Submitted by aitte on Mon, 02/11/2013 - 15:21
in virtualmin config I set "Allow multiple SSL websites on the same IP" to yes.
this is good, I can make more than 1 site on teh same ip/port, but if i look in the nginx config for the site i see that it does not set up ssl properly and also it does not set up port 80 properly.
1st site:
listen 10.0.1.2;
listen 10.0.1.2:443 default ssl;
2nd site:
listen 10.0.1.2;
listen 10.0.1.2:443;
but it should be:
1st site:
listen 10.0.1.2 default; <-- make first site the default on port 80 too
listen 10.0.1.2:443 default ssl;
2nd site:
listen 10.0.1.2;
listen 10.0.1.2:443 ssl; <-- enable ssl for 2nd site
i think i made a fix for ssl bug, in virtualmin-nginx-ssl/virtual_feature.pl...
if (!&find_listen_clash($d->{'ip'}, $d->{'web_sslport'})) {
push(@sslopts, 'default', 'ssl');
}
else {
push(@sslopts, 'ssl');
}
that seems to fix it so 2nd/more sites also get ssl enabled.
but not sure where to fix "default" flag on port 80 for 1st site...
Status:
Active
Comments
Submitted by JamieCameron on Mon, 02/11/2013 - 19:41 Comment #1
Only one virtual server can have the
default
flag set on the port 80listen
line, right?It seems like it would cause problems if Virtualmin added the
default
option to all new domains.Submitted by aitte on Mon, 02/11/2013 - 23:32 Comment #2
yes only one can have default flag on an ip:port combo, but re-read the report, i showed that the 1st server doesnt get it either even when it is the only server.
he report shows what flags are set for server 1 and server 2 and what they should have been.
Submitted by JamieCameron on Tue, 02/12/2013 - 00:23 Comment #3
Actually, I just remembered that Virtualmin has another way of setting the default site already - you can go to Server Configuration -> Website Options, and change "Default website for IP address?" to "Yes".
However, this is implemented by adding the domain's IP to the
server_name
directive. This seems to work .. but if it isn't the Nginx-recommended solution, I'd be open to changing it.Submitted by aitte on Tue, 02/12/2013 - 00:41 Comment #4
oh, thats not correct hehe.
nginx finds default site in this way:
any site say as "default" for the ip/port/proto is first choice. and it will be the 1st choice for what ssl certificate or site to show.
then, it check sni / ssl and choose another ssl cert if it should if browser support and ask for it.
then, it checks "Host:" http header to find the site to show. if host header was missing it use default site forip.
see here: http://nginx.org/en/docs/http/request_processing.html
i see it even suggest using :80 after port 80 binds... following its suggestions, this is the correct for a default site:
and this is the correct for not default:
:)
oh and the "ssl" is because port 443 or 80 has no meaning to it. you could say "listen 10.1.1.2:80 ssl" and it would run https on 80! so you must have "ssl" after all 443 ports!
i made patch for ":443 ssl" for not-default sites in post 1, but i dont know where to edit the other ":80 default" / ":80" thing...
Submitted by JamieCameron on Tue, 02/12/2013 - 18:05 Comment #5
The change to add
ssl
for port 443 listen lines is definitely correct, and will go into the next release.I will look into what is needed to better handle the default non-SSL site.