<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
<font face="Helvetica, Arial, sans-serif">I have also noticed some
unusual behaviour with ssl server configs. I found that some items put
in http were better to be put again in the server section. In
particular, I found that if fastcgi_params was "included" in http </font><font
face="Helvetica, Arial, sans-serif">(and worked fine with non-ssl
sections) </font><font face="Helvetica, Arial, sans-serif">then inside
an ssl server it would cross post values from one domain to another. I
fixed it by including the fastcgi_params again inside the ssl server. I
have no idea why that worked or why it wouldn't behave as expected in
the first place but you may try something similar to see if it helps.<br>
Chris :)<br>
</font><br>
Martian Alien wrote:
<blockquote cite="mid:BAY105-W40F3AF1EA5109DD755D6ECC9570@phx.gbl"
type="cite">
<div style="text-align: left;">Note that the base domain
(example.com) redirects fine to WWW (<a class="moz-txt-link-abbreviated" href="http://www.example.com">www.example.com</a>). Then adding a
2nd subdomain, API (api.example.com), returns the WWW certificate
rather than the API one and flags a trust concern in most browsers.
Tried a listen field with both api.example.com:443 and the local
interface 127.0.0.1:443, all fail in the same way. Redirect works fine
except it returns the incorrect SSL certificate.<br>
<br>
server {<br>
listen api.example.com:443;<br>
server_name api.example.com api;<br>
<br>
ssl on;<br>
ssl_certificate /opt/local/nginx/certs/api.example.com.crt; <br>
ssl_certificate_key /opt/local/nginx/certs/api.example.com.key; <br>
<br>
rewrite ^/(.*) https://www.example.com/$1 permanent;<br>
}<br>
<br>
server {<br>
listen api.example.com:80;<br>
server_name api.example.com api;<br>
rewrite ^/(.*) http://www.example.com/$1 permanent;<br>
}<br>
</div>
<br>
Thanks again for looking into this concern,<br>
Martian<br>
<br>
<hr id="stopSpelling">> Date: Tue, 9 Sep 2008 10:22:15 +0400<br>
> From: <a class="moz-txt-link-abbreviated" href="mailto:is@rambler-co.ru">is@rambler-co.ru</a><br>
> To: <a class="moz-txt-link-abbreviated" href="mailto:nginx@sysoev.ru">nginx@sysoev.ru</a><br>
> Subject: Re: cert handling on redirect of https subdomains<br>
> <br>
> On Tue, Sep 09, 2008 at 05:51:04AM +0000, Martian Alien wrote:<br>
> <br>
> > Hi Nginx Group,<br>
> > <br>
> > Just wanted to start off by saying nginx is a rad web server!
Na zdrowie!<br>
> > <br>
> > So we've noticed some issues with setting up https ssl
certificates over multiple subdomains.<br>
> > <br>
> > The base domain (example.com) and the first subdomain
(<a class="moz-txt-link-abbreviated" href="http://www.example.com">www.example.com</a>) work beautifully:<br>
> > <br>
> > server {<br>
> > listen www.example.com:443 default;<br>
> > server_name www.example.com;<br>
> > <br>
> > ssl on;<br>
> > ssl_certificate /opt/local/nginx/certs/www.example.com.crt; <br>
> > ssl_certificate_key
/opt/local/nginx/certs/www.example.com.key; <br>
> > <br>
> > location / {<br>
> > # ...<br>
> > }<br>
> > }<br>
> > <br>
> > server {<br>
> > <br>
> > listen www.example.com:80 default;<br>
> > <br>
> > server_name www.example.com;<br>
> > location / {<br>
> > <br>
> > # ...<br>
> > <br>
> > }<br>
> > <br>
> > }<br>
> > <br>
> > <br>
> > server {<br>
> > listen example.com:443;<br>
> > server_name example.com;<br>
> > <br>
> > ssl on;<br>
> > ssl_certificate /opt/local/nginx/certs/example.com.crt; <br>
> > ssl_certificate_key /opt/local/nginx/certs/example.com.key; <br>
> > <br>
> > rewrite ^/(.*) https://www.example.com/$1 permanent;<br>
> > }<br>
> > <br>
> > server {<br>
> > server_name example.com;<br>
> > rewrite ^/(.*) http://www.example.com/$1 permanent;<br>
> > }<br>
> > <br>
> > NOW, If the following is added, the correct SSL cert for
api.example.com is not loaded before the redirect, the <a class="moz-txt-link-abbreviated" href="http://www.example.com">www.example.com</a>
cert is loaded instead:<br>
> > <br>
> > server {<br>
> > listen 127.0.0.1:443;<br>
> > server_name api.example.com api;<br>
> > <br>
> > ssl on;<br>
> > ssl_certificate /opt/local/nginx/certs/api.example.com.crt; <br>
> > ssl_certificate_key
/opt/local/nginx/certs/api.example.com.key; <br>
> > <br>
> > rewrite ^/(.*) https://www.example.com/$1 permanent;<br>
> > }<br>
> > <br>
> > server {<br>
> > listen 127.0.0.1:80;<br>
> > server_name api.example.com api;<br>
> > rewrite ^/(.*) http://www.example.com/$1 permanent;<br>
> > }<br>
> > <br>
> > <br>
> > Any ideas on how to set up multiple SSL / HTTPS subdomains,
each with their own cert in nginx?<br>
> > <br>
> > I've tried many conf variants. At this point, I'm suspecting
it is a bug in nginx, but how would that be possible. =)<br>
> <br>
> 127.0.0.1 is the loopback interface, do you connect to it from
outside?<br>
> <br>
> <br>
> -- <br>
> Igor Sysoev<br>
> <a class="moz-txt-link-freetext" href="http://sysoev.ru/en/">http://sysoev.ru/en/</a><br>
> <br>
<br>
</blockquote>
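<br>
The certificate mix-up discussed in this thread, as an added example (not part of any poster's message and not nginx project code): nginx picks the certificate during the TLS handshake, before it has seen the Host header, so unless both the client and the nginx build support SNI, every name on one IP:port is answered with the default server's certificate. The sketch lints a constructed copy of the thread's config for that condition; the HOSTS map, the 192.0.2.10 address and the function names are assumptions.<br>

```python
import re
from collections import defaultdict

# Constructed sample: the thread's server blocks, trimmed to the TLS-relevant lines.
SAMPLE_CONF = """
server { listen www.example.com:443 default; server_name www.example.com;
         ssl_certificate /opt/local/nginx/certs/www.example.com.crt; }
server { listen example.com:443; server_name example.com;
         ssl_certificate /opt/local/nginx/certs/example.com.crt; }
server { listen api.example.com:443; server_name api.example.com api;
         ssl_certificate /opt/local/nginx/certs/api.example.com.crt; }
"""
# Assumption: all three names resolve to one address (192.0.2.10 is a documentation IP).
HOSTS = {"www.example.com": "192.0.2.10", "example.com": "192.0.2.10",
         "api.example.com": "192.0.2.10"}

def parse_servers(conf):
    """Return one dict per flat server block (no nested braces) that sets a certificate."""
    servers = []
    for body in re.findall(r"server\s*\{([^{}]*)\}", conf):
        directives = {}
        for stmt in body.split(";"):
            parts = stmt.split()
            if parts:
                directives[parts[0]] = parts[1:]
        if "ssl_certificate" in directives and "listen" in directives:
            servers.append(directives)
    return servers

def shared_socket_findings(conf, hosts):
    """Group TLS servers by resolved ip:port and report sockets that carry several certs."""
    groups = defaultdict(list)
    for srv in parse_servers(conf):
        host, _, port = srv["listen"][0].rpartition(":")
        groups[(hosts.get(host, host), port)].append(srv)
    findings = []
    for (ip, port), members in sorted(groups.items()):
        if len({m["ssl_certificate"][0] for m in members}) < 2:
            continue  # one certificate on this socket: nothing to mix up
        # nginx falls back to the block marked default, else the first one listed.
        default = next((m for m in members if "default" in m["listen"][1:]), members[0])
        findings.append({
            "socket": f"{ip}:{port}",
            "served_cert": default["ssl_certificate"][0],
            "names_at_risk": [m["server_name"][0] for m in members if m is not default],
        })
    return findings
```

Changing the api block's listen to 127.0.0.1:443, as in the first message, puts it on its own socket, which is reachable only from the local machine.<br>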
</body>
</html>