Saturday, August 13, 2011

Setup and Tuning SSL ( https ) in Nginx ?


When a client browser asks for your server it should request the hostname you registered your SSL certificate for. In our example, we registered www.example.com and example.com. If a remote client asks for anything other than these it should not be allowed to get to our site. The first reason is that if the client did not ask for our site by name then the SSL certificate is going to be invalid. The second reason is security: if you are not asking for our site then you should not be able to get to our site.
A “default blank SSL server” is the catch all for any client not specifically asking for our site by name.
In order to allow multiple SSL certificates to be served from a single IP address we need to use virtual hosting with Server Name Indication. This means that your nginx build must report that it is supporting TLS with SNI like this:
user@machine$  nginx -V
nginx version: nginx/0.8.45
TLS SNI support enabled
If your server supports SNI you are good to go. If not, you will probably need to upgrade your version of Nginx or possibly get a newer version of OpenSSL. The example above used Nginx v0.8.45 and OpenSSL v1.0.0a. Now you can set up a second server block in nginx.conf.
The following code from our “SSL only webserver” example above will tell Nginx to serve out the blank, self-signed SSL certificate for any clients not using the hostname www.example.com or example.com. This includes any scanners looking at the IP address of the server or any bad clients using false “Host:” headers.
## https .:. default blank SSL server
  server {
      listen              127.0.0.1:443 default;
      server_name         _;
      ssl                 on;
      ssl_certificate     ssl_keys/default_blank.crt;
      ssl_certificate_key ssl_keys/default_blank.key;
      return              403;
  }
We need to generate the certificate “crt” and public “key” files for Nginx. The following commands will make a self-signed certificate and key file without a pass phrase. The SSL cert is blank and will not give any information to anyone looking at it.
First we need to make a new key. This will be a 4096 bit key signed using AES at 256 bits. Put in any pass phrase you want because we are going to remove it in the next step.
# openssl genrsa -aes256 4096 > default_blank.key
Next, this is a dummy key we really do not care about so this command will remove the pass phrase.
# openssl rsa -in default_blank.key -out default_blank.key
Third, create a certificate signing request. The only question you need to answer is the first one, for Country. Put any two (2) letters in, like “US”, and hit enter for the rest. Make sure to keep the “hostname” entry blank too.
# openssl req -new -key default_blank.key -out default_blank.csr
Fourth, self-sign your own certificate.
# openssl x509 -req -days 1460 -in default_blank.csr -signkey default_blank.key -out default_blank.crt
Finally, copy the default_blank.crt and default_blank.key into your “ssl keys” directory so Nginx can find them.
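The same procedure without prompts, followed by checks that the result really is blank and loadable, as an added example that is not part of the original post. The file names and -days 1460 come from the commands above; the function names, the "/C=US" subject and the optional key-size argument are assumptions of this example, and it generates the key without a pass phrase instead of adding and then removing one.

```sh
#!/bin/sh
# Added example: non-interactive build and check of the blank default certificate.
# Function names are this example's own; "/C=US" mirrors the advice to answer
# only the Country question and leave the hostname empty.

make_blank_cert() {   # usage: make_blank_cert DIR [BITS]
    dir=$1; bits=${2:-4096}
    mkdir -p "$dir" || return 1
    # genrsa without a cipher writes an unencrypted key, so there is no pass phrase to strip.
    ( umask 077; openssl genrsa -out "$dir/default_blank.key" "$bits" 2>/dev/null ) || return 1
    # -subj answers the prompts up front: Country only, no hostname (CN).
    openssl req -new -key "$dir/default_blank.key" -subj "/C=US" \
        -out "$dir/default_blank.csr" || return 1
    openssl x509 -req -days 1460 -in "$dir/default_blank.csr" \
        -signkey "$dir/default_blank.key" -out "$dir/default_blank.crt" 2>/dev/null || return 1
    rm -f "$dir/default_blank.csr"
}

cert_subject() {      # prints the subject DN in RFC 2253 form, e.g. "C=US"
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *//'
}

check_blank_cert() {  # usage: check_blank_cert DIR; returns 0 only if every check passes
    key=$1/default_blank.key; crt=$1/default_blank.crt; rc=0
    # 1. The subject must carry nothing but the country code.
    [ "$(cert_subject "$crt")" = "C=US" ] || { echo "FAIL: subject leaks names"; rc=1; }
    # 2. No subjectAltName extension listing hostnames.
    if openssl x509 -noout -text -in "$crt" | grep -q 'Subject Alternative Name'; then
        echo "FAIL: certificate has a SAN"; rc=1
    fi
    # 3. The key must be unencrypted, or nginx asks for a pass phrase at startup.
    if grep -q ENCRYPTED "$key"; then echo "FAIL: key is encrypted"; rc=1; fi
    # 4. The certificate must contain the public half of this key.
    [ "$(openssl x509 -noout -pubkey -in "$crt")" = \
      "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] || { echo "FAIL: key/cert mismatch"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: blank certificate is usable as the nginx default"
    return "$rc"
}

# Run as: sh blank_cert.sh /path/to/ssl_keys   (the script name is arbitrary)
if [ -n "${1:-}" ]; then make_blank_cert "$1" && check_blank_cert "$1"; fi
```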

Testing the setup


How can I time the latency of multiple TCP and SSL handshakes ?


How can I best optimize Nginx for HTTPS connections ?


Setting up SSL session cache


How many ssl clients and how fast can we encrypt data?


SSL optimization conclusions
Can Nginx support many HTTPS domains on a single ip address ?
When using SSL, where does Nginx get its entropy ?
Is Nginx susceptible to the Slowloris DoS attack like Apache ?
How do I setup log rotation for Nginx logs on OpenBSD?
In what circumstances would Nginx take advantage of multiple CPUs or cores?
From my experience nginx needs more CPUs in 3 cases:
  • nginx does a lot of gzip’ing

  • nginx handles many SSL connections

  • the kernel processes a lot of TCP connections of around 3,000 requests/s.
