Building Nginx with TLS SNI Support
From blog.peacon.co.uk
NginX provides TLS SNI (Server Name Indication) support, which lets several SSL sites, each with its own certificate, be served from a single IP address and port: the client names the host it wants in the TLS ClientHello, before the server has to pick a certificate, so NginX can select the matching server block. Without SNI one IP:port can present only one certificate.
To get this support, NginX must be built against an OpenSSL that was itself built with TLS extension support - see Building OpenSSL with TLS Extension Support.
Confirming Status
The output of nginx -V shows whether TLS SNI support was compiled in:
root@core:/usr/local/nginx# sbin/nginx -V
nginx version: nginx/0.7.67
built by gcc 4.2.4 (Ubuntu 4.2.4-1ubuntu4)
TLS SNI support enabled
configure arguments: --with-http_ssl_module --with-http_realip_module --with-sha1=/usr/bin
If support is not present this is simply stated:
TLS SNI support disabled
Building
Provided OpenSSL has been built with TLS extension support, no special configure options are required for NginX: its build detects SNI at compile time from the OpenSSL headers it is compiled against (the SSL_CTRL_SET_TLSEXT_HOSTNAME definition), and that compile-time result is what nginx -V reports. The consequence is that NginX must be built after OpenSSL; if OpenSSL is rebuilt to add the support, NginX must be rebuilt as well, or it will keep reporting "TLS SNI support disabled". If more than one OpenSSL is installed, make sure the headers and library NginX picks up are the ones with the support (for example by pointing --with-openssl=<path> at the OpenSSL source tree so NginX builds against that copy).
Testing Configuration
The operation of TLS SNI can be tested by creating two SSL listeners on the NginX server (two server blocks on the same IP and port, each with its own server_name and ssl_certificate) and then using openssl s_client to display verbose output of connection attempts. Note that s_client only sends the SNI extension when given -servername <host> (newer OpenSSL releases also derive it from a hostname passed to -connect, but never from an IP address); a plain -connect to the IP, as below, sends no server name, so NginX answers with the default server's certificate regardless of SNI support. To exercise SNI, repeat the connection once per hostname with -servername and confirm that each name gets its own certificate:
root@core:/usr/local/nginx# openssl s_client -connect 192.168.1.190:443 -tlsextdebug
CONNECTED(00000003)
TLS server extension "renegotiate" (id=65281), len=1
0001 - <SPACES/NULS>
TLS server extension "server ticket" (id=35), len=0
depth=0 C = UK, ST = UK, L = UK, O = Peacon Ltd, CN = peacon.co.uk
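As an added example (not code from the original post), the script below writes the two-listener configuration the test calls for and probes the server with -servername, which is what actually makes s_client send the SNI extension. It compares the CN of the certificate returned for each name; the hostnames www.example.test and www.example.net, the certificate paths and the address 192.168.1.190:443 are assumptions. It goes slightly beyond the page's OpenSSL version by parsing both the old "subject=/C=UK/.../CN=host" and the newer "subject=C = UK, ..., CN = host" layouts of the s_client subject line.

```shell
#!/bin/sh
# Added example, not code from the original post: two SNI virtual hosts on
# one IP:port and a probe that checks which certificate each name receives.
# The hostnames, certificate paths and the 192.168.1.190 address are
# assumptions chosen for illustration.

# Write an nginx http{} fragment with two TLS server blocks sharing one
# ip:port. nginx selects the block whose server_name matches the SNI name
# sent by the client; a client that sends no SNI gets the first block.
write_sni_config() {
    cat >"$1" <<'EOF'
http {
    server {
        listen 192.168.1.190:443 ssl;
        server_name www.example.test;
        ssl_certificate     /etc/nginx/ssl/www.example.test.crt;
        ssl_certificate_key /etc/nginx/ssl/www.example.test.key;
    }
    server {
        listen 192.168.1.190:443 ssl;
        server_name www.example.net;
        ssl_certificate     /etc/nginx/ssl/www.example.net.crt;
        ssl_certificate_key /etc/nginx/ssl/www.example.net.key;
    }
}
EOF
}

# Pull the CN out of s_client's "subject=" line. Old OpenSSL prints
# "subject=/C=UK/.../CN=host", OpenSSL 1.1.1+ prints
# "subject=C = UK, ..., CN = host"; the capture stops at the next '/' or ','.
cn_from_s_client() {
    sed -n 's/^subject=.*CN *= *\([^,/]*\).*$/\1/p' | head -n 1 | sed 's/[[:space:]]*$//'
}

# CN of the certificate the server presents when the client names $2 via SNI.
# -servername is what makes s_client send the extension; without it the
# server can only answer with its default certificate.
served_cn() {
    openssl s_client -connect "$1" -servername "$2" </dev/null 2>/dev/null \
        | cn_from_s_client
}

# Succeeds when two different SNI names receive two different certificates.
sni_works() {
    first=$(served_cn "$1" "$2")
    second=$(served_cn "$1" "$3")
    [ -n "$first" ] && [ -n "$second" ] && [ "$first" != "$second" ]
}

# Usage: sh sni-check.sh 192.168.1.190:443 www.example.test www.example.net
if [ "$#" -eq 3 ]; then
    if sni_works "$1" "$2" "$3"; then
        echo "SNI in effect: $2 and $3 receive different certificates"
    else
        echo "SNI not in effect (or a name is unknown): same or no certificate for $2 and $3"
        exit 1
    fi
fi
```

If both names come back with the same CN, either NginX was built against an OpenSSL without TLS extension support (check nginx -V) or the second server block is not matching the name being sent; the same probe without -servername should always return the first block's certificate, which is a useful sanity check that the parser and the listener are working.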