SNI-based SSL solution in Nginx reverse proxy
As Internet technology has developed, the security of Web applications has received more and more attention. SSL certificates, as an encryption technology that secures data in transit, have become one of the important means of protecting web applications. In some cases, multiple SSL certificates need to be deployed on the same server, and SNI-based SSL solutions exist for exactly this need.
1. What is SNI (Server Name Indication)
SNI is a TLS extension that lets the client include an extension field in the "Client Hello" message when establishing an SSL connection, telling the server which host name the client wants to reach. On a single IP address and port, multiple domain names can therefore use different SSL certificates at the same time.
However, SNI is not supported by all browsers and servers. When using SNI, you must ensure that the client and server support the same SSL protocol version and that the client supports the SNI extension. Commonly used browsers today, such as Chrome, Firefox, IE7 and above, and Opera, all support SNI.
2. Nginx reverse proxy and SSL
Nginx is a high-performance web server that also supports reverse proxying. A reverse proxy is a technique used in information security that forwards requests to a different server and returns that server's response to the requester. Reverse proxy servers can also provide load balancing and SSL encryption.
The reverse proxy server sits as a middle layer between the front-end clients and the back-end web servers. Nginx supports two service modes, http and https; with https, SSL encryption and decryption are required.
Nginx's SSL support has two modes: single-certificate mode and SNI-based multi-certificate mode. In single-certificate mode only one SSL certificate can be used, so different domain names cannot use different certificates. In SNI-based multi-certificate mode, SSL-encrypted transmission for multiple domains can be achieved.
3. SNI-based SSL solution
- Generate SSL certificate
First you need to apply for an SSL certificate and generate the corresponding certificate chain and private key. It is assumed here that we want to use two domain names, abc.com and xyz.com, and generate a certificate for each.
Generate certificate:
    # generate a 2048-bit RSA private key and a certificate signing request (CSR) for abc.com
    openssl req -newkey rsa:2048 -nodes -keyout abc.com.key -out abc.com.csr
    # self-sign the CSR for 365 days (for a CA-issued certificate, submit the CSR to the CA instead)
    openssl x509 -req -days 365 -in abc.com.csr -signkey abc.com.key -out abc.com.crt
    # the same two steps for xyz.com
    openssl req -newkey rsa:2048 -nodes -keyout xyz.com.key -out xyz.com.csr
    openssl x509 -req -days 365 -in xyz.com.csr -signkey xyz.com.key -out xyz.com.crt
Generate certificate chain:
    # append the issuer's intermediate certificate (domain.crt) after the server certificate;
    # Nginx requires the server certificate to come first in the bundle
    cat abc.com.crt domain.crt > abc.com-bundle.crt
    cat xyz.com.crt domain.crt > xyz.com-bundle.crt
- Configuring Nginx
In the Nginx configuration file, you need to add the following configuration:
    http {
        ...
        # Configure the shared SSL session cache
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;

        # One server block per domain name, each with its own certificate and private key
        server {
            listen 443 ssl;
            server_name abc.com;
            ssl_certificate /path/to/abc.com-bundle.crt;
            ssl_certificate_key /path/to/abc.com.key;
        }
        server {
            listen 443 ssl;
            server_name xyz.com;
            ssl_certificate /path/to/xyz.com-bundle.crt;
            ssl_certificate_key /path/to/xyz.com.key;
        }
    }
Specify ssl_certificate and ssl_certificate_key in each server block so that each domain name uses its own SSL certificate; one server block is needed per domain name.
- Verify configuration
After restarting Nginx, you can verify that the configuration has taken effect. Open abc.com and xyz.com in the browser; during the TLS handshake the browser sends the host name in the SNI extension and the server returns the corresponding SSL certificate. If the request returns normally, the SNI-based SSL solution is working.
4. Summary
The SNI-based SSL solution deploys multiple SSL certificates on the same server, which suits scenarios that require SSL encryption for multiple domains. However, SNI is not supported by all browsers and servers, so you need to ensure that the client and server support the same SSL protocol version and that the client supports the SNI extension. During configuration, one server block is needed per domain name, each specifying its own SSL certificate and private key.