| Comments

NGINX SNI

Well, I might as well round out my Server Name Indication (SNI) sort of series by taking a look an nginx. Does your nginx support SNI? You can check by running nginx -V, but unless your nginx was built when dinosaurs roamed the earth, you should see:

1

TLS SNI support enabled

However, if you have a really, really old version of OpenSSL, you might see:

1
2
3

nginx was built with SNI support, however, now it is linked
dynamically to an OpenSSL library which has no tlsext support,
therefore SNI is not available

If you do see that, just run halt -p and walk away. They aren’t paying you enough to deal with that old server.

Presuming you do have SNI support, the rest is simple. Just as with Apache, all you need to do is tell each virtual host to use it’s own certificate:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

server {
        listen   443;
        server_name example.com;
        ssl on;
        ssl_certificate /etc/nginx/ssl/example.com/server.crt;
        ssl_certificate_key /etc/nginx/ssl/example.com/server.key;
}

server {
        listen   443;
        server_name example.net;
        ssl on;
        ssl_certificate /etc/nginx/ssl/example.net/server.crt;
        ssl_certificate_key /etc/nginx/ssl/example.net/server.key;
}

Boom! Done!

Comments