I'm stuck with configuring nginx regarding SSL and SNI support.
In order to simplify my case let's say I have two domains, foo.com
and bar.com
. I have only one IP and both domains are mapped to this one. I want foo.com
to be available via https
, but not bar.com
. The latter should just be unavailable on port 443. I know this is not possible with plain SSL but I was told that I can safely rely on SNI these days. So I assume that my browser (Chrome) sends the domain of the website it wants to access alongside the SSL init request.
If I access bar.com
, nginx uses the configured certificate issued for bar.com
, perfect. If I access https://foo.com
, for which no listen *:443
directive actually exists, nginx also replies with the certificate for bar.com
, thus Chrome throws a certificate exception. I tried to configure the SSL listen directive for foo.com
and added the following code in the vhost with no success:
if ($server_port = 443) {
return 444;
}
It now sends the wrong certificate and only afterwards denies the connection.
Is it possible to let nginx close the connection before any SSL reply is sent back to the browser if nginx cannot find an appropriate certificate for the requested domain?