
This is my nginx setup. I also use Docker and Docker Compose to run my nginx and web service.

This is what I see when I run `nginx -V` inside the Docker container:

nginx version: nginx/1.15.5
built by gcc 6.4.0 (Alpine 6.4.0)
built with OpenSSL 1.0.2p 14 Aug 2018
TLS SNI support enabled

## Plain-HTTP listener for both names. Nothing is served here: every request
## is bounced to HTTPS. Echoing `$host` into the redirect is acceptable only
## because `server_name` restricts this block to the two names below; any other
## Host on port 80 lands in the default_server that returns 444.
server {
    server_name domain_1 domain_2;
    listen 80;
    listen [::]:80;
    # 301 Moved Permanently to the same host and path over https.
    return 301 https://$host$request_uri;
}

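## HTTPS virtual host for domain_1.
## NOTE(review): no server block in this file is `default_server` on 443, so
## nginx also uses this block -- and presents this certificate -- for any TLS
## connection whose SNI/Host matches no server_name (e.g. a client connecting
## by IP address). That is consistent with the symptom described in the question.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name domain_1;

    ## WebSocket endpoint. The Upgrade handshake only works over HTTP/1.1
    ## (proxy_pass defaults to HTTP/1.0 towards the upstream), hence
    ## proxy_http_version.
    location /websocket/ {
        proxy_pass   http://websocket:8001;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # $server_name is the configured primary name, not the client's Host
        # header; identical for this single-name block.
        proxy_set_header X-Forwarded-Host $server_name;
    }

    ## Everything else goes to the django container. X-Forwarded-Proto tells the
    ## app the client leg was https even though this hop is plain http.
    location / {
      proxy_pass http://django:5000;

      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;

      proxy_redirect off;
    }

    ## Second WebSocket path. try_files looks for `$uri` on disk first (no
    ## `root` is set here, so against nginx's default root -- presumably always
    ## a miss; confirm that is intended) and otherwise hands off to the named
    ## location below.
    location /websockets/ {
        try_files $uri @proxy_websocket;
    }

    location @proxy_websocket {
        # FIX: without this the upstream is spoken to over HTTP/1.0, where the
        # Upgrade/Connection headers below have no effect; matches /websocket/.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_redirect off;
        proxy_pass   http://websocket:8001;
    }

    ## Static and media files are read straight from the shared volume, bypassing
    ## django. Both `location` and `alias` end in '/', so `/static/foo` maps to
    ## `/django/staticfiles/foo` exactly; keep the trailing slashes paired.
    location /static/ {
        alias /django/staticfiles/;
    }
    location /media/ {
        alias /django/media/;
    }

    ## SSL settings (protocols, ciphers, ...) live in ssl_common.conf. They are
    ## included at server level here, so every 443 server block must include it
    ## to get the same hardening.
    include /etc/nginx/conf.d/ssl_common.conf;
    # include /etc/nginx/conf.d/ssl_enp.conf;
    ssl_certificate /etc/internal_trust/live/domain_1/domain_1.crt;
    ssl_certificate_key /etc/internal_trust/live/domain_1/domain_1.key;
}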

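## HTTPS virtual host for domain_2 (the *.sg name). Mirrors the domain_1 block;
## the two should be kept in step.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name domain_2;

    ## WebSocket endpoint. The Upgrade handshake only works over HTTP/1.1
    ## (proxy_pass defaults to HTTP/1.0 towards the upstream), hence
    ## proxy_http_version.
    location /websocket/ {
        proxy_pass   http://websocket:8001;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # $server_name is the configured primary name, not the client's Host
        # header; identical for this single-name block.
        proxy_set_header X-Forwarded-Host $server_name;
    }

    ## Everything else goes to the django container. X-Forwarded-Proto tells the
    ## app the client leg was https even though this hop is plain http.
    location / {
      proxy_pass http://django:5000;

      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;

      proxy_redirect off;
    }

    ## Second WebSocket path. try_files looks for `$uri` on disk first (no
    ## `root` is set here, so against nginx's default root -- presumably always
    ## a miss; confirm that is intended) and otherwise hands off to the named
    ## location below.
    location /websockets/ {
        try_files $uri @proxy_websocket;
    }

    location @proxy_websocket {
        # FIX: without this the upstream is spoken to over HTTP/1.0, where the
        # Upgrade/Connection headers below have no effect; matches /websocket/.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_redirect off;
        proxy_pass   http://websocket:8001;
    }

    ## Static and media files are read straight from the shared volume, bypassing
    ## django. Both `location` and `alias` end in '/', so `/static/foo` maps to
    ## `/django/staticfiles/foo` exactly; keep the trailing slashes paired.
    location /static/ {
        alias /django/staticfiles/;
    }
    location /media/ {
        alias /django/media/;
    }

    ## SSL settings. FIX: the shared ssl_common.conf was only included in the
    ## domain_1 block, so this name was negotiated with nginx's built-in
    ## protocol/cipher defaults instead of the hardened ones; include it here too.
    include /etc/nginx/conf.d/ssl_common.conf;
    ssl_certificate /etc/internal_trust/live/domain_2/domain_2.crt;
    ssl_certificate_key /etc/internal_trust/live/domain_2/domain_2.key;
}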

## Catch-all for requests whose Host header matches no server_name above
## (scanners, raw-IP access): close the connection without sending a response.
server {
    listen       80 default_server;
    server_name _;
    # 444 is nginx-specific: drop the connection, send nothing.
    # NOTE(review): this only covers port 80. There is no default_server on
    # 443, so the same traffic over TLS is answered by the first 443 server
    # block in the file (domain_1) with its certificate. A 443 default_server
    # that also returns 444 (with a throw-away certificate, or
    # `ssl_reject_handshake on;` on nginx >= 1.19.4) closes that gap.
    return       444;
}

But for some reason, the certificate that is being served is always the one for domain_1, even when I visit domain_2.

I am not sure where I went wrong.

domain_1 is working well

2

Answers


  1. Chosen as BEST ANSWER

    I managed to solve my bug.

    Just change the following block

    from

    ## Before: one block answers for both names and redirects to whatever
    ## `$host` the client sent.
    server {
        listen 80;
        listen [::]:80;
        server_name domain_1 domain_2;
        # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
        return 301 https://$host$request_uri;
    }
    

    to

    ## After: one plain-HTTP block per name, each redirecting to a fixed
    ## hostname instead of echoing `$host`.
    ## NOTE(review): this only changes where port-80 requests are sent. Which
    ## certificate is presented on 443 is decided by SNI (see the second
    ## answer), so confirm the original symptom is gone when connecting by name.
    server {
        server_name domain_1;
        listen 80;
        listen [::]:80;
        # 301 Moved Permanently to the https site for this name.
        return 301 https://domain_1$request_uri;
    }
    
    ## Same shape as the domain_1 block above, for domain_2.
    server {
        server_name domain_2;
        listen 80;
        listen [::]:80;
        # 301 Moved Permanently to the https site for this name.
        return 301 https://domain_2$request_uri;
    }
    

  2. curl simply connected to the IP address and got the first SSL server block in the config.
    If you have many more virtual hosts, curl gets the first domain in the alphabet; this is normal for a request made via the IP address. The certificate is chosen during the TLS handshake from the SNI name, which curl only sends when you give it a hostname; the `Host:` header arrives after the handshake and cannot influence it.

    Example via IP addr (first config with SSL):

    # curl -v -k 'https://127.0.0.1' -H 'Host: domain1.local'
    ...
    ...
    * ALPN, server accepted to use h2
    * Server certificate:
    *  subject: C=RO; ST=Buc; L=Buc; O=TEST; OU=TEST; CN=domain1.local
    ...
    ...
    <
    * Connection #0 to host 127.0.0.1 left intact
    domain1.local* Closing connection 0
    
    # curl -v -k 'https://127.0.0.1' -H 'Host: domain2.local'
    ...
    ...
    * ALPN, server accepted to use h2
    * Server certificate:
    *  subject: C=RO; ST=Buc; L=Buc; O=TEST; OU=TEST; CN=domain1.local
    ...
    ...
    <
    * Connection #0 to host 127.0.0.1 left intact
    domain2.local* Closing connection 0
    

    But if you use the domain name, curl gets the specific server block and its SSL certificate (the correct one):

    # curl -v -k 'https://domain1.local'
    ...
    ...
    * ALPN, server accepted to use h2
    * Server certificate:
    *  subject: C=RO; ST=Buc; L=Buc; O=TEST; OU=TEST; CN=domain1.local
    ...
    ...
    <
    * Connection #0 to host domain1.local left intact
    domain1.local* Closing connection 0
    
    # curl -v -k 'https://domain2.local'
    ...
    ...
    * ALPN, server accepted to use h2
    * Server certificate:
    *  subject: C=RO; ST=Buc; L=Buc; O=TEST; OU=TEST; CN=domain2.local
    ...
    ...
    <
    * Connection #0 to host domain2.local left intact
    domain2.local* Closing connection 0
    