
Setup: I have an nginx client which is sending an HTTPS request to an nginx origin server.

I have been doing my research on how the directive 'proxy_ssl_name' can be used to override the SNI. According to the official nginx documentation, the default value used by 'proxy_ssl_name' is $proxy_host.

In my case, the value of $proxy_host is the name of the upstream server block ('ups_server'). I can see that 'ups_server' is being sent as the SNI from my client server. I am not able to understand how the origin server is sending the right certificate back to my client when it receives an SNI that doesn't match any of the supported domain names.

Can someone please help me understand this?

  • Does the origin server have multiple certificates? Commented Sep 7, 2018 at 3:14
  • Yes. The origin server has multiple certificates. Commented Sep 7, 2018 at 23:45

1 Answer


The origin server sends the default server block's certificate if no server block matches the SNI.

  • Thanks. I found that the origin server is sending the default server's certificate. My default server block should have returned 404. But the weird part is, after establishing the HTTPS connection using the default server's certificate, nginx is serving content from the server block whose hostname is equal to the Host header. Commented Sep 7, 2018 at 23:48
  • These things will happen when you haven't explicitly specified all used hostnames for both http (listen 80;) and https (listen 443;). I also recommend having a default_server block for both http and https, where you either return 404 (http) or 444 (https). By explicitly specifying all of this, you don't need to try to interpret why a certain virtual host is selected. Commented Sep 8, 2018 at 10:19
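The setup the answer and comments describe, as an added configuration example that is not part of the original thread: the proxying side sends the real hostname as SNI instead of the upstream block name and verifies the origin certificate against it, and the origin has explicit default_server blocks so an unmatched SNI no longer lands on whichever block happens to be first. Hostnames, certificate paths and the origin address are assumptions.

```nginx
# --- proxying (client) nginx ---
upstream ups_server {
    server origin.example.com:443;      # assumed origin address
}

server {
    listen 443 ssl;
    server_name client.example.com;     # assumed name for this vhost
    # ssl_certificate / ssl_certificate_key for this vhost go here

    location / {
        proxy_pass https://ups_server;
        # Host header the origin uses to pick the server block
        proxy_set_header Host app.example.com;
        # Send SNI, and use the real hostname rather than the default
        # $proxy_host, which here would be "ups_server"
        proxy_ssl_server_name on;
        proxy_ssl_name app.example.com;
        # Verify the origin certificate against that same name, so a
        # default-server certificate for some other host is rejected
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/certs/origin-ca.pem;
    }
}

# --- origin nginx ---
server {
    # Explicit catch-all for SNI values that match no server_name;
    # without it nginx uses the first ssl server block on this port
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/nginx/certs/fallback.pem;
    ssl_certificate_key /etc/nginx/certs/fallback.key;
    return 444;                         # drop the connection
}

server {
    listen 80 default_server;
    server_name _;
    return 404;
}

server {
    listen 443 ssl;
    server_name app.example.com;
    ssl_certificate     /etc/nginx/certs/app.pem;
    ssl_certificate_key /etc/nginx/certs/app.key;
    # application locations go here
}
```

With proxy_ssl_name left at its default, the handshake above would complete with the fallback certificate and the request would still be routed by the Host header, which is the behaviour observed in the comments; with proxy_ssl_verify on, the proxy refuses that connection instead.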
