When setting up multiple SSL-enabled virtual hosts on the same IP/port combination using a wildcard certificate, Nginx may serve the same content for different domains despite having separate server blocks configured.
The configuration you provided has a critical limitation: both server blocks listen on 127.0.0.1:443 without the default_server parameter or proper SNI (Server Name Indication) handling. Nginx needs additional directives to properly distinguish between hosts.
Here's the correct way to configure multiple SSL vhosts with a wildcard certificate:
# Host A configuration
server {
    listen 443 ssl;
    server_name a.example.com;
    ssl_certificate /etc/ssl/wildcard.cer;
    ssl_certificate_key /etc/ssl/wildcard.key;
    # Recommended SSL settings
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    root /data/httpd/a.example.com;
    # Other configurations...
}

# Host B configuration
server {
    listen 443 ssl;
    server_name b.example.com;
    ssl_certificate /etc/ssl/wildcard.cer;
    ssl_certificate_key /etc/ssl/wildcard.key;
    # Same SSL settings for consistency
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    root /data/httpd/b.example.com;
    # Other configurations...
}
- Remove the explicit IP address from the listen directive unless specifically needed
- Ensure you're running Nginx 1.15.9+ for best SNI support
- Verify your OpenSSL version supports SNI (openssl version)
- Consider adding HTTP/2 support with listen 443 ssl http2;
If the issue persists:
- Check Nginx error logs:
tail -f /var/log/nginx/error.log
- Verify SNI support with OpenSSL:
openssl s_client -connect a.example.com:443 -servername a.example.com
- Test configuration syntax:
nginx -t
- Reload Nginx after changes:
nginx -s reload
For better performance with wildcard certificates:
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_buffer_size 4k;
When configuring multiple virtual hosts (vhosts) under the same domain using a wildcard SSL certificate in Nginx, you might encounter a situation where only one vhost gets served regardless of the requested hostname. This typically happens due to incorrect SSL configuration or improper server block setup.
The main reason for this behavior is that Nginx needs to complete the SSL handshake before it can examine the Host header (which contains the server_name). If your SSL configuration isn't properly set up to handle this, Nginx will default to serving whichever server block it matches first in its configuration.
Here's how to correctly set up multiple SSL vhosts with a wildcard certificate:
# Host A Configuration
server {
    listen 443 ssl;
    server_name a.example.com;
    ssl_certificate /etc/ssl/wildcard.cer;
    ssl_certificate_key /etc/ssl/wildcard.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    root /data/httpd/a.example.com;
    # Other configuration directives...
}

# Host B Configuration
server {
    listen 443 ssl;
    server_name b.example.com;
    ssl_certificate /etc/ssl/wildcard.cer;
    ssl_certificate_key /etc/ssl/wildcard.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    root /data/httpd/b.example.com;
    # Other configuration directives...
}
1. Each server block should have its own unique server_name directive
2. The SSL certificate and key paths should be identical for all vhosts under the same wildcard domain
3. All server blocks should listen on port 443 with the ssl parameter
4. Include proper SSL protocols and ciphers configuration
If you're still experiencing issues, try these troubleshooting steps:
# Check Nginx configuration syntax
nginx -t
# Check which server block Nginx is actually using
openssl s_client -connect a.example.com:443 -servername a.example.com < /dev/null | openssl x509 -noout -text
# Verify server_name matching
sudo nginx -T | grep server_name
When using wildcard certificates with multiple vhosts, consider:
- Using keepalive connections to reduce SSL handshake overhead
- Implementing OCSP stapling for better performance
- Configuring proper SSL session caching
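Both answers come down to the same routing rule: on one listen socket nginx picks the server block by server_name, falls back to the first block (or the one marked default_server) when nothing matches, and ignores a later block that repeats a name. The script below is an added example, not code from either answer: it parses a small constructed nginx config (hypothetical sample, the two vhosts above plus a deliberately broken third block) and reports those conditions, the same checks you would otherwise do by eye on `nginx -T` output.

```python
import re
from collections import defaultdict

# Constructed sample (not from the page): the answer's two vhosts plus a third block
# that repeats host A's server_name and has no certificate.
SAMPLE_CONFIG = """
server { listen 443 ssl; server_name a.example.com; ssl_certificate /etc/ssl/wildcard.cer;
         location / { root /data/httpd/a.example.com; } }
server { listen 443 ssl; server_name b.example.com; ssl_certificate /etc/ssl/wildcard.cer; }
server { listen 443 ssl; server_name a.example.com; }   # duplicate name, no ssl_certificate
"""

def parse_servers(text):
    """Collect the directives of each top-level server block (nested location {} bodies are skipped)."""
    text = re.sub(r"#[^\n]*", "", text)                         # drop comments before tokenizing
    tokens = re.findall(r"\{|\}|[^{};]+;|[^{};]+(?=\{)", text)  # braces, directives, block headers
    servers, depth, cur = [], 0, None
    for tok in tokens:
        words = tok.strip().rstrip(";").split()
        if tok == "{":
            depth += 1
        elif tok == "}":
            depth -= 1
            if depth == 0 and cur is not None:
                servers.append(dict(cur))
                cur = None
        elif depth == 0 and words == ["server"]:                 # header of a server block
            cur = defaultdict(list)
        elif depth == 1 and cur is not None and tok.rstrip().endswith(";"):
            cur[words[0]].append(words[1:])                      # e.g. listen -> ["443", "ssl"]
    return servers

def audit(servers):
    """Explain, per listen socket, why a request could end up in an unexpected server block."""
    findings, sockets = [], defaultdict(list)                    # socket -> [(index, has_default_server)]
    for i, s in enumerate(servers):
        for args in s.get("listen", []):
            sock = args[0] if ":" in args[0] else f"*:{args[0]}"  # nginx reads "443" as "*:443"
            sockets[sock].append((i, "default_server" in args))
            if "ssl" in args and "ssl_certificate" not in s:
                findings.append(f"server #{i}: listen {sock} ssl but no ssl_certificate, so TLS handshakes to this block fail")
    for sock, entries in sockets.items():
        seen = {}                                                 # server_name -> first block index
        for i, _ in entries:
            for name in sum(servers[i].get("server_name", []), []):
                if name in seen:
                    findings.append(f"{sock}: server_name {name} in #{i} duplicates #{seen[name]}; nginx ignores the later one")
                seen.setdefault(name, i)
        if len(entries) > 1 and not any(d for _, d in entries):
            findings.append(f"{sock}: no default_server, so unmatched hostnames fall through to #{entries[0][0]}")
    return findings
```

Feed it the output of `nginx -T` instead of SAMPLE_CONFIG to check a live config; the parser only understands the flat directive layout shown here and does not expand include files.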