4

I want to support SSL for clients which lack SNI support (IE/FF/Safari on Win XP, Android < 2.2, and others).

The solution I picked was to have nginx listen on a separate port for each certificate.

Question is: Is there another way to solve this, or was I doing all right?

Tzury Bar Yochay

2 Answers

3

That is one way to solve it, but whether it's a good way is up for discussion. A lot of limited networks can only access ports 80 and 443, making it impossible for those users to reach your content.

The way to solve it would be to have multiple IP addresses and have one certificate on each.

Another solution would be to use a UCC SSL certificate. I don't know how many domains you want to secure and whether you often make changes to that, but Comodo offers those.

Frands Hansen
  • To the public, ports are still 443 and 80. It is an internal mapping only (inside the LB). As for the UCC SSL, it does not scale well; we are going to serve several hundred domains and beyond ... – Tzury Bar Yochay Jan 29 '12 at 04:56
  • There is no such thing as internal mapping when talking SSL, because the SSL negotiation happens before exchanging any data (such as host header, query string etc.). The only thing your LB can do is balancing load and perhaps SSL off loading.. But it cannot do magic (unfortunately). – Frands Hansen Jan 29 '12 at 09:35
  • On the SSL layer, no; on the TCP layer, yes. I am mapping on layer 3. SSL decryption/offloading is done in the internal server(s). – Tzury Bar Yochay Jan 29 '12 at 09:51
  • I'm not sure what you are trying to argue here? It seems that you think, that you already have the solution to your problem and know better than us. Why ask then? SSL is negotiated in layer 6 but the HTTP host header is not negotiated until layer 7. So whatever load balancing you do on layer 3 will not change any of the facts: you cannot achieve what your question asks without UCC or SNI. – Frands Hansen Jan 29 '12 at 10:00
  • My question is simple: "Is there another way to solve this, or was I doing all right?" - In other words, I have a working solution, and I seek to see whether that's fine, or can be done better. So far I haven't got any better solution. Not trying to argue, but to explain. – Tzury Bar Yochay Jan 29 '12 at 15:19
  • Okay :) But then the answer is that there aren't other ways around this issue. Different ports, UCC SSL or SNI are the ways. I would never recommend SNI because there are _a lot_ of WinXP users still. Let's hope ISPs around the globe get IPv6 implemented soon, then these problems will be history. – Frands Hansen Jan 29 '12 at 20:42
2

That's basically correct if you're limited to one IP address.

If you can use multiple IP addresses, then it would be better to bind to the standard HTTPS port on each IP. The browser address bar will look less strange to an average user in this case, if that's a concern.

cjc
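Neither answer shows the nginx side, so here is an added example (not from the question or either answer) of the two layouts discussed: one port per certificate on a single IP, as the asker does, and one IP per certificate on port 443, as cjc recommends. Host names, the RFC 5737 addresses and the certificate paths are constructed placeholders.

```nginx
# Layout A: one public IP, a separate listening port per certificate.
# Non-SNI clients can only reach the second site as https://other.example.com:8443/,
# which is exactly the port-443-only-network problem raised in the first answer.
server {
    listen 203.0.113.10:443 ssl;
    server_name first.example.com;
    ssl_certificate     /etc/nginx/ssl/first.example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/first.example.com.key;
}
server {
    listen 203.0.113.10:8443 ssl;
    server_name other.example.com;
    ssl_certificate     /etc/nginx/ssl/other.example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/other.example.com.key;
}

# Layout B: one IP address per certificate, every site on port 443.
# The TLS handshake finishes before any Host header is seen, so without SNI
# nginx can only choose the certificate by the destination IP:port. Each site
# therefore gets its own address and is the default_server for that socket;
# server_name alone would not be enough for a client that sends no SNI.
server {
    listen 203.0.113.10:443 ssl default_server;
    server_name first.example.com;
    ssl_certificate     /etc/nginx/ssl/first.example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/first.example.com.key;
}
server {
    listen 203.0.113.11:443 ssl default_server;
    server_name other.example.com;
    ssl_certificate     /etc/nginx/ssl/other.example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/other.example.com.key;
}
```

A quick check after deploying layout B: `openssl s_client -connect 203.0.113.11:443` (no `-servername`, i.e. no SNI) should return the other.example.com certificate, while the same command against 203.0.113.10 should return first.example.com's.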