Closed felixbuenemann closed 5 years ago
Nice update to the default server block. I do not think this will break any functionality. All healthcheck servers should be set to verify SNI correctly.
The way I see it, this is a fix for a bug as we want ssl ciphers to always be enforced on all clients. :100:
This is required so that clients which do not support TLS SNI (Server Name Indication) are not allowed to negotiate insecure cipher suites, because neither the `ssl_prefer_server_ciphers` nor the `ssl_ciphers` directive was present in the default vHost. Without this patch the SSL config is set on all application vHosts, but not on the default vHost.

If a client that does not support SNI connects to NGINX, it uses the SSL config from the SSL default server, because it can only detect the correct vHost after negotiating the connection and looking at the Host header.
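The situation described in the thread, as an added configuration example that is not the project's own template or the patch itself: the first `server {}` is the weak default vHost (no cipher directives, so NGINX falls back to its built-in defaults of `ssl_ciphers HIGH:!aNULL:!MD5` and `ssl_prefer_server_ciphers off`), the second is the same default vHost with the same cipher policy the application vHosts carry. Hostnames, certificate paths and the cipher list are placeholders chosen for illustration.

```nginx
# Added example, not code from the original thread or the project.
# Hostnames, certificate paths and the cipher string are assumptions.

# BEFORE: default server handed to every client that sends no SNI.
# Nothing here constrains ciphers, so a non-SNI client negotiates against
# NGINX's built-in defaults rather than the policy set on the app vHosts.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/nginx/ssl/default.crt;   # placeholder
    ssl_certificate_key /etc/nginx/ssl/default.key;   # placeholder
    return 404;
}

# AFTER: the same default server with the cipher policy applied explicitly,
# so a client without SNI gets exactly the same TLS constraints as a client
# that reaches app.example.com by name.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/nginx/ssl/default.crt;   # placeholder
    ssl_certificate_key /etc/nginx/ssl/default.key;   # placeholder

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # Placeholder list; use the same string the application vHosts use.
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';

    return 404;
}

# Application vHost, selected only when the client's SNI matches.
server {
    listen 443 ssl;
    server_name app.example.com;                      # placeholder
    ssl_certificate     /etc/nginx/ssl/app.crt;       # placeholder
    ssl_certificate_key /etc/nginx/ssl/app.key;       # placeholder

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';

    location / {
        proxy_pass http://app-backend;                # placeholder upstream
    }
}
```

An equivalent fix is to set `ssl_protocols`, `ssl_prefer_server_ciphers` and `ssl_ciphers` once at the `http {}` level, since `server {}` blocks inherit them unless they override them; either way the default server must end up with the policy, because that is the block a non-SNI client is matched to. To check which policy a non-SNI client actually gets, connect without sending a server name and read the negotiated cipher, for example `openssl s_client -connect ingress.example.com:443 -noservername < /dev/null 2>/dev/null | grep -E 'Protocol|Cipher'` (the `-noservername` flag exists in OpenSSL 1.1.1 and later; older releases sent no SNI unless `-servername` was given), and compare it with the same command run with `-servername app.example.com`.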