If I use the "--with-http_ssl_module" to buld nginx, it will always support sni and some old clients on windows xp will fail to connect.
How could i disable the use of sni on nginx?
SNI is an extension to TLS. This means that clients that don't support it will fall back to using the default mechanism. So no need to disable anything. If something works not as expected, it's simply because you haven't set a non-SNI configuration correctly.
In other words, an old non-SNI client is being presented with an invalid certificate.
To solve this, ensure that your default NGINX server block has the right TLS certificate.
Related
I have been looking for this for a while now. Still not sure if Envoy and Nginx does all the TLS stuff for a web-gRPC client.
In my case, my Nginx config works well with gRPC client and server. However, it is not working for web-gRPC client.
Nginx is no longer being actively supported for grpc-web. The default proxy for grpc-web is Envoy. You should be able to set up TLS by setting some config with the envoy.yaml file. In particularly, look under the 'tls_context' section.
I have various nginx server and recently I note that by default response these servers responses using the HTTP/2 version of protocol.
I don't have configured the http2 parameter in nginx.conf.
Is this the right behavior?
No, that is not the default.
If you observe HTTP2 despite not configuring it in NGINX, you likely have a CDN in front of it, e.g. Cloudflare.
I have two set of users using okhttp/2.7.0 and okhttp/3.12.0. I want to enable http2 in nginx only for those users who are using okhttp/3.12.0. The client ensures to send their identifier. Is there a way to use this information and enable http2 only for those users.
Note: Multiple ports is not an option for me.
My nginx and OS version
nginx version: nginx/1.14.2
built by gcc 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04.4)
built with OpenSSL 1.0.2h 3 May 2016
TLS SNI support enabled
My nginx conf goes like this
server {
listen 443 ssl http2;
...
This is not really possible. The client is only sent as part of a HTTP message, which is only sent after the version of HTTP to use is decided, obviously. The initially message to create the connection, and set up the SSL/TLS parameters won’t have the client (which is usually where the HTTP version is decided using the ALPN extension to TLS).
There are however other ways this might be possible, including:
Depending on the capabilities of the client. I’m not familiar with okhttp but from a quick Google it seems ALPN support was only added in v3, so you could disable the older NPN on your server and then, if that is correct, then in theory the older client will not be able to negotiate HTTP/2 so will fallback to HTTP/1.1. Unfortunately there appears to be no Nginx config option for that so you’d need to build a special version of OpenSSL without NPN support and then compile Nginx against that. Probably more hassle than it’s worth.
Use Apache instead of Nginx as it never supported NPN
Using Multiple IPs and somehow directing each version to a separate IP. Though I suspect as you cannot use separate ports you probably cannot do this either.
All in all it’s a bit of hack to be honest and so is not something that I would suggest you pursue. What you have not explained however is why you want to use HTTP/2 for one set of clients but not the other. Maybe there’s a better way to achieve what you want if you explain that.
I've implemented SSL on my site using SNI. Now I know that old browsers does not support SNI facility. What I'm asking is is it possible to redirect the user to some other landing page when he/she is trying to visit my site with a non SNI supported browser.
Please suggest me how can I implement it? I'm not able to find much heloful info about SNI based redirection. If there is some code snippet which you guys use to achive this, then please share it with me.
In short: yes, it is possible in theory, but probably not in any use case relevant in practice.
In detail:
HTTP redirection within a HTTPS connection is done after the TLS connection got established. That means, that you would first need to have a valid certificate which matches all the hosts you have on your site in order to establish the TLS connection. This is usually not the case if you are using SNI because if you have such certificate you would not need SNI at all.
I have a running HTTP web application and I am facing problems to make it run over HTTPS.
I am thinking of bringing some HTTPS Proxy that accepts user requests and forward it to the HTTP web app.
What do you think of that? and How can I accomplish that?
Setting up stunnel is a no-brainer - and its available for Unix/Linux/Posix/MSWindows (you might have mentioned what OS you are using).
(Also you can run the program to encrypt or decrpyt, at the server or at the client side)
It's possible to run Apache Httpd (for example) using HTTPS and use mod_proxy_http as a reverse proxy to forward the requests to your existing HTTP server. Of course, for this to be of any use, you'd need the reverse proxy and the target server to be connected in such a way that connections cannot be sniffed or altered.
You may find that the existing server needs certain extra settings for it to be aware it's using HTTPS (for example, special Valves in Apache Tomcat to set the HTTPS flag to true).
Apache httpd reverse-proxy?