Lighttpd Server Name Indication (SNI)

I installed a new web server today and tested out its SNI features. SNI solves the problem of hosting multiple virtual hosts on the same server running SSL. In the past, it was not possible to present a different certificate for each virtual host, necessitating the use of other techniques.

This was how I did it at first:

    $SERVER["socket"] == "10.0.0.1:443" {
        ssl.engine = "enable"
        ssl.pemfile = "www.example.org.pem"
    }
    $HTTP["host"] == "foo.example.org" {
        ssl.pemfile = "foo.example.org.pem"
    }
    $HTTP["host"] == "bar.example.org" {
        ssl.pemfile = "bar.example.org.pem"
    }

However, after setting it up, it successfully presented different certificates, but it seemed to present the wrong ones for different virtual hosts. After mucking about the Internets, I came to the conclusion that my configuration file was in error. A proper SNI configuration should be configured as such:


    $SERVER["socket"] == "10.0.0.1:443" {
        ssl.engine = "enable"
        ssl.pemfile = "www.example.org.pem"

        $HTTP["host"] == "foo.example.org" {
            ssl.pemfile = "foo.example.org.pem"
        }

        $HTTP["host"] == "bar.example.org" {
            ssl.pemfile = "bar.example.org.pem"
        }
    }

After that it worked magically. Wow for nested configs!

Update: Turns out that I spoke too soon. The problem still persists.
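
To see which certificate the server really presents for each name, send each virtual host as the SNI value and compare it with the names in the certificate that comes back. The Python script below is an added example, not part of the original post; the function names and the sample certificates are constructed, and the live check assumes the certificates chain to a CA in `cafile` or the system trust store.

```python
import socket
import ssl

# Constructed sample certificates (getpeercert() shape), keyed by the SNI name sent.
SAMPLE = {
    "www.example.org": {"subjectAltName": (("DNS", "www.example.org"),)},
    "foo.example.org": {"subjectAltName": (("DNS", "www.example.org"),)},  # default cert served
    "bar.example.org": {"subjectAltName": (("DNS", "bar.example.org"),)},
}

def presented_names(cert):
    """DNS names in a certificate dict as returned by SSLSocket.getpeercert()."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # legacy certificates: fall back to the subject commonName
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return [n.lower() for n in names]

def name_matches(pattern, host):
    """Exact match, or a wildcard covering exactly the leftmost label."""
    p, h = pattern.lower().split("."), host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    return (p[0] == "*" or p[0] == h[0]) and p[1:] == h[1:]

def fetch_cert(addr, sni, cafile=None, timeout=5):
    """Connect to addr=(ip, port), send `sni` in the ClientHello, return the cert dict."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # chain is still verified; names are compared in audit()
    with socket.create_connection(addr, timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert()

def audit(vhosts, fetch):
    """Map each vhost to (ok, names) so a wrong certificate is visible by name."""
    report = {}
    for host in vhosts:
        names = presented_names(fetch(host))
        report[host] = (any(name_matches(n, host) for n in names), names)
    return report

if __name__ == "__main__":
    # Offline run on SAMPLE; for a live check pass
    # fetch=lambda h: fetch_cert(("10.0.0.1", 443), h) instead.
    for host, (ok, names) in audit(SAMPLE, SAMPLE.__getitem__).items():
        print("OK  " if ok else "BAD ", host, "->", names)
```

A `BAD` line whose names belong to another virtual host shows the server fell back to a different `ssl.pemfile` for that SNI value.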


Published by

Shawn Tan

Chip Doctor, Chartered Engineer, Entrepreneur, Law Graduate.
