nginx proxy based on host when using https

Backend  Unresolved  3  910
星月不相逢 2021-01-30 09:31

I need to use Nginx as an SSL proxy, which forwards traffic to different back ends depending on the subdomain.

I have seen everywhere that I should define multiple "ser

3 answers
  • 2021-01-30 10:06

    The short answer is to use Server Name Indication. This should work by default in common browsers and cURL.

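To see what the SNI behaviour mentioned above actually does against a running server, here is an added example (mine, not part of the answer): a small Python 3 probe that completes a TLS handshake with a chosen SNI name, or deliberately with none, and reports which names the returned certificate carries. The host, port and CA file are assumptions; nginx selects the certificate by the SNI name the client sends and falls back to the default server when the client sends none, which is exactly what an old Java client did.

```python
"""Probe which certificate a TLS server hands out for a given SNI name.

Added example, not from the original answer. HOST/PORT and the CA file are
placeholders; point them at your own nginx instance.
"""
import socket
import ssl
from typing import Optional


def names_in(cert: dict) -> list:
    """Return the subject CN plus every DNS SAN of a certificate, in the dict
    form that ssl.SSLSocket.getpeercert() produces, de-duplicated in order."""
    names = []
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.append(value)
    return list(dict.fromkeys(names))


def covers(pattern: str, host: str) -> bool:
    """RFC 6125-style match: a single leftmost '*' label matches exactly one
    label, so *.mysite.com covers two.mysite.com but not mysite.com or
    a.b.mysite.com."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                      # ".mysite.com"
    if not host.endswith(suffix):
        return False
    left = host[: -len(suffix)]
    return bool(left) and "." not in left


def probe(host: str, port: int, server_name: Optional[str],
          cafile: Optional[str] = None, timeout: float = 5.0) -> dict:
    """Handshake with `server_name` in the SNI extension (None = send no SNI)
    and report the certificate names and whether they cover the name asked for.

    Chain verification stays on (CERT_REQUIRED) because getpeercert() only
    returns the parsed dict for a verified certificate; pass cafile for a
    private CA. Host-name checking is switched off on purpose so a mismatch
    is reported instead of aborting the handshake.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            cert = tls.getpeercert()
            version = tls.version()
    names = names_in(cert)
    wanted = server_name or host
    return {
        "sni": server_name,
        "tls": version,
        "names": names,
        "matches": any(covers(n, wanted) for n in names),
    }


if __name__ == "__main__":
    import sys
    HOST = sys.argv[1] if len(sys.argv) > 1 else "one.mysite.com"  # placeholder
    PORT = 443
    # Once with SNI, once without: the second call shows what a non-SNI
    # client (old Java, some scanners) gets, i.e. the default server's cert.
    for sni in (HOST, None):
        print(probe(HOST, PORT, sni))
```

Run it as `python3 probe.py one.mysite.com`, then again with `two.mysite.com`. If the no-SNI call returns the same names as the SNI call, either every server block shares one wildcard certificate or the default server holds that certificate; if it returns something else, that is what non-SNI clients will see and trip over.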
  • 2021-01-30 10:23

    I found the solution which is basically to define the SSL options and the SSL certificate outside the "server" block:

    # Shared TLS settings in the http context, inherited by every server block below
    ssl_certificate ssl/mysite.com.crt;
    ssl_certificate_key ssl/mysite.com.key;
    ssl_session_timeout  5m;
    # The answerer's original choices: SSLv3 and the RC4 suites are obsolete today
    ssl_protocols        SSLv3 TLSv1;
    ssl_ciphers          ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+EXP;
    ssl_prefer_server_ciphers   on;
    
    # Plain-HTTP catch-all: redirect every *.mysite.com request to https
    server {
        listen 80;
        server_name *.mysite.com;
        rewrite ^ https://$host$request_uri? permanent;
    }
    # One https server per subdomain, each forwarding to its own backend
    server {
        listen 443 ssl;
        server_name one.mysite.com;
    
        ssl on;
    
        location / {
            proxy_pass http://localhost:8080;
        }
    }
    server {
        listen 443 ssl;
        server_name two.mysite.com;
    
        ssl on;
    
        location / {
            proxy_pass http://localhost:8090;
        }
    }
    

    Key things:

    • "ssl on;" is the only thing that needs to be within the "server" blocks that listen on https. You can put it outside too, but that will make the "server" blocks that listen on port 80 use the https protocol and not the expected http.
    • Because "ssl_certificate", "ssl_ciphers" and the other "ssl_*" directives are outside the "server" block, Nginx does the SSL offloading without a server_name, which is what it should do, as the SSL decryption cannot happen based on any host name: at this stage the URL is encrypted.
    • Java and curl don't fail to work now. There is no server_name/host mismatch.
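The layout above still works, but as an added example (mine, not the answer's) here is the same two-backend setup written with current nginx directives: TLS 1.2/1.3 only, a certificate per server block (nginx picks it by the SNI name the client sends, so a single shared certificate is not required), no "ssl on;" (deprecated since nginx 1.15.0 in favour of "listen ... ssl"), the forwarding headers the backends need, and a default server that refuses the handshake for unknown or missing SNI names instead of serving one of the real certificates. Paths, ports and host names are placeholders.

```nginx
# Added example, not the answer's configuration. File paths, host names and
# backend ports are placeholders.

# http-level TLS policy, inherited by every server block below.
# SSLv3 and TLSv1 from the answer above are obsolete; current clients
# negotiate TLS 1.2 or 1.3.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;   # let TLS 1.2 clients choose among the AEAD suites
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;

# Plain HTTP: redirect only. No ssl_* directives and no "ssl on;" here,
# so port 80 stays plain http.
server {
    listen 80;
    server_name .mysite.com;          # mysite.com and every subdomain
    return 301 https://$host$request_uri;
}

# default_server catches a TLS client whose SNI name matches no server_name
# and a client that sends no SNI at all. ssl_reject_handshake (nginx 1.19.4+)
# ends the handshake with unrecognized_name instead of handing out
# one.mysite.com's certificate to whoever asks.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;
}

server {
    listen 443 ssl;
    server_name one.mysite.com;
    ssl_certificate     /etc/nginx/ssl/one.mysite.com.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/ssl/one.mysite.com.key;
    add_header Strict-Transport-Security "max-age=63072000" always;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

server {
    listen 443 ssl;
    server_name two.mysite.com;
    ssl_certificate     /etc/nginx/ssl/two.mysite.com.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/ssl/two.mysite.com.key;
    add_header Strict-Transport-Security "max-age=63072000" always;

    location / {
        proxy_pass http://127.0.0.1:8090;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Two things to watch: ssl_reject_handshake needs nginx 1.19.4 or later, so on an older build give the default server its own self-signed certificate instead, which still keeps a non-SNI client from silently receiving one.mysite.com's certificate; and if you do want to keep one wildcard certificate for all subdomains, the answer's http-level ssl_certificate is fine, but the server_name blocks are still what route each SNI name / Host header to its backend. Run `nginx -t` before reloading.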
  • 2021-01-30 10:31

    According to http://www.informit.com/articles/article.aspx?p=1994795, you should indeed have two "server" sections, with two different server names. In each one, you should include your ssl_* directives.
