Using Nginx with SNI – Configuration Guide

nginxsnissl

By now I've not used SNI with nginx yet. But as IP address pools are quite filled and commercial XP support is about to cease (finally) I'm thinking about converting a few sites to SNI.

I'm aware of the general limitations and pitfalls that might come along with SNI (XP issue, very old browsers). But beyond that is there anything I should be aware of?

Like
– nginx related pitfalls when using SNI
– issues/bugs with recent (notable!) browsers

Best Answer

If your version of nginx shows TLS SNI support when you do nginx -V then you're ready to go.

If you want to run your server without regard to the IP address, then don't use an IP address in the SSL web server's listen directives to use SNI for that virtual host.

For instance, change:

listen 198.51.100.206:443 ssl;

to:

listen 443 ssl;

Even if you do use an IP address, SNI will be used anyway, for all servers which are listening on the same IP address.

Correct way in new versions of nginx

Turn out my first answer to this question was correct at certain time, but it turned into another pitfall - to stay up to date please check Taxing rewrite pitfalls

I have been corrected by many SE users, so the credit goes to them, but more importantly, here is the correct code:

server {
       listen         80;
       server_name    my.domain.com;
       return         301 https://$server_name$request_uri;
}

server {
       listen         443 ssl;
       server_name    my.domain.com;
       # add Strict-Transport-Security to prevent man in the middle attacks
       add_header Strict-Transport-Security "max-age=31536000" always; 

       [....]
}

Nginx – How to define which SSL certificate nginx sends first with SNI

The default_server setting of the listen directive should determine which certificate is sent for a request without SNI set in the handshake. Change the listen directive of the desired default:

listen 443 default_server ssl;

Best Answer

Related Solutions

NGINX Redirect – How to Rewrite All HTTP Requests to HTTPS While Maintaining Sub-Domain

Correct way in new versions of nginx

Nginx – How to define which SSL certificate nginx sends first with SNI

Related Topic