nginx - set multiple server_name with ssl-support

PascalTurbo picture PascalTurbo · Jan 21, 2013 · Viewed 90.2k times · Source

I'd love to use nginx to serve a website with multiple domain names and SSL:

  • webmail.example.com
  • webmail.beispiel.de

Both use the same vhost so I only set the server_name twice. Problem is, that I need nginx to serve the correct ssl certificate for each domain name.

Is this possible with one vhost or do I need to set up two vhosts?

Answer

e2-e4 picture e2-e4 · Jan 21, 2013

Edit November 2014: the initial answer is not correct and is incomplete ; it needed a refresh! here it is.

Basically, there are two cases

- You own a wildcard certificate (or multi-domains certificate)

In this case, you may use several vhosts listening to the same IP address/https port, and both vhosts use the same certificate (listening on all interfaces), e.g.

server {
  listen 443;
  server_name webmail.example.com;
  root /var/www/html/docs/sslexampledata;

  ssl on;
  ssl_certificate /var/www/ssl/samecertif.crt;
  ssl_certificate_key /var/www/ssl/samecertif.key;
  ...
}


server {
  listen 443;
  server_name webmail.beispiel.de;
  root /var/www/html/docs/sslbeispieldata;

  ssl on;
  ssl_certificate /var/www/ssl/samecertif.crt;
  ssl_certificate_key /var/www/ssl/samecertif.key;
  ...
}

or in you specific case, having both domains served by the same data

server {
  listen 443;
  server_name webmail.example.com webmail.beispiel.de; # <== 2 domains
  root /var/www/html/docs/sslbeispieldata;

  ssl on;
  ssl_certificate /var/www/ssl/samecertif.crt;
  ssl_certificate_key /var/www/ssl/samecertif.key;
  ...
}



- You have two(+) different certificates

The case above (one IP for all certificates) will still work with modern browsers via Server Name Indication. SNI has the client (browser) send the host it wants to reach in the request header, allowing the server (nginx) to deal with vhosts before having to deal with the certificate. The configuration is the same as above, except that each vhost has a specific certificate, crt and key.

(nginx support SNI from 0.9.8f, check your nginx server is SNI compliant)
(also, SF talks about SNI and browser support)

Otherwise, if you want to reach older browsers as well, you need several vhosts listening each to a different IP addresses/https ports, e.g.

server {
  listen 1.2.3.4:443; # <== IP 1.2.3.4
  server_name webmail.example.com;
  root /var/www/html/docs/sslexampledata;

  ssl on;
  ssl_certificate /var/www/ssl/certifIP1example.crt;
  ssl_certificate_key /var/www/ssl/certifIP1example.key;
  ...
}


server {
  listen 101.102.103:443; <== different IP
  server_name webmail.beispiel.de;
  root /var/www/html/docs/sslbeispieldata;

  ssl on;
  ssl_certificate /var/www/ssl/certifIP2beispiel.crt;
  ssl_certificate_key /var/www/ssl/certifIP2beispiel.key;
  ...
}

The reason is well explained here.