assigning different SSL cert -- per ingress/listener IP?

assigning different SSL cert -- per ingress/listener IP?

vergil
I have a single Nginx server configured to listen on two IPs on my VPS host
-- an external/public IP (X.X.X.55) and an internal/LAN IP (10.10.10.55).

Atm, it's a *single* "server_name" (host.example.com) for both IPs ...
handled by a split-horizon DNS that returns the IP address for that hostname
depending on the query origin -- public net, or internal LAN.

It works as expected.

I'd _like_ to set up different SSL cert/key/CA handshake configs to be used
-- depending on the ingress IP.

Specifically,

for ingress via internal/LAN IP (10.10.10.55), I want to use an internally
generated, self-signed cert -- from my own/local CA -- with ssl verify ON,

and

for ingress via external/public IP (X.X.X.55), I want to use a
LetsEncrypt-generated public cert, with ssl verify OFF.

Is this^ possible with Nginx config?  Any examples?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,287957,287957#msg-287957

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx

Re: assigning different SSL cert -- per ingress/listener IP?

J.R.
> I'd _like_ to set up different SSL cert/key/CA handshake configs to be used
> -- depending on the ingress IP.

You can specify an IP with the listen directive:

http://nginx.org/en/docs/http/ngx_http_core_module.html#listen

So you would end up with two similar copies of each 'server'... The
only difference in directives being listen and the ssl certs...
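
The two-listener layout from the reply above, written out as an added example that is not part of the original thread. It assumes "ssl verify ON" means client-certificate verification against the local CA; 203.0.113.55 stands in for the redacted public IP X.X.X.55, and all file paths and the shared include file are hypothetical.

```nginx
# Added example, not from the thread. Addresses, paths and the include
# file are placeholders/assumptions; adjust to the real host.

# --- Public listener (203.0.113.55 stands in for X.X.X.55) ---
server {
    listen 203.0.113.55:443 ssl;
    server_name host.example.com;

    # Publicly trusted Let's Encrypt certificate
    # (paths follow certbot's usual layout; assumed here).
    ssl_certificate     /etc/letsencrypt/live/host.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/host.example.com/privkey.pem;

    # Do not request a client certificate on the public side.
    # "off" is nginx's default; stated explicitly for contrast.
    ssl_verify_client off;

    # Hypothetical file holding the location blocks both servers share,
    # so the two copies differ only in listen and ssl_* directives.
    include /etc/nginx/snippets/host-common.conf;
}

# --- Internal/LAN listener ---
server {
    listen 10.10.10.55:443 ssl;
    server_name host.example.com;

    # Server certificate issued by the local CA (hypothetical paths).
    ssl_certificate     /etc/nginx/ssl/internal/host.example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/internal/host.example.com.key;

    # Require clients to present a certificate that chains to the
    # local CA; the handshake result is rejected with 400 otherwise.
    ssl_client_certificate /etc/nginx/ssl/internal/local-ca.crt;
    ssl_verify_client on;
    ssl_verify_depth 2;

    include /etc/nginx/snippets/host-common.conf;
}
```

nginx matches a connection to the `listen` address and port first and only then compares `server_name`, so the same hostname in both blocks does not conflict. Run `nginx -t` before reloading to confirm both certificate/key pairs load.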