Multiple https website with IPv6


sonpg
I am using nginx with multiple https websites with a single IPv4 and a dedicated IPv6
for each domain.

The problem I'm having is that I'm unable to redirect non-www to www without
conflicting with the vhosts.

Here is my setup:

[b]Default[/b]

[code]
server {
    listen 80 default_server;
    listen [::2]:80 default_server;
    server_name localhost;
}
[/code]

[b]domain[/b]

[code]
server {
    listen 80;
    listen [::2]:80;
    server_name domain.com www.domain.com;
    return 301 https://www.domain.com$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::2]:443 ssl http2;
    server_name domain.com;
    return 301 https://www.$server_name$request_uri;
}

server {
    listen 443 default_server ssl http2;
    listen [::2]:443 default_server ssl http2;
    server_name www.domain.com;
}
[/code]

[b]domain 2[/b]

[code]
server {
    listen 80;
    listen [::3]:80;
    server_name domain2.com www.domain2.com;
    return 301 https://www.domain2.com$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::3]:443 ssl http2;
    server_name domain2.com;
    return 301 https://www.$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::3]:443 default_server ssl http2;
    server_name www.domain2.com;
}
[/code]

So here's the problem

IPv4

https://www.domain.com ✔
https://domain.com ✔

http://www.domain.com ✔
http://domain.com ✔

https://www.domain2.com ✔
https://domain2.com ✗(NET::ERR_CERT_COMMON_NAME_INVALID - domain.com)

http://www.domain2.com ✔
http://domain2.com ✔

IPv6

https://www.domain.com ✔
https://domain.com ✔

http://www.domain.com ✔
http://domain.com ✔

https://www.domain2.com ✔
https://domain2.com ✔

http://www.domain2.com ✔
http://domain2.com ✔

In IPv4, for the domain (https://domain2.com), the certificate of domain.com is
served.

What's wrong with my config? If it works on IPv6, why not on IPv4 when it is in
the same config block?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,277962,277962#msg-277962

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx

Re: Multiple https website with IPv6

Francis Daly
On Tue, Jan 02, 2018 at 01:40:20AM -0500, Kurogane wrote:

Hi there,

> I am using nginx with multiple https websites with a single IPv4 and a dedicated IPv6
> for each domain.

Looking at your (edited) config...

> server {
>     listen 443 ssl http2;
>     server_name domain.com;
>     return 301 https://www.$server_name$request_uri;
> }
>
> server {
>         listen 443 default_server ssl http2;
>         server_name www.domain.com;
> }

> server {
>     listen 443 ssl http2;
>     server_name domain2.com;
>     return 301 https://www.$server_name$request_uri;
> }
>
> server {
>         listen 443 ssl http2;
>         server_name www.domain2.com;
> }

It looks to me like your question is "how do I run multiple https web
sites on a single IP address?".

If that is the case, then the modern answer is "use SNI".

http://nginx.org/en/docs/http/configuring_https_servers.html

> What's wrong with my config? If it works on IPv6, why not on IPv4 when it is in
> the same config block?

You have a dedicated IPv6 address. You have a shared IPv4 address.

It is not "IPv6 works, IPv4 fails"; it is "dedicated works, shared fails".

        f
--
Francis Daly        [hidden email]

Re: how do I run multiple https web sites on a single IP address

sonpg
> It looks to me like your question is "how do I run multiple https web sites
> on a single IP address?".

> If that is the case, then the modern answer is "use SNI".

> http://nginx.org/en/docs/http/configuring_https_servers.html

I'm not sure what your point is here. nginx has had SNI built in for a decade;
even CentOS has an updated nginx version.

If my nginx does not have SNI support enabled, then why does it work with www?

Can you enlighten me as to what I am doing wrong, or what the "special"
configuration is to use SNI with a shared IPv4 address?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,277962,277965#msg-277965


Re: how do I run multiple https web sites on a single IP address

Valentin V. Bartenev-3
On Tuesday, 2 January 2018 19:27:07 MSK Kurogane wrote:

> > It looks to me like your question is "how do I run multiple https web sites
> > on a single IP address?".
>
> > If that is the case, then the modern answer is "use SNI".
>
> > http://nginx.org/en/docs/http/configuring_https_servers.html
>
> I'm not sure what your point is here. nginx has had SNI built in for a decade;
> even CentOS has an updated nginx version.
>
> If my nginx does not have SNI support enabled, then why does it work with www?
>
> Can you enlighten me as to what I am doing wrong, or what the "special"
> configuration is to use SNI with a shared IPv4 address?
>
[..]

Are you sure that a tool you're using to check supports SNI?

  wbr, Valentin V. Bartenev


Re: how do I run multiple https web sites on a single IP address

Francis Daly
On Tue, Jan 02, 2018 at 11:27:07AM -0500, Kurogane wrote:

Hi there,

> > http://nginx.org/en/docs/http/configuring_https_servers.html
>
> I'm not sure what your point is here. nginx has had SNI built in for a decade;
> even CentOS has an updated nginx version.
>
> If my nginx does not have SNI support enabled, then why does it work with www?

Ah, sorry - I had missed that https://www.domain.com, https://domain.com,
and https://www.domain2.com all worked ok on IPv4. It is only
https://domain2.com that presents an unwanted certificate.

(And it presents the certificate for domain.com, even though
www.domain.com is configured as the default_server.)

Do you have four separate ssl certificate files, each of which is valid
for a single server name?

Or do you have one ssl certificate file which is valid for multiple
server names?

> Can you enlighten me as to what I am doing wrong, or what the "special"
> configuration is to use SNI with a shared IPv4 address?

One guess - is there any chance that the contents of the ssl_certificate
file that applies in the domain2.com server{} block is actually the
domain.com certificate? (Probably not, because the IPv6 connection should
be using the same ssl_certificate, and no error was reported there.)

Other than that, I don't know. Can you provide a complete config and
test commands that someone else can use to recreate the problem?

Or, to rule out any strange IPv4/IPv6 interaction -- do you see the same
behaviour when you remove all of the IPv6 config?

Good luck with it,

        f
--
Francis Daly        [hidden email]

Re: how do I run multiple https web sites on a single IP address

sonpg
> Are you sure that a tool you're using to check supports SNI?

> wbr, Valentin V. Bartenev

What tool are you talking about? This error shows in the browser.

> Do you have four separate ssl certificate files, each of which is valid
> for a single server name?

> Or do you have one ssl certificate file which is valid for multiple
> server names?

I'm not sure what you mean, but I have two cert files. Each cert has a valid
common name to use for non-www and www.

> One guess - is there any chance that the contents of the ssl_certificate
> file that applies in the domain2.com server{} block is actually the
> domain.com certificate? (Probably not, because the IPv6 connection should
> be using the same ssl_certificate, and no error was reported there.)

domain2.com is just a block that only does the redirect, that's all. It is what
I put in the initial thread.

server {
    listen 443 ssl http2;
    listen [::3]:443 ssl http2;
    server_name domain2.com;
    return 301 https://www.$server_name$request_uri;
}

This is the full config of this block.

>Or, to rule out any strange IPv4/IPv6 interaction -- do you see the same
>behaviour when you remove all of the IPv6 config?

Same problem with or without IPv6.

I just noticed that when I disable IPv6 and only access via IPv4 it does
something weird.

When I visit https://domain2.com I get the same error (domain.com
certificate), and Chrome or whatever browser asks me if I want to continue, and
when I click to continue it redirects me to www.domain2.com (which is what I
want it to do, and it works with domain.com and domain2.com with IPv6). I'm not
sure why it first checks domain.com and then uses the domain2.com server block.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,277962,277978#msg-277978


Re: how do I run multiple https web sites on a single IP address

Francis Daly
On Wed, Jan 03, 2018 at 02:23:32PM -0500, Kurogane wrote:

Hi there,

> > Are you sure that a tool you're using to check supports SNI?
>
> What tool are you talking about? This error shows in the browser.

In this case, the tool is "the browser". Which browser, which version?

The aim here is to allow someone who is not you to see the problem that
you are seeing.

Often, it is useful to use a low-level tool which hides nothing. So,
for example, you might be able to test with

  openssl s_client -servername domain.com -connect 127.0.0.1:443

to see what certificate is returned; then repeat the test with
"domain2.com" and "www.domain2.com".

(You could also probably use something like

  curl -k -v --resolve domain.com:443:127.0.0.1 https://domain.com

to see the same information, along with the http request and response.)

> > Do you have four separate ssl certificate files, each of which is valid
> > for a single server name?
>
> > Or do you have one ssl certificate file which is valid for multiple
> > server names?
>
> I'm not sure what you mean, but I have two cert files. Each cert has a valid
> common name to use for non-www and www.

What does that mean, specifically?

If you do something like

  openssl x509 -noout -text < your-domain.com-cert

do you see

  Subject: CN=www.domain.com

and

  X509v3 Subject Alternative Name: DNS:domain.com

or do you see something else? Same question, for your-domain2.com-cert.



In your nginx config, what "ssl_certificate" lines do you have?

You did not show any inside the server{} blocks; perhaps you have them
inside the http{} block?

The aim here is to allow someone to create an nginx instance which
resembles yours, and which shows the problem, or which does not show
the problem.

The problem that you report should not be happening.

If someone else can re-create it, perhaps there is a bug in nginx (that
has not been reported previously) that can be fixed. If no-one else can
re-create it, perhaps there is something unusual about your configuration
and set-up.

Only you know what your configuration is.

If you provide enough information to allow someone else to get a similar
configuration, then maybe they will be able to see the cause of the
problem.

Can you show a complete, but minimum, configuration that still shows
the problem?

> server {
>     listen 443 ssl http2;
>     listen [::3]:443 ssl http2;
>     server_name domain2.com;
>     return 301 https://www.$server_name$request_uri;
> }
>
> This is the full config of this block.

Which ssl_certificate file do you want nginx to use when a request for
this server_name comes in?

How does nginx know that you want nginx to use that ssl_certificate?

> Same problem with or without IPv6.

Ok, that's good to know.

Your example config can now remove all of the IPv6 lines.

Perhaps it can also remove the "http2" parts, to make it even easier
for someone else to build a similar configuration.

> I just noticed that when I disable IPv6 and only access via IPv4 it does
> something weird.
>
> When I visit https://domain2.com I get the same error (domain.com
> certificate), and Chrome or whatever browser asks me if I want to continue, and
> when I click to continue it redirects me to www.domain2.com (which is what I
> want it to do, and it works with domain.com and domain2.com with IPv6). I'm not
> sure why it first checks domain.com and then uses the domain2.com server block.

That sounds to me like it is exactly the same as what happened when IPv6
was enabled.

Is it different?

If so, that is interesting information. Maybe there is some IPv4/IPv6
interaction involved.

Good luck with it,

        f
--
Francis Daly        [hidden email]

Re: how do I run multiple https web sites on a single IP address

sonpg
I have fixed the problem now; not sure it is the best way, but at least it is
working.

In the two https server blocks you need to put all the cert information
(ssl_certificate bla bla), in domain2.com and www.domain2.com.

I had only put the cert information in www.domain2.com, and domain2.com only
redirected, as in the example config I put in my initial thread.

I tried to simplify the config to use as few server blocks as possible, but it
seems I made it worse because of that.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,277962,278002#msg-278002
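
The fix described in the last post, written out as an added example (not part of the thread and not the poster's actual config): both HTTPS server blocks for domain2 carry the certificate directives. The certificate paths are placeholders, `[::3]` is the thread's abbreviated address, and one certificate valid for both names is assumed, as the poster describes.

```nginx
# Added example; certificate paths are placeholders, not from the thread.
# Assumes a single certificate valid for domain2.com and www.domain2.com.

# Redirect-only block. It still terminates TLS for the name "domain2.com",
# so it needs certificate directives of its own. Without them, a request
# for https://domain2.com on the shared IPv4 address was answered with the
# domain.com certificate (the NET::ERR_CERT_COMMON_NAME_INVALID case above).
server {
    listen 443 ssl http2;
    listen [::3]:443 ssl http2;
    server_name domain2.com;

    ssl_certificate     /path/to/domain2.com.crt;   # placeholder path
    ssl_certificate_key /path/to/domain2.com.key;   # placeholder path

    # The 301 is only sent after the TLS handshake has completed, so the
    # browser validates this block's certificate before it sees the redirect.
    return 301 https://www.$server_name$request_uri;
}

# Site block, as in the original post, with the same certificate pair.
server {
    listen 443 ssl http2;
    listen [::3]:443 default_server ssl http2;
    server_name www.domain2.com;

    ssl_certificate     /path/to/domain2.com.crt;   # placeholder path
    ssl_certificate_key /path/to/domain2.com.key;   # placeholder path
}
```

Repeating the `openssl s_client -servername domain2.com -connect 127.0.0.1:443` check suggested earlier in the thread shows which certificate is returned for each name after the change.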
