nginx with "allow multiple ssl on same ip" is misconfigured

in virtualmin config I set "Allow multiple SSL websites on the same IP" to yes.

this is good, I can make more than 1 site on teh same ip/port, but if i look in the nginx config for the site i see that it does not set up ssl properly and also it does not set up port 80 properly.

1st site:

listen default ssl;

2nd site:


but it should be:

1st site:

listen default; <-- make first site the default on port 80 too
listen default ssl;

2nd site:

listen ssl; <-- enable ssl for 2nd site

i think i made a fix for ssl bug, in virtualmin-nginx-ssl/

if (!&find_listen_clash($d->{'ip'}, $d->{'web_sslport'})) {
        push(@sslopts, 'default', 'ssl');
else {
        push(@sslopts, 'ssl');

that seems to fix it so 2nd/more sites also get ssl enabled.

but not sure where to fix "default" flag on port 80 for 1st site...



Only one virtual server can have the default flag set on the port 80 listen line, right?

It seems like it would cause problems if Virtualmin added the default option to all new domains.

yes only one can have default flag on an ip:port combo, but re-read the report, i showed that the 1st server doesnt get it either even when it is the only server.

he report shows what flags are set for server 1 and server 2 and what they should have been.

Actually, I just remembered that Virtualmin has another way of setting the default site already - you can go to Server Configuration -> Website Options, and change "Default website for IP address?" to "Yes".

However, this is implemented by adding the domain's IP to the server_name directive. This seems to work .. but if it isn't the Nginx-recommended solution, I'd be open to changing it.

oh, thats not correct hehe.

nginx finds default site in this way:

any site say as "default" for the ip/port/proto is first choice. and it will be the 1st choice for what ssl certificate or site to show.

then, it check sni / ssl and choose another ssl cert if it should if browser support and ask for it.

then, it checks "Host:" http header to find the site to show. if host header was missing it use default site forip.

see here:

i see it even suggest using :80 after port 80 binds... following its suggestions, this is the correct for a default site:

listen default;
listen default ssl;

and this is the correct for not default:

listen ssl;


oh and the "ssl" is because port 443 or 80 has no meaning to it. you could say "listen ssl" and it would run https on 80! so you must have "ssl" after all 443 ports!

i made patch for ":443 ssl" for not-default sites in post 1, but i dont know where to edit the other ":80 default" / ":80" thing...

The change to add ssl for port 443 listen lines is definitely correct, and will go into the next release.

I will look into what is needed to better handle the default non-SSL site.