Enable Nginx TLS SNI to support multiple SSL certificates under the same IP address
A few days ago, I deployed an SSL certificate on my blog to improve the performance. Later, I applied for an additional SSL certificate for my project and deployed it with the same process. I found that the previous domain names all loaded the newly added certificate. After some Googling, it turned out that TLS SNI was not enabled when Nginx was compiled, so only one certificate could be supported under the same IP address.
Check whether TLS SNI is enabled for the installed Nginx
# nginx -V
nginx version: nginx/1.6.2
built by gcc 4.1.2 20080704 (Red Hat 4.1.2-55)
TLS SNI support disabled
configure arguments: --user=www --group=www --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_gzip_static_module
The output contains the line "TLS SNI support disabled".
Enable TLS SNI
Download OpenSSL that supports SNI
To recompile Nginx, OpenSSL is required. Download and decompress it to a directory.
# cd ~
# wget http://www.openssl.org/source/openssl-1.0.2a.tar.gz
# tar zxvf openssl-1.0.2a.tar.gz
Recompile Nginx
# cd nginx-1.6.2    # assuming you have already downloaded and unpacked the nginx source
# ./configure --user=www --group=www \
    --prefix=/usr/local/nginx \
    --with-http_stub_status_module \
    --with-http_ssl_module \
    --with-http_gzip_static_module \
    --with-openssl=path/to/openssl-1.0.2a
# make
# mv /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.old    # back up the old nginx
# cp objs/nginx /usr/local/nginx/sbin/nginx    # replace it with the newly compiled nginx
Add the compilation option --with-openssl=path/to/openssl-1.0.2a to the configure arguments.
The parameter points to the directory where you decompressed OpenSSL. Do not run make install after make finishes. Simply copy the compiled nginx executable from the objs directory to the original path, replacing the old one.
Check that TLS SNI is enabled.
# nginx -V
nginx version: nginx/1.6.2
built by gcc 4.1.2 20080704 (Red Hat 4.1.2-55)
TLS SNI support enabled
configure arguments: --user=www --group=www --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-openssl=../../openssl-1.0.2a
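The two checks above can be scripted, together with a test for the original symptom (several names on one IP all presenting the same certificate). This is an added example, not part of the original post; the function names, the host names blog.example and project.example, and the address 203.0.113.10 are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). All host names and the IP
# address mentioned in the comments are placeholders.

# Classify `nginx -V` output read on stdin: prints enabled, disabled or unknown.
# nginx writes -V output to stderr, so call it as:  nginx -V 2>&1 | sni_status
sni_status() {
    awk '/TLS SNI support enabled/  { s = "enabled" }
         /TLS SNI support disabled/ { s = "disabled" }
         END { if (s == "") s = "unknown"; print s }'
}

# Print the SHA-256 fingerprint of the certificate served at address $1,
# port 443, when the client sends $2 as the SNI server name.
served_fingerprint() {
    openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Read "name fingerprint" lines on stdin and report every name whose
# fingerprint was already seen for an earlier name. When each site has its
# own certificate, as in this post, any line printed here is the symptom
# described at the top (a shared SAN or wildcard certificate also matches).
shared_cert_names() {
    awk 'NF == 2 {
             if ($2 in seen) print $1 " shares certificate with " seen[$2]
             else seen[$2] = $1
         }'
}

# check_vhosts IP NAME...  e.g. check_vhosts 203.0.113.10 blog.example project.example
check_vhosts() {
    ip=$1
    shift
    for name in "$@"; do
        printf '%s %s\n' "$name" "$(served_fingerprint "$ip" "$name")"
    done | shared_cert_names
}
```

No output from check_vhosts means every name that answered presented a different certificate.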
Although it was a very simple task, I struggled with it for a long time. I always thought that I had made an error in the conf file. Later, I stumbled on the cause by accident and found that it was related to a feature not being enabled. We hope this helps you avoid the unnecessary steps.