Why Nginx HTTPS Can Fail: Hidden SNI and SSL Config Pitfalls Explained

Background

The author starts with a foot‑massage shop analogy to illustrate the importance of operating with a proper license, just as a web service must have a valid SSL certificate.

Why use a 7‑layer proxy?

Deploying a 7‑layer proxy solves the problem of slow access for users of a specific carrier by placing the proxy in that carrier’s data center and interconnecting it with other carrier IDC via high‑speed fiber, effectively creating a LAN‑like latency.

Hidden pitfalls when deploying HTTPS on Nginx

In some Nginx versions the same IP + port cannot bind multiple certificates.

If SSL configurations differ between the main nginx.conf and individual vhost.conf files, intermittent SSL verification failures may occur.

Requirements for SNI support

OpenSSL version must be ≥ 0.9.8j.

Nginx version must be ≥ 0.5.32.

Compile Nginx with --with-http_ssl_module and --with-openssl=openssl-1.0.1j to enable the SSL module and load a suitable OpenSSL library.

What is SNI?

SNI (Server Name Indication) is a protocol that allows multiple certificates to be bound to the same IP + port, enabling HTTPS services for several domains on a single server.

Example of inconsistent SSL configuration

In the main nginx.conf the directive ssl_session_cache shared:SSL:50m is used, while a vhost file sets ssl_session_cache shared:SSL:30m . This difference does not trigger a syntax error but leads to intermittent SSL verification failures. All SSL‑related directives must be identical globally.

How Nginx processes SSL

Nginx decrypts the SSL packet before it knows which virtual host the request belongs to; only after the HTTP header is parsed can it route the request. If SSL settings are inconsistent, the request may be rejected.

Best practice after SSL termination

After the proxy machine finishes SSL verification, forward the request to the backend via plain HTTP (port 80) to avoid a second SSL handshake and improve efficiency.

Sample upstream and server configuration

upstream hulk {
    server x.x.x.1 weight=10;
    server x.x.x.2 weight=10;
}
server {
    listen 80;
    listen 443;
    server_name hulk.com;
    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_pass http://hulk; # use HTTP after SSL termination
    }
    ssl on;
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 300;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_certificate /usr/local/nginx/ssl/xxx.pm;
    ssl_certificate_key /usr/local/nginx/ssl/xxx.key;
}