This is my nginx setup. I also use Docker and Docker Compose to run my nginx and web service.
This is what I see when I run nginx -V inside the Docker container:
nginx version: nginx/1.15.5
built by gcc 6.4.0 (Alpine 6.4.0)
built with OpenSSL 1.0.2p 14 Aug 2018
TLS SNI support enabled
## for http version of *
server {
    listen 80;
    listen [::]:80;
    server_name domain_1 domain_2;
    # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    return 301 https://$host$request_uri;
}

## for https version of *
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name domain_1;

    location /websocket/ {
        proxy_pass http://websocket:8001;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
    }

    ## this is to proxy pass to the django container
    location / {
        proxy_pass http://django:5000;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect off;
    }

    location /websockets/ {
        try_files $uri @proxy_websocket;
    }

    location @proxy_websocket {
        ## the WebSocket Upgrade handshake needs HTTP/1.1; nginx proxies with HTTP/1.0 unless told otherwise
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_redirect off;
        proxy_pass http://websocket:8001;
    }

    ## this is to alias the /static to the /staticfiles folder inside django container
    location /static/ {
        alias /django/staticfiles/;
    }

    ## this is to alias the /media to the /media folder inside django container
    location /media/ {
        alias /django/media/;
    }

    ## this is for the various SSL settings
    include /etc/nginx/conf.d/ssl_common.conf;
    # include /etc/nginx/conf.d/ssl_enp.conf;
    ssl_certificate /etc/internal_trust/live/domain_1/domain_1.crt;
    ssl_certificate_key /etc/internal_trust/live/domain_1/domain_1.key;
}

# for *.sg
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name domain_2;

    location /websocket/ {
        proxy_pass http://websocket:8001;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
    }

    ## this is to proxy pass to the django container
    location / {
        proxy_pass http://django:5000;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect off;
    }

    location /websockets/ {
        try_files $uri @proxy_websocket;
    }

    location @proxy_websocket {
        ## same as above: HTTP/1.1 is required for the Upgrade handshake
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_redirect off;
        proxy_pass http://websocket:8001;
    }

    ## this is to alias the /static to the /staticfiles folder inside django container
    location /static/ {
        alias /django/staticfiles/;
    }

    ## this is to alias the /media to the /media folder inside django container
    location /media/ {
        alias /django/media/;
    }

    ## this is for the various SSL settings
    ## note: ssl_common.conf is not included in this block, so it runs on nginx's default TLS settings
    ssl_certificate /etc/internal_trust/live/domain_2/domain_2.crt;
    ssl_certificate_key /etc/internal_trust/live/domain_2/domain_2.key;
}

## this is to block attempts by those using invalid host headers
server {
    server_name _;
    ## only IPv4 :80 gets this default; [::]:80 falls through to the first block that listens on it
    listen 80 default_server;
    # we do not need to cater for ssl 443 for invalid host headers
    ## note: no default_server is declared for 443, so a TLS client that sends no SNI
    ## (or a name no server_name matches) is handled by the first ssl server above,
    ## domain_1, and receives domain_1's certificate
    return 444;
}
But for some reason, the cert that's being retrieved is always the one for domain_1, even when I visited domain_2.
I am not sure where I went wrong.
domain_1 is working well.
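An added check, not part of the question or of the answers: the shell function below (assumes a POSIX sh with awk) reads an nginx configuration on stdin and reports, for every listen port, which server block nginx will use as the default when no server_name matches. For a TLS port that is also the block whose certificate is sent to a client that presents no SNI or an unknown name. The embedded sample config is constructed to mirror the one posted above; the `docker-compose exec` service name in the comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the question or the answers). Reads an nginx
# configuration on stdin and prints, per listen port, the server block nginx
# treats as the default: the one marked default_server, or, when none is,
# the first block listening on that port. Assumes POSIX sh + awk.
#
# Real usage against a running container (assumption: the service is named nginx):
#   docker-compose exec nginx nginx -T | sh nginx_defaults.sh
ssl_default_servers() {
    awk '
    {
        line = $0
        sub(/#.*/, "", line)                      # drop comments
        opens  = gsub(/[{]/, "{", line)           # count braces on this line
        closes = gsub(/[}]/, "}", line)
        if (line ~ /^[ \t]*server[ \t]*[{]/) {    # a new server block starts here
            blk++
            names[blk] = ""
            sdepth = depth + 1                    # its own directives live at this depth
        }
        depth += opens - closes
        if (blk > 0 && depth == sdepth) {         # skip location {} and other nested blocks
            if (line ~ /^[ \t]*listen[ \t]/) {
                n = split(line, f, /[ \t;]+/)
                addr = ""; isdef = 0
                for (i = 1; i <= n; i++) {
                    if (f[i] == "listen") addr = f[i + 1]
                    if (f[i] == "default_server" || f[i] == "default") isdef = 1
                }
                port = addr
                sub(/.*:/, "", port)              # "[::]:443" and "0.0.0.0:80" -> port only
                ports[port] = 1
                if (!(port in first)) first[port] = blk
                if (isdef) def[port] = blk
            }
            if (line ~ /^[ \t]*server_name[ \t]/) {
                s = line
                sub(/^[ \t]*server_name[ \t]+/, "", s)
                sub(/[ \t]*;.*/, "", s)
                names[blk] = s
            }
        }
    }
    END {
        for (p in ports) {
            if (p in def) { b = def[p];   how = "explicit default_server" }
            else          { b = first[p]; how = "NO default_server; implicit default is first block" }
            nm = names[b]
            if (nm == "") nm = "(no server_name)"
            printf "%s %s: %s\n", p, how, nm
        }
    }' | sort
}

# Constructed sample mirroring the posted setup (not the poster's actual file).
SAMPLE_CONF=$(cat <<'EOF'
server {
    listen 80;
    listen [::]:80;
    server_name domain_1 domain_2;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name domain_1;
    location / { proxy_pass http://django:5000; }   # nested block: ignored by the scan
    ssl_certificate /etc/internal_trust/live/domain_1/domain_1.crt;
    ssl_certificate_key /etc/internal_trust/live/domain_1/domain_1.key;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name domain_2;
    ssl_certificate /etc/internal_trust/live/domain_2/domain_2.crt;
    ssl_certificate_key /etc/internal_trust/live/domain_2/domain_2.key;
}
server {
    server_name _;
    listen 80 default_server;
    return 444;
}
EOF
)

# Demo on the constructed sample. The 443 line is the one to look at: with no
# default_server, domain_1 is the block whose certificate a client gets when it
# sends no SNI or a name nginx does not know.
printf '%s\n' "$SAMPLE_CONF" | ssl_default_servers
```

On the sample this prints `443 NO default_server; implicit default is first block: domain_1` and `80 explicit default_server: _`. nginx 1.15.5 cannot refuse a TLS handshake without a certificate (`ssl_reject_handshake` only arrived in 1.19.4), so if you want an explicit 443 default that does not hand out domain_1's certificate you have to give that default block a certificate of its own.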
2 Answers
I managed to solve my bug.
Just change the following block
from
to
Curl simply connected to the IP address and picked the first SSL config.
If you have many more virtual hosts, curl gets the first domain in the alphabet; this is normal for requests via IP address.
Example via IP address (first config with SSL):
But if you use the domain name, curl gets the specific config with SSL (the correct SSL):
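As an added example, not part of either answer: this shell script performs the check the answer describes, handshaking once with the SNI name and once with no SNI at all, so you can see whether nginx returns the certificate for domain_2 or falls back to its first 443 server. It assumes the openssl CLI (1.1.1 or newer, for `-noservername`); the address 203.0.113.10 and the script name are placeholders.

```shell
#!/bin/sh
# Added example (not from either answer). Shows which certificate an nginx
# endpoint presents with and without SNI. Assumes the openssl CLI, 1.1.1 or
# newer (for -noservername). 203.0.113.10 below is a placeholder address.
#
#   sh sni_check.sh 203.0.113.10 443 domain_2

# Print the subject of the leaf certificate that $1:$2 presents.
# $3 is the SNI name to send; pass "" to send no SNI at all, which is what
# curl does when given a bare IP address, so it sees the first 443 server.
probe_cert() {
    ip=$1 port=$2 sni=$3
    if [ -n "$sni" ]; then set -- -servername "$sni"; else set -- -noservername; fi
    openssl s_client -connect "$ip:$port" "$@" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject
}

# Pull the CN out of an "openssl x509 -subject" line. Both output styles are
# handled: "subject= /C=SG/CN=name" (OpenSSL 1.0.x) and "subject=CN = name, O = x" (1.1.x).
cert_cn() {
    sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# Compare the certificate served for the requested name with the one served
# when no SNI is sent. $1 = IP, $2 = port, $3 = expected domain.
check_sni() {
    with=$(probe_cert "$1" "$2" "$3" | cert_cn)
    without=$(probe_cert "$1" "$2" "" | cert_cn)
    printf 'SNI=%s  -> CN=%s\n' "$3" "$with"
    printf 'no SNI -> CN=%s\n' "$without"
    if [ "$with" != "$3" ]; then
        echo "WARNING: the certificate returned for $3 has CN=$with, not $3;"
        echo "         nginx is not selecting the server block for $3"
    fi
    if [ "$with" != "$without" ]; then
        echo "note: without SNI the default 443 server answers (CN=$without); a request by"
        echo "      bare IP, or with a name no server_name matches, lands there"
    fi
}

# The curl equivalent of a correct test: pin the IP but keep the hostname, so
# SNI and Host are both domain_2 (assumption: curl is available):
#   curl -sv --resolve "domain_2:443:203.0.113.10" https://domain_2/ -o /dev/null 2>&1 | grep 'subject:'

if [ $# -eq 3 ]; then
    check_sni "$1" "$2" "$3"
fi
```

If the SNI probe for domain_2 already returns domain_1's CN, the problem is in the server_name matching on the nginx side; if only the no-SNI probe does, the config is behaving as described in the answer and the test client was simply not sending the name.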