Lighttpd
mihavxc, 2013-01-13 11:25:19

Lighttpd, ssl and multiple domains?

Please help me solve one problem.

There is a web server running lighttpd and several sites that are spinning on it (only one ip).
There was a task to make https only for one of these domains (domain1.com).

I used the free certificate from StartSSL and everything works great. But if you go via https to any of the other domains, you get the error ssl_error_unrecognized_name_alert, and in the logs:

2013-01-13 12:11:29: (network.c.96) SSL: null SSL_CTX for TLS server name domain2.ru
2013-01-13 12:11:29: (connections.c.299) SSL: 1 error:1408A0E2:SSL routines:SSL3_GET_CLIENT_HELLO:clienthello tlsext


How can I enable SSL for only one domain without affecting other domains?
In the lighttpd config I specify:
$SERVER["socket"] == "domain1.ru:443" {
    ssl.engine = "enable"
    ssl.ca-file = "/etc/lighttpd/ssl.cert/ca-certs.crt"
    ssl.pemfile = "/etc/lighttpd/ssl.cert/domain1.pem"
    server.document-root = "/var/www/domain1.ru/htdocs"
    server.name = "domain1.ru"
}

3 answer(s)
lubezniy, 2013-01-13

Alas, no way. First, an IP connection is established and certificates are exchanged, and only then a request with the Host field is transmitted.

la0, 2013-01-13

See, there is such a thing as SNI (Server Name Indication), supported by all modern operating systems (it depends on the browser, but not much). WinXP is out of luck.
If it is not supported, the behaviour is unpredictable (e.g. nginx presents the second key pair to establish the tunnel, even if there are more than two).

VBart, 2013-01-14

The answer is not to access the other domains via HTTPS. The error will occur regardless of whether SNI is used or not if you do not have a certificate for the requested domain.
The best thing you can do is redirect users to http once they have agreed to accept the wrong certificate. I don't know how to do this in lighttpd. In nginx it is easy. Details: nginx.org/en/docs/http/configuring_https_servers.html
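A lighttpd configuration, added here as an example (it was not posted by the asker or by any of the answerers), that puts the question's setup and VBart's suggestion together: domain1.ru is served over https with its own certificate, and every other name arriving on the same 443 socket is handed a default certificate, so the handshake completes instead of aborting with unrecognized_name, and is then redirected to plain http on its own host. The "TLS server name" log line in the question shows the running build already evaluates SNI in the handshake; beyond that the example assumes mod_redirect is available, that the single IP is bound as ":443", and the certificate paths from the question. The negative-lookahead host regex is this example's own choice, not something from the thread.

```lighttpd
# Added example, not from the question or any answer in the thread.
# Assumptions: lighttpd build with an active SNI callback, mod_redirect
# available, one IP bound on :443, certificate paths as in the question.
server.modules += ( "mod_redirect" )

$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    ssl.ca-file = "/etc/lighttpd/ssl.cert/ca-certs.crt"

    # Default certificate for this socket. It is presented to clients that
    # send no SNI name and to any name without its own block below, so the
    # SNI callback no longer ends up with a null SSL_CTX for domain2.ru.
    # Those clients get a name-mismatch warning instead of a hard failure.
    ssl.pemfile = "/etc/lighttpd/ssl.cert/domain1.pem"

    # The one name that is actually meant to be served over https.
    $HTTP["host"] == "domain1.ru" {
        server.document-root = "/var/www/domain1.ru/htdocs"
        server.name = "domain1.ru"
    }

    # Every other name on the 443 socket: once the client has accepted the
    # mismatched certificate, send it back to http on the host it asked for.
    # %1 is the first capture of the enclosing conditional (the host), $1 is
    # the capture of the redirect pattern (the request path).
    $HTTP["host"] =~ "^(?!domain1[.]ru$)(.+)$" {
        url.redirect = ( "^/(.*)" => "http://%1/$1" )
    }
}
```

To check what each name is actually offered, connect with openssl s_client -connect <ip>:443 -servername domain2.ru and read the subject of the certificate in the output; with the configuration above it is domain1.ru's certificate for every name, which is exactly the warning VBart's answer describes, while without the socket-level ssl.pemfile the handshake fails before any certificate is sent. If certificates for the other domains are obtained later, an $HTTP["host"] block with its own ssl.pemfile for each name removes the warning and the redirect block can be dropped.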
