by mercora
1785 days ago
What I do is somewhat like you suggest. If HAProxy can't determine which hostname it should serve, it responds with a "503 Service Unavailable". However, if I expect someone to be able to actually receive that, I still need to present a certificate to the client. I use wildcard certificates for this reason. The server won't tell you what names would actually work... You could just terminate connections or signal some kind of handshake error immediately instead, though... Most sites and services aren't likely to do that, as it's not very helpful in figuring out why it went wrong, or they will explicitly try to make it work for clients not supporting this. That's why I noted it being practical as long as incompatible clients are expected to work...
If a web browser connects without specifying a name and it hoped to reach some.nonsense.example, your wildcard certificate doesn't help it, and it won't display your 503 Service Unavailable error: you aren't some.nonsense.example, it cannot proceed, so you shouldn't bother trying to "help".
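The two behaviours the thread contrasts, written out as HAProxy frontend configuration. This is an added illustration, not mercora's config; certificate paths, backend names and hostnames are placeholders.

```haproxy
# Variant A (what mercora describes): always complete the TLS handshake
# using a wildcard certificate, route known names, and let everything
# else fall through to a backend with no servers, which yields a 503.
frontend https_lenient
    bind :443 ssl crt /etc/haproxy/certs/wildcard.example.pem   # placeholder path
    # ssl_fc_sni is the SNI name the client sent on this terminated connection
    use_backend app_example if { ssl_fc_sni -i app.example }
    default_backend no_match

backend app_example
    server app1 10.0.0.10:8080 check    # placeholder address

backend no_match
    # no servers defined, so HAProxy answers "503 Service Unavailable"

# Variant B (the "signal a handshake error" alternative): strict-sni makes
# HAProxy abort the handshake with an unrecognized_name alert when the
# client's SNI matches none of the loaded certificates, and when no SNI
# is sent at all. Nothing readable reaches a browser in that case.
# Note that a wildcard certificate loaded here still matches any name
# under example, so per-host certificates are what make this selective.
frontend https_strict
    bind :443 ssl crt /etc/haproxy/certs/ strict-sni            # placeholder dir
    use_backend app_example if { ssl_fc_sni -i app.example }
```

Variant A is friendlier to clients that lack SNI support, which is the trade-off mercora points to; Variant B discloses no certificate and no error page to a client that asked for a name you do not serve.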