It's not just for multiple subdomains like sub1.example.com and sub2.exmaple.com. You can have any unrelated domains you want on the cert.
You don't need multiple IPs and you don't even need SNI with its legacy client compatibility problems (now mostly well past). Just get a certificate that covers all the domains you use.
There's no reason at all to suffer with the setup and security and resource problems of SNI or multiple IPs outside extreme scenarios.
Determined people would be still able to find it out, more or less, despite not having it handy in their web browser under the field for the certificate's Subject Alternative Name. However, there is nothing stopping you from issuing separate certificates for each domain (possibly with subdomains) and configuring your webserver appropriately with SNI.
I have been using precisely Nginx to serve multiple HTTPS domains with certificates from Let's Encrypt since the first few weeks after it came out, so I am not sure why OP thinks it's strictly necessary to assign them separate IP addresses. Generally speaking, there is nothing wrong with that, and it is indeed a somewhat cleaner solution, if it wasn't for the IPv4 examples, oh my...
"Who still use Windows XP?" I hear you ask?
Just under 10% of all users[1]. Enough to make SNI problematic. In a few years time, we'll be OK, but not right now.
[1] https://www.netmarketshare.com/operating-system-market-share...
If you are still using XP it's probably because you have to, and do not have the knowledge to switch to something better. Ergo, it's highly possible that you are still using IE on XP as well, as you don't know any different, or cannot change it due to restrictions, or policy.
It's an accessibility thing. If I designed a new web system that blocked off 10% of the populous, for whatever reason (deaf,blind, not able bodied), then people would call me out on it.
In the main, it's unlikely that anyone still using XP is doing so because they want to. Not everyone is privileged enough to have access to modern equipment.
Running an outdated, decommissioned operating system is something that can be changed. You have no obligation, moral or otherwise, to support Windows 3.1, OS2/Warp, WAP browsers, Gopher clients, or IE5 running on Mac OS 9.
You can still choose to support outdated clients, because it makes financial sense for your organisation - and many places to just that - just as a corporation running outdated software may choose not to update because that's what makes financial sense for them.
Equating support for an accessible service with support for outdated browsers is a non-starter.
And there you go. If you can't be bothered to not use an ancient operating system, that's just too bad. I don't care about people running DOS either.
Luckily it is a lot easier to switch to a modern operating system than to replace nonfunctional parts of the human body.
This is what I do as well, so I became pretty confused when reading the article. I've had no problems running my personal sites (side projects, really) from one NGINX server using different Let's Encrypt certificates for each one.
I used to be a huge fan of nginx and I haven't touched it in a year now. I don't miss it, Caddy is fantastic and handles the Let's Encrypt stuff for me.
When you have to do this: https://gist.github.com/Jamesits/2a1e2677ddba31fae62d022ef8a...
That means your webserver is not going to receive updates until you re-do this manually each time, which is dangerous and not at all something you should be using proffessionally.
For loadbalancers I mainly care about performance and not usability of the configuration language.
Do you want people to know that your server for www.donaldtrumpisgreat.com/www.hillaryclintonisgreat.com is also serving your company's homepage?
Horrible idea depending on your use case. If you are single-tenant, this might work out well for you.
If you are multi-tenant then the information leak is pretty nuts, and not something I can see any of my customers being alright with. That and the whole idea of giving the public access to my customer list is pretty silly to me.
Additionally in many environments the end-user can potentially access the private key on the server (think managed services environments) which is an obvious security hole. You'd think people would realize this, but in my experience they do not. In such cases you just let the private key walk out the door for every domain ever configured for that SSL certificate.
/var/www/html/main-domain | https://mainsite.com
/var/www/html/main-domain/domain2 | https://somesite.com
/var/www/html/main-domain/domain3 | https://somesite2.com
My question I could just easily try it, I'm not sure if it's related to what you mentioned where if you switch domains while logged into one if you'll lose session. I don't expect it to work. I just don't know what happens if people figured out "hey this ip is hosting multiple sites" and could figure out how to traverse each subfolder-site.
This quesiton is related to information leak. I handle the domain mapping with virtualhosts. I also realized when you switch from say non-www to www (I saw you should stick with one) but when you do that you'll lose the session value so I imagine I'm safe.
I made this for exactly this usage: https://github.com/fenollp/nginx_ssl_compose
Just create a folder in ~/www for each host.
It's been working great for around a year. Only interruption was due to docker destroying my containers during the upgrade of docker-engine. Great software guys...
"Can I get a certificate for multiple domain names (SAN certificates or UCC certificates)?
Yes, the same certificate can contain several different names using the Subject Alternative Name (SAN) mechanism.
Source:
https://letsencrypt.org/docs/faq/
https://forums.aws.amazon.com/message.jspa?messageID=520926
What you need to do is enable the proxy protocol on the ELB and then point to NGINX.
http://docs.aws.amazon.com/elasticloadbalancing/latest/class...
You need to also enable the proxy_protocol in nginx.
server {
listen 443 ssl proxy_protocol;
...
}
As a user who really dislikes SNI, I would like to see someone write more about these problems.
The security of TLS has come a long long way since XP and so has research into breaking XP-era ciphers.
https://social.technet.microsoft.com/wiki/contents/articles/...
Figuring out how people are going to get upgraded when problems of some sort are discovered (including software vulnerabilities, not just cryptographic protocol issues) is a major security challenge of our day, maybe the biggest information security problem overall in the world.
The day i swapped over to IP-based connections, the problem resolved itself immediately. If there is something i am missing i would love to know what it is.
Check out the IMHO best TLS SNI test website out there (https://sni.velox.ch/) and the Qualys SSL Labs server test (https://www.ssllabs.com/ssltest/). They may give you a staring point to find out what exactly went wrong with SNI. And the documentation of Nginx, of course.
In particular, I'm curious if this is a misconfiguration on the server end, or a misconfiguration on the client end. Certain VPNs or malware can break SNI.
Another option, if you don't need encryption, is to allow http.
That and a surprising number of "regular" clients still seem to have issues with SNI. My numbers are quite dated, but even as recent as 3 years ago it was something like dropping 10% of traffic for a high traffic site I did A/B testing with. I'm guessing the number was even higher, but the client requested we immediately stop the test once it became apparent it was a major reachability issue affecting revenue.
This article is a bit of an unusual response to a problem of a device not working. When a device of mine doesn't work but others do I put it down to there being a problem with my device, not a widely used technology (like SNI).
It's an interesting article to read though.
Yes you can, unless you want to support very old browsers [0] which would defeat the whole purpose of using SSL/TLS in the first place.
Maybe have a look at Mozilla Security/Server Side TLS [1]
Also SSL certs are issued for FQDN, not IP addresses (unless the IP is public and owned but still it is considered deprecated now [2]).
[0]: https://blogs.msdn.microsoft.com/ieinternals/2009/12/07/unde...
[1]: https://wiki.mozilla.org/Security/Server_Side_TLS
[2]: https://www.digicert.com/internal-names.htm
You must feel very smart to be able to support old Android browsers like Gingerbread which represent 1% of the Android market share [0], and iOS pre v4.0 browsers which represent less than 0,1% of the iOS market share [1].
Now according to TLS/SSL support history of web browsers [2] your server is vulnerable to BEAST, POODLE, CRIME, etc.
Congrats your SSL cert is useless.
[0]: https://developer.android.com/about/dashboards/index.html
[1]: https://david-smith.org/iosversionstats/
[2]: https://en.wikipedia.org/wiki/Template:TLS/SSL_support_histo...
As i stated in the article, and on this HN comment page, my issues were not with antiquated browsers. Safari on my iPhone 7 was failing to connect to sites other browsers were handling fine. I went down this rabbit hole of IP-based differentiation specifically because of that issue.
There seems to be some sense that i published an article about the hardest way to achieve this. I promise had relying on SNI worked liked i expected it to, the IP-based section of the article would be absent. But it didn't and, like i said, IP's are cheap. Adding 1 step to a process of ubiquitous support seems like a reasonable approach to me.
security.acme.certs = {
"example.com".email = "youremail@address.com";
};
services.nginx = {
enable = true;
virtualHosts."example.com" = {
enableSSL = true;
enableACME = true;
};
};
You can find the implementation of the nginx service here: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/s...
See: https://github.com/tzakrajs/cloud-fortress-lets-encrypt
