Nginx selects the certificate and supported cipher suites by matching the SNI field

Background:
In the TCP/IP model, SSL sits between the application layer and the transport layer: HTTP has not yet been reached at that point, but we are already above TCP. Nginx can serve multiple domain names on a single IP because the HTTP protocol carries a Host header; by matching the value of that header against the server_name of each server block in nginx.conf, Nginx can easily forward the request to the right content server.

For HTTPS this does not work. Why? As noted above, SSL sits between HTTP and TCP, so when a request arrives and the handshake begins, SSL has no way of knowing which Host the request is for. To learn the Host, it would have to decrypt the HTTP request, but that request is exactly what this SSL layer is supposed to encrypt. So we have a chicken-and-egg problem.

Hence the SNI field (Server Name Indication): during the SSL handshake the browser sends the domain name it wants in an extension field, so Nginx can serve multiple HTTPS sites on one IP. This technique has three requirements:

1. Nginx must have been built with SNI support enabled at compile time; you can check this with nginx -V (it reports whether TLS SNI support is enabled).

2. The OpenSSL library Nginx is dynamically linked against must support this feature. This can also be seen from nginx -V; unless something unusual is going on it will be supported, since OpenSSL has supported SNI from version 0.9.8f onwards.
3. The user's browser must support this feature.

Measured results:
Nginx was configured with two different domain names and their corresponding certificates, and the domain names www.huawei.com and www.syjhahaha.com were tested.

1. If the HTTPS request is initiated with `curl -vk -H "Host: www.syjhahaha.com" "https://10.93.167.110:443/test"`, no SNI extension field is sent, so Nginx matches the first server block (www.huawei.com) and uses that block's certificate and supported cipher suites. The Host header is inside the encrypted HTTP request and cannot influence the handshake.
2. If the request is initiated from a browser (e.g. Chrome), the domain name is carried in the SNI field and an exact match to the specific server block is possible. That is, a request for www.syjhahaha.com is matched to its corresponding server block (www.syjhahaha.com) and uses that block's certificate and cipher suite information.

Origin: www.cnblogs.com/linyihan/p/11234055.html