Multiple server definitions with SSL

luislavena · July 26, 2011, 6:45pm

We recently had a problem where we created a new server configuration
(for http with and without ssl on ports 443 and 80 respectively) on a
shared web server which also included a number of other nginx servers
similarly configured.

Unfortunately, we neglected to include the ssl_certificate and
ssl_certificate_key directives for the new server. So, the
configurations looked something like this:

START CONFIG

Pre-existing, working server definition (one of several)

server {
listen 80;
listen 443 ssl;

server_name first.example.com;

ssl_certificate /path/to/ssl.crt
ssl_certificate_key /path/to/key.crt

snip

}

New server definition

server {
listen 80
listen 443 ssl;

server_name second.example.com;

snip

}

END CONFIG

Now, prior to restarting the nginx process, we issued “nginx -t” to test
the new configuration - everything passed. Once the nginx service was
restarted, however, the old, working site failed to respond to https
requests (cURL said "Unknown SSL protocol error in connection to
first.example.com:443 "), even though the configuration for that
particular server was unchanged.

I’ve since added a default SSL server to my config, which seems to fix
this problem incase ssl_certificate_* lines get missed in future (there
was no server with “listen 443 ssl default” prior to that).

We’re running Ubuntu 10.04 LTS x86_64 with Nginx 1.0.0 stable from PPA:

$ nginx -V
nginx: nginx version: nginx/1.0.0
nginx: TLS SNI support enabled
nginx: configure arguments: --conf-path=/etc/nginx/nginx.conf
–error-log-path=/var/log/nginx/error.log
–http-client-body-temp-path=/var/lib/nginx/body
–http-fastcgi-temp-path=/var/lib/nginx/fastcgi
–http-log-path=/var/log/nginx/access.log
–http-proxy-temp-path=/var/lib/nginx/proxy
–http-scgi-temp-path=/var/lib/nginx/scgi
–http-uwsgi-temp-path=/var/lib/nginx/uwsgi
–lock-path=/var/lock/nginx.lock --pid-path=/var/run/nginx.pid
–with-debug --with-http_addition_module --with-http_dav_module
–with-http_geoip_module --with-http_gzip_static_module
–with-http_image_filter_module --with-http_realip_module
–with-http_stub_status_module --with-http_ssl_module
–with-http_sub_module --with-http_xslt_module --with-ipv6
–with-sha1=/usr/include/openssl --with-md5=/usr/include/openssl
–with-mail --with-mail_ssl_module
–add-module=/build/buildd/nginx-1.0.0/debian/modules/nginx-echo
–add-module=/build/buildd/nginx-1.0.0/debian/modules/nginx-upstream-fair

Is this expected behaviour? Should nginx -t not have flagged that there
was no default ssl_certificate(_key) directives defined? Why was the
first server affected?

Ben_Lancaster · July 26, 2011, 8:13pm

Hello!

On Tue, Jul 26, 2011 at 05:44:32PM +0100, Ben Lancaster wrote:

We recently had a problem where we created a new server
configuration (for http with and without ssl on ports 443 and 80
respectively) on a shared web server which also included a
number of other nginx servers similarly configured.

Unfortunately, we neglected to include the ssl_certificate and
ssl_certificate_key directives for the new server. So, the
configurations looked something like this:

[…]

Is this expected behaviour? Should nginx -t not have flagged
that there was no default ssl_certificate(_key) directives
defined?

Probably yes, but this isn’t currently done when you define
ssl servers with

listen ... ssl;

Using “ssl on;” in separate server definition will give you
expected config test error.

Why was the first server affected?

Most likely because you used something like “include
/path/to/files/*;” to include individual config files, and new
server you added was picked up first and become default one.

Maxim D.

Ben_Lancaster · July 28, 2011, 11:36am

Hello!

On Thu, Jul 28, 2011 at 10:55:11AM +0400, Igor S. wrote:

Unfortunately, we neglected to include the ssl_certificate and
ssl servers with
listen ... ssl;
Using “ssl on;” in separate server definition will give you
expected config test error.
I’m going to decprecate “ssl on” directive in favour of “listen … ssl”,
since SSL is rather a port option, but not server one.
The initial “ssl on” was inspired by Apache 1.3.
Apache’s “Listen … https” appeared in somewhere in 2005.

Ok, so should we add config parsing time ssl_certificate checks to
it then? Or, alternatively, drop this checks altogether assuming
there are aNULL ciphers to be used or other SNI-based servers
with certificates defined?

Both should resolve the problem as specified in original message.
I personally think the latter looks more promising.

Maxim D.

Ben_Lancaster · July 28, 2011, 8:55am

On Tue, Jul 26, 2011 at 10:12:43PM +0400, Maxim D. wrote:

ssl_certificate_key directives for the new server. So, the
listen ... ssl;
Using “ssl on;” in separate server definition will give you
expected config test error.

I’m going to decprecate “ssl on” directive in favour of “listen …
ssl”,
since SSL is rather a port option, but not server one.
The initial “ssl on” was inspired by Apache 1.3.
Apache’s “Listen … https” appeared in somewhere in 2005.

–
Igor S.