How To Set Up SSL Vhosts Under Nginx + SNI Support (Ubuntu 11.04/Debian Squeeze) - Page 3

Want to support HowtoForge? Become a subscriber!
 
Submitted by falko (Contact Author) (Forums) on Sun, 2011-09-11 19:33. ::

8 Configure Firefox To Trust CAcert.org (Optional)

If you use a CAcert.org certificate, your browser most likely doesn't trust this certificate and will show a warning. This chapter explains how you can import the CAcert.org root certificate into Firefox so that it won't show this warning anymore (please read http://wiki.cacert.org/BrowserClients for other browsers like MSIE, Safari or Opera).

Please note that if you run an e-commerce web site, you should better buy a certificate from a trusted CA because you can't ask all your visitors to reconfigure their browsers.

Please visit http://www.cacert.org/index.php?id=3 and click on the Root Certificate (PEM Format) link (http://www.cacert.org/certs/root.crt):

The Downloading Certificate dialogue opens. Click on View to examine the certificate:

Please make sure that the fingerprints are as follows:

SHA1 Fingerprint: 135C EC36 F49C B8E9 3B1A B270 CD80 8846 76CE 8F33
MD5 Fingerprint: A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20:31:46:1F:6B

Click on Close afterwards:

Next check Trust this CA to identify web sites. and click on OK:

Now go to Tools > Options...

... and then to Advanced > Encryption. Click on Revocation Lists:

The Manage CRLs window opens. Click on Import...:

Fill in the following URL and click on OK: http://crl.cacert.org/revoke.crl

After a few moments you should see the following message. Click on Yes to enable automatic updates:

Check Enable Automatic Update for this CRL and click on OK:

That's it. You should now be able to go to your SSL vhost without getting a browser warning:

 

9 Running Multiple SSL Vhosts On One IP Address With SNI (Server Name Indication)

Please note that currently SNI is not supported by all browsers/operating systems:

Browsers/clients with support for TLS server name indication:

  • Opera 8.0 and later (the TLS 1.1 protocol must be enabled)
  • Internet Explorer 7 or later (under Windows Vista and later only, not under Windows XP)
  • Firefox 2.0 or later
  • Curl 7.18.1 or later (when compiled against an SSL/TLS toolkit with SNI support)
  • Chrome 6.0 or later (on all platforms - releases up to 5.0 only on specific OS versions)
  • Safari 3.0 or later (under OS X 10.5.6 or later and under Windows Vista and later)

To find out if your browser supports SNI, you can go to https://alice.sni.velox.ch/.

If your nginx supports SNI, you don't need any special configuration to use it - you just configure a second, third, ... SSL vhost on the same IP as shown in chapter 5.

To find out if your nginx supports SNI, run:

nginx -V

If it does, you will see the line TLS SNI support enabled in the output:

root@server1:~# nginx -V
nginx version: nginx/0.8.54
TLS SNI support enabled
configure arguments: --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-log-path=/var/log/nginx/access.log --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --lock-path=/var/lock/nginx.lock --pid-path=/var/run/nginx.pid --with-debug --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_realip_module --with-http_stub_status_module --with-http_ssl_module --with-http_sub_module --with-http_xslt_module --with-ipv6 --with-sha1=/usr/include/openssl --with-md5=/usr/include/openssl --with-mail --with-mail_ssl_module --add-module=/build/buildd/nginx-0.8.54/debian/modules/nginx-upstream-fair
root@server1:~#

I can now simply create another SSL host (this time for www.hostmauritius.net) as follows:

vi /etc/nginx/sites-available/www.hostmauritius.net.vhost

If you use nginx >= 0.8.21:

server {
        listen   80; ## listen for ipv4
        listen   [::]:80; ## listen for ipv6
        listen   443 ssl;
        listen   [::]:443 ssl;
        ssl_certificate /etc/ssl/certs/www.hostmauritius.net.pem;
        ssl_certificate_key /etc/ssl/private/www.hostmauritius.net.key;
        server_name  www.hostmauritius.net hostmauritius.net;
        root /var/www/www.hostmauritius.net/web;
        if ($http_host != "www.hostmauritius.net") {
                 rewrite ^ $scheme://www.hostmauritius.net$request_uri permanent;
        }
        location / {
                index  index.php index.html index.htm;
        }
        location ~ \.php$ {
                fastcgi_pass   127.0.0.1:9000;
                fastcgi_index  index.php;
                fastcgi_param  SCRIPT_FILENAME  /var/www$fastcgi_script_name;
                include         fastcgi_params;
        }
        location ~ /\. {
                deny  all;
        }
}

If you use nginx < 0.8.21:

server {
        listen   80; ## listen for ipv4
        listen   [::]:80; ## listen for ipv6
        listen   443;
        listen   [::]:443;
        ssl_certificate /etc/ssl/certs/www.hostmauritius.net.pem;
        ssl_certificate_key /etc/ssl/private/www.hostmauritius.net.key;
        server_name  www.hostmauritius.net hostmauritius.net;
        root /var/www/www.hostmauritius.net/web;
        if ($http_host != "www.hostmauritius.net") {
                 rewrite ^ $scheme://www.hostmauritius.net$request_uri permanent;
        }
        location / {
                index  index.php index.html index.htm;
        }
        location ~ \.php$ {
                fastcgi_pass   127.0.0.1:9000;
                fastcgi_index  index.php;
                fastcgi_param  SCRIPT_FILENAME  /var/www$fastcgi_script_name;
                include         fastcgi_params;
        }
        location ~ /\. {
                deny  all;
        }
}

(Make sure that you create the certificate and the private key as shown in chapters 4, 6, and 7. You might also have to append a chain file or intermediate certificate to the certificate for this vhost, as described in chapter 7.1. Also, if this is a new vhost, make sure its document root exists.)

If this is a new vhost, you must create a link to it from the /etc/nginx/sites-enabled/ directory to enable it:

cd /etc/nginx/sites-enabled/
ln -s /etc/nginx/sites-available/www.hostmauritius.net.vhost www.hostmauritius.net.vhost

Reload nginx afterwards:

/etc/init.d/nginx reload

If all goes well, you can now go to all your SSL sites which run on the same IP without getting a browser warning.

 

10 Links

 

About The Author

Falko Timme is the owner of Boost Your Site mit Timme Hosting - ultra-schnelles nginx-WebhostingTimme Hosting (ultra-fast nginx web hosting). He is the lead maintainer of HowtoForge (since 2005) and one of the core developers of ISPConfig (since 2000). He has also contributed to the O'Reilly book "Linux System Administration".

up

Copyright © 2011 Falko Timme
All Rights Reserved.
add comment | view as pdf view as pdf | print: this | all page(s)
Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.