by legutierr
4525 days ago
If you are using the same IP to host two domains, each with a separate certificate, then only one certificate can be default and associated with that IP when SNI is not enabled. NGINX is probably choosing one of your two domains to be "default" (if you haven't set it up that way explicitly). What happens when you hit the server without any domain (i.e. via IP address in the browser)? Is the site you see the one that got the A+? SNI is what allows you to use two different certificates (associated with two different domain names) with the same IP address. Your choices seem to be:

1. Rely on SNI, which doesn't work with IE on WinXP, or on 2.x Android;
2. Give your server two public IPs, with each pointing to a different domain; OR
3. Generate a single SAN certificate that references both domains (http://en.wikipedia.org/wiki/SubjectAltName). Not all certificate issuers can generate a SAN certificate.
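The two-certificates-on-one-IP situation the comment describes, shown as an added nginx configuration (not from the commenter or the thread). Host names, the IP and certificate paths are placeholders; the point is that the `default_server` block decides which certificate a client without SNI (or one connecting by raw IP) receives, while SNI-capable clients are matched on `server_name`. The second variant is option 3 from the comment: one SAN certificate serving both names from a single server block.

```nginx
# Added example: two domains, two certificates, one IP, selected by SNI.
# 203.0.113.10 and the example-*.test names are placeholders.

# Option 1: SNI. Whichever block is default_server answers non-SNI clients
# (IE on Windows XP, Android 2.x, anyone typing the IP into a browser),
# so that is the certificate SSL Labs sees when it tests without SNI.
server {
    listen 203.0.113.10:443 ssl default_server;
    server_name example-a.test;
    ssl_certificate     /etc/nginx/certs/example-a.test.crt;
    ssl_certificate_key /etc/nginx/certs/example-a.test.key;
}

server {
    listen 203.0.113.10:443 ssl;
    server_name example-b.test;
    ssl_certificate     /etc/nginx/certs/example-b.test.crt;
    ssl_certificate_key /etc/nginx/certs/example-b.test.key;
}

# Option 3: one SAN certificate that lists both names, so the same
# certificate is correct no matter which name (or no name) the client sends.
# Use this INSTEAD of the two blocks above, not alongside them.
server {
    listen 203.0.113.10:443 ssl default_server;
    server_name example-a.test example-b.test;
    ssl_certificate     /etc/nginx/certs/example-san.crt;   # SANs: example-a.test, example-b.test
    ssl_certificate_key /etc/nginx/certs/example-san.key;
}
```

To see which certificate a non-SNI client gets, run `openssl s_client -connect 203.0.113.10:443` without `-servername` and compare the subject with the output of `openssl s_client -connect 203.0.113.10:443 -servername example-b.test`; `nginx -V 2>&1 | grep -o 'TLS SNI support enabled'` confirms the build has SNI at all.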
I went through the delta between the reports with a fine-toothed comb and discovered that SNI wasn't the problem. It was a biggie: looks like HSTS wasn't enabled for visits to the static part of the site (like the homepage).
It seems like Nginx is doing something counter-intuitive. I've set HSTS at the server level using the 'add_header' directive.
I've set 'max-age=0, must-revalidate' at the location level using add_header for the static parts of my site. I expected Nginx to add both add_headers, but it only seems to do the "deepest" set of add_headers it finds.
Duplicating the 'add_header' directive at the location level (resulting in two add_header directives) results in HSTS being sent for the static parts also.
Now I get A+ on SSL Labs for both sites.
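The `add_header` behaviour the comment ran into, as an added example that is not the commenter's own configuration. nginx inherits `add_header` directives from the enclosing level only when the current level defines none of its own, so a single `add_header Cache-Control` inside a `location` silently drops the server-level HSTS header for every response that location serves. Host name and paths are placeholders.

```nginx
# Added example: HSTS lost (and then restored) in a location block.

# BEFORE: responses from /static/ carry Cache-Control but NO
# Strict-Transport-Security, because the location's own add_header
# replaces the inherited set instead of extending it.
server {
    listen 443 ssl;
    server_name example-a.test;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location /static/ {
        add_header Cache-Control "max-age=0, must-revalidate";
    }
}

# AFTER: every level that declares any add_header must restate HSTS.
# Keeping the security headers in one included file avoids hand-copying
# them (and forgetting one) in each block.
server {
    listen 443 ssl;
    server_name example-a.test;

    include /etc/nginx/snippets/security-headers.conf;

    location /static/ {
        include /etc/nginx/snippets/security-headers.conf;
        add_header Cache-Control "max-age=0, must-revalidate";
    }
}

# /etc/nginx/snippets/security-headers.conf (placeholder path):
# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
```

The `always` parameter (nginx 1.7.5 and later) makes the header go out on error responses too, so a 404 for a static asset does not become a response without HSTS. Verify after reloading with `curl -sI https://example-a.test/static/app.css | grep -i strict-transport-security`: if the line is missing, some block on the path to that response has its own `add_header` without the HSTS line.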