lacking with this set-up is the possibility to register the real user IP in the IIS logs, since I can't set X-Forwarded-For in the HTTP headers.
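The routing the answer describes, written out as an added example. This is not the answerer's own configuration (which did not survive on this page) and not part of the original post. The domain names, the loopback port numbers and the certificate paths are assumptions; it needs nginx built with ngx_stream_ssl_preread_module (1.11.5 or later) and the stream map module.

```nginx
stream {
    # The front listener does not terminate TLS. ssl_preread parses the
    # ClientHello and exposes the SNI name, which the map turns into the
    # address of the loopback listener holding the matching certificate.
    # Clients that send no SNI, or an unknown name, get the default cert.
    map $ssl_preread_server_name $sni_backend {
        domain1.example.com 127.0.0.1:8443;   # assumed name and port
        domain2.example.com 127.0.0.1:8444;   # assumed name and port
        default             127.0.0.1:8442;   # assumed port
    }

    upstream http_backend {
        server 192.168.1.1:80;
    }
    upstream https_backend {
        server 192.168.1.1:443;
    }

    server {
        listen 80;
        proxy_pass http_backend;
    }

    # Public entry point: no "ssl" flag and no certificate here.
    # The raw TLS byte stream is forwarded untouched to the chosen listener,
    # so each client TCP connection still maps 1:1 onto one upstream
    # connection, which is what NTLM's per-connection binding needs.
    server {
        listen 443;
        ssl_preread on;
        proxy_pass $sni_backend;
    }

    # One TLS-terminating listener per certificate, bound to loopback only
    # so they are never reachable directly from the network. Each one
    # re-encrypts towards IIS with proxy_ssl.
    server {
        listen 127.0.0.1:8442 ssl;
        ssl_certificate     certs/default.pem;
        ssl_certificate_key certs/default.key;
        proxy_pass https_backend;
        proxy_ssl on;
    }

    server {
        listen 127.0.0.1:8443 ssl;
        ssl_certificate     certs/domain1.pem;
        ssl_certificate_key certs/domain1.key;
        proxy_pass https_backend;
        proxy_ssl on;
    }

    server {
        listen 127.0.0.1:8444 ssl;
        ssl_certificate     certs/domain2.pem;
        ssl_certificate_key certs/domain2.key;
        proxy_pass https_backend;
        proxy_ssl on;
    }
}
```

To check which certificate is presented for a given name, connect with `openssl s_client -connect <front-end>:443 -servername domain1.example.com` and compare the subject against a run with `-servername domain2.example.com` and a run without `-servername` (which should land on the default listener). Two caveats: the SNI value is client-controlled and unauthenticated, but since it only selects which certificate nginx presents, a mismatched name just yields a certificate warning or handshake failure on the client rather than a bypass; and proxy_ssl_verify is off by default, so the hop from nginx to IIS does not validate the IIS certificate unless you add proxy_ssl_verify on together with proxy_ssl_trusted_certificate.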