Nginx configuration multiple TLS certificates, as well as TLS SNI

By Nginx

Background

The official domain name filed for the original application was approved, and the TLS certificate was also applied for. The temporary domain name and certificate used before are used as the test environment. Therefore, multiple nginx certificates and multiple domain names must be configured on a single ECS host.

Practice

It is very simple to deploy multiple TLS certificates in nginx, and configure the certificates separately on different virtual hosts. For example, I have two domain names, a.com and b.com, and configure two servers separately in nginx.conf.

1
2
3
4
5
6
7
8
9
10
11
12
 13
14
15
16
17< br>18
19
20
21
  span>
 
server {
 listen 443 ssl http2;
 server_tokens off;
 server_name a.com; 

 ssl_certificate cert/a.com.pem; #Replace domain name.pem with the file name of your certificate. 
 ssl_certificate_key cert/a.com.key; #Replace domain name.key with the key file of your certificate name. 

 # more config
}

server {
 listen 443 ssl http2;
 server_tokens off;
 server_name b.com; 

 ssl_certificate cert/b.com. pem; #Replace domain name.pem with the file name of your certificate. 
 ssl_certificate_key cert/b.com.key; #Replace domain name.key with the key file of your certificate name. 

 # more config
}
  span>

ps. Recommend an online beautification tool for nginx conf configuration: Nginx Beautifier

problem further

Configure multiple domain names on a host (IP), The use of virtual host (virtual host) can be solved. However, when applying for a TLS certificate, a specific domain name and IP address are bound. When establishing a TLS connection, which certificate should the server issue?
Wait, the certificate is clearly bound to the domain name, and the domain name is known. Why is there a question of choosing a certificate?
That’s because the domain name is the concept of http. The client and server establish a tcp connection first, and then pass a TLS handshake to realize https communication. In the beginning, there was no concept of a domain name in this process!
In order to solve the problem of deploying multiple TLS certificates for a host, the SNI extension of TLS is brought.

Share pictures

(Image source: https://blogs.akamai.com/2017/03/reaching-toward-universal-tls-sni.html)

SNI introduction

From the wiki, “Server name indication”

Server name indication (English: Server Name Indication, abbreviation: SNI) is an extended protocol of TLS, under this protocol, at the beginning of the handshake process, the client tells it the name of the host to connect to the server it is connecting to. This allows the server to present multiple certificates on the same IP address and TCP port number, and therefore allows multiple secure (HTTPS) websites (or any other TLS-based services) to be provided on the same IP address without all of them The site uses the same certificate.

In the client hello handshake phase of TLS SNI, an extension field is added to indicate which domain name you want to establish a TLS connection with (note that it is in plain text). The server selects the certificate and issues it based on the SNI. The following is a TLS v1.2 handshake packet capture

Share a picture

This extension field, OpenSSL 0.9.8 version began to support. Modern browsers and servers are supported.

The SNI of TLS v1.2 is transmitted in plain text, which can be directly intercepted by a third party, exposing the domain name, and even preventing the establishment of an https connection (wait, someone is knocking on the door, I will receive a courier first) . . . This is the problem of censorship.

TLS ESNI extension

The SNI of TLS v1.2 is a security hazard caused by plaintext transmission, so is encryption not enough? No, because the TLS connection has not been established yet. This is the question of whether the chicken comes first or the egg comes first.
Google, amazon, microsoft and other big companies have come up with a way. Since SNI is plaintext, I will transmit a pollution-free host, such as their own domain name. After the tls connection is established, the real domain name will be transmitted.
This is the TLS ESNI extension, and the technology used is called Domain fronting (English: Domain fronting).

If you want censorship, you must close it all!
How about it? Isn’t it crazy and cool? However, the ideal is full, and the reality is very skinny. Up to now, Google and Amazon have shut down this service due to indescribable reasons.

I only talk about technical issues here.
Even with TLS v1.3 ESNI, the real domain name is returned after the connection is established, but the traditional DNS query is in plain text! The solution is to encrypt DNS, DNS over TLS (DoT) and DNS over HTTPS (DoH). The details will be studied later.

Summary

  • The configuration of nginx multiple certificates on a single host, configure ssl_certificate and on different servers >ssl_certificate_key.
  • The principle behind it involves the SNI extension of TLS.
  • The SNI extension field of TLS v1.2 is in plain text, and because it is transmitted in the client hello phase, it will be directly acquired by a third party, which brings security risks.
  • TLS v1.3 introduces ESNI extension, technically called domian fronting, which uses a secure host to establish a TLS connection, and then transmits the target domain name. Combined with encrypted DNS, secure communication is realized.

Reference Materials

  • Encrypt it or lose it: how encrypted SNI works
### The author of this article ycwu314, please indicate the source for reprinting https://ycwu314.github.io/p/https-sni-nginx-config/### 

1
2
 3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
 19
20
21
 span> 
server {
 listen 443 ssl http2;
 server_tokens off;
 server_name a. com; 

 ssl_certificate cert/a.com.pem; # Replace domain name.pem with the file name of your certificate. 
 ssl_certificate_key cert/a.com.key; #Replace domain name.key with the key file of your certificate name. 

 # more config
}

server {
 listen 443 ssl http2;
 server_tokens off;
 server_name b.com; 

 ssl_certificate cert/b.com. pem; #Replace domain name.pem with the file name of your certificate. 
 ssl_certificate_key cert/b.com.key; #Replace domain name.key with the key file of your certificate name. 

 # more config
}
  span> 

1
2
3
4
5
6
7
8
9
10
11 
12
13
14
15
16
17
18
19
< span class="li ne">20
21
< /span>
 
server {
 listen 443 ssl http2;
 server_tokens  off;
 server_name a.com; 

 ssl_certificate cert/a.com.pem; #Replace domain name.pem with the file name of your certificate. 
 ssl_certificate_key cert/a.com.key; #Replace domain name.key with the key file of your certificate name. 

 # more config
}

server {
 listen 443 ssl http2;
 server_tokens off;
 server_name b.com; 

 ssl_certificate cert/b.com. pem; #Replace domain name.pem with the file name of your certificate. 
 ssl_certificate_key cert/b.com.key; #Replace domain name.key with the key file of your certificate name. 

 # more config
}
  span>

### The author of this article ycwu314, please indicate the source for reprinting https://ycwu314.github.io/p/https-sni-nginx-config/###

WordPress database error: [Table 'yf99682.wp_s6mz6tyggq_comments' doesn't exist]
SELECT SQL_CALC_FOUND_ROWS wp_s6mz6tyggq_comments.comment_ID FROM wp_s6mz6tyggq_comments WHERE ( comment_approved = '1' ) AND comment_post_ID = 4653 ORDER BY wp_s6mz6tyggq_comments.comment_date_gmt ASC, wp_s6mz6tyggq_comments.comment_ID ASC

Leave a Comment

Your email address will not be published.