
TLS SNI (TLS Server Name Indication) Configuration: F5, Nginx and IIS

程序员文章站 2022-07-12 22:31:46

TLS Server Name Indication (TLS SNI)

TLS Server Name Indication (TLS SNI) is used when a single virtual IP (one IP:port) needs to host multiple domains.

TLS SNI support means that one IP address can serve multiple SSL sites, i.e. several SSL certificates can be bound on the same IP. The client sends the requested host name in the server_name extension of the TLS ClientHello, and the server uses that value to pick the certificate (and the rest of the site's TLS configuration) before the handshake completes.

Browsers and clients that support TLS SNI

Browsers/clients with support for TLS server name indication:

  • Opera 8.0 and later (the TLS 1.1 protocol must be enabled)
  • Internet Explorer 7 or later (under Windows Vista and later only, not under Windows XP)
  • Firefox 2.0 or later
  • Curl 7.18.1 or later (when compiled against an SSL/TLS toolkit with SNI support)
  • Chrome 6.0 or later (on all platforms - releases up to 5.0 only on specific OS versions)
  • Safari 3.0 or later (under OS X 10.5.6 or later and under Windows Vista and later)

To find out if your browser supports SNI, you can go to https://alice.sni.velox.ch/.

F5 BIG-IP TLS SNI Support

  • Version support

All mainstream supported versions (v11.6 and later) support SNI; see the official documentation for v11.6, v12.1 and v13.1.

  • Configuration notes

See F5 article K13452.

Create a separate (Client or Server) SSL profile for each domain.

Server Name: enter the domain for each profile (optional), e.g. www.a.com; wildcards such as *.a.com are supported, and a bare * matches any name. The second profile gets its own name, e.g. www.b.com.

Default SSL Profile for SNI: tick this on exactly one of the profiles. That profile is the one used for clients that send no SNI at all, or a name that matches no profile.

Virtual Server: under SSL Profile (Client or Server), select all of the SSL profiles created above.

Note: on BIG-IP 13.x and earlier, the Ciphers and Client Authentication settings must be configured identically across the multiple SSL profiles (14.x and later has no such requirement).
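Added example (my own code, not from the page, F5 or nginx), illustrating both the description of SNI at the top of the page and the Server Name / Default SSL Profile rules above: it builds a bare TLS ClientHello carrying the server_name extension, parses the name back out of it, and then picks a profile the way a multi-certificate front end does: exact name first, then a one-label wildcard such as *.a.com, then a bare *, and finally the default profile, which also serves every client that sent no SNI. That precedence is an assumption for illustration (check the product documentation for the exact order), and the profile names are made up. Note that the ClientHello, and with it the SNI value, travels in the clear, so anything on the path can see which site a client asked for.

```python
import struct
from typing import Dict, Optional

# TLS constants used below (RFC 5246 record/handshake layout, RFC 6066 SNI)
CONTENT_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
SNI_HOST_NAME = 0x00


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Minimal TLS 1.2 ClientHello record. Only the SNI extension is real;
    the random, cipher list and session id are constructed placeholders."""
    client_random = b"\x11" * 32                 # constructed, not random
    session_id = b""
    cipher_suites = struct.pack("!H", 0xC02F)    # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    compression = b"\x00"                        # null compression only
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")       # SNI carries the ASCII (A-label) form
        entry = struct.pack("!BH", SNI_HOST_NAME, len(name)) + name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body = (b"\x03\x03" + client_random
            + struct.pack("!B", len(session_id)) + session_id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + struct.pack("!B", len(compression)) + compression)
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    # handshake header: type (1 byte) + 24-bit length
    handshake = struct.pack("!B", HANDSHAKE_CLIENT_HELLO) + struct.pack("!I", len(body))[1:] + body
    # record header: content type, legacy version 3.1, length
    return struct.pack("!BBBH", CONTENT_HANDSHAKE, 3, 1, len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the server_name extension, or None when the
    ClientHello carries no SNI (old client, or a connection made to a bare IP)."""
    if len(record) < 5 or record[0] != CONTENT_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    p = 4 + 2 + 32                                   # header, client_version, random
    p += 1 + hs[p]                                   # session_id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]     # cipher_suites
    p += 1 + hs[p]                                   # compression_methods
    if p >= len(hs):
        return None                                  # no extensions block at all
    ext_end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", hs[p:p + 4])
        data = hs[p + 4:p + 4 + ext_len]
        p += 4 + ext_len
        if ext_type != EXT_SERVER_NAME:
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        q = 2
        while q + 3 <= 2 + list_len:
            name_type, name_len = struct.unpack("!BH", data[q:q + 3])
            name = data[q + 3:q + 3 + name_len]
            q += 3 + name_len
            if name_type == SNI_HOST_NAME:
                return name.decode("ascii")
    return None


def select_profile(sni: Optional[str], profiles: Dict[str, str], default: str) -> str:
    """Pick the SSL profile for a ClientHello. `profiles` maps a Server Name
    value (exact host, '*.example.com', or bare '*') to a profile name.
    Precedence assumed here: exact, then one-label wildcard, then '*', then
    the default profile (which also serves every client that sent no SNI)."""
    if sni is None:
        return default
    host = sni.lower().rstrip(".")
    table = {k.lower(): v for k, v in profiles.items()}
    if host in table:
        return table[host]
    labels = host.split(".")
    wildcard = "*." + ".".join(labels[1:])
    if len(labels) > 1 and wildcard in table:
        return table[wildcard]
    return table.get("*", default)


if __name__ == "__main__":
    # constructed profile table mirroring the two-site setup described above
    profiles = {"www.a.com": "clientssl-a", "*.a.com": "clientssl-a-wild",
                "www.b.com": "clientssl-b"}
    for name in ("www.a.com", "API.a.com", "www.b.com", "www.c.com", None):
        hello = build_client_hello(name)
        print(name, "->", select_profile(extract_sni(hello), profiles, "clientssl-default"))
```

Running the block prints one line per constructed ClientHello; the None case shows that a client without SNI lands on the default profile, which is why the certificate on the Default SSL Profile for SNI should be the one you are happy to show to every legacy client.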

  • iRules

Also note that there is no automatic mechanism for BIG-IP to select the Server SSL profile (the profile used for the connection to the back-end server) from the "Server Name" value received in the client's SSL Client Hello.

With the help of an iRule, however, you can force the correct serverssl profile based on the Host header value received in the client's initial HTTP request. Because the Host header is chosen by the client, any value that matches no known site must fall through to a safe default profile:

when HTTP_REQUEST {
    # Host header without any ":port" suffix. The value is chosen by the
    # client, so anything unrecognised must fall through to the default.
    set hostname [getfield [HTTP::host] ":" 1]
}

when SERVER_CONNECTED {
    # Guard against a server-side connection opened before any HTTP request
    # was seen (the variable would not exist yet).
    if { ![info exists hostname] } { set hostname "" }
    # Patterns must be lower-case: the value is lower-cased before matching,
    # so a mixed-case pattern such as "siteA.com" could never match.
    switch -glob [string tolower $hostname] {
        "sitea.com" -
        "*.sitea.com" {
            SSL::profile serverssl-siteA
        }
        "siteb.com" -
        "*.siteb.com" {
            SSL::profile serverssl-siteB
        }
        default {
            # default serverssl profile when the Host header matches none of the sites above
            SSL::profile serverssl
        }
    }
}

Nginx TLS SNI Support

  • Version support

See the official documentation:

OpenSSL supports SNI since version 0.9.8f if it was built with the config option “--enable-tlsext”. Since OpenSSL 0.9.8j this option is enabled by default. If nginx was built with SNI support, then nginx shows this when run with the “-V” switch:

$ nginx -V
...
TLS SNI support enabled
...

Nginx has supported TLS SNI since the 0.x series. From the official compatibility notes:

  • The SNI support status has been shown by the “-V” switch since 0.8.21 and 0.7.62.
  • The ssl parameter of the listen directive has been supported since 0.7.14. Prior to 0.8.21 it could only be specified along with the default parameter.
  • SNI has been supported since 0.5.23.
  • The shared SSL session cache has been supported since 0.5.6.
  • Version 1.9.1 and later: the default SSL protocols are TLSv1, TLSv1.1, and TLSv1.2 (if supported by the OpenSSL library).
  • Version 0.7.65, 0.8.19 and later: the default SSL protocols are SSLv3, TLSv1, TLSv1.1, and TLSv1.2 (if supported by the OpenSSL library).
  • Version 0.7.64, 0.8.18 and earlier: the default SSL protocols are SSLv2, SSLv3, and TLSv1.
  • Version 1.0.5 and later: the default SSL ciphers are “HIGH:!aNULL:!MD5”.
  • Version 0.7.65, 0.8.20 and later: the default SSL ciphers are “HIGH:!ADH:!MD5”.
  • Version 0.8.19: the default SSL ciphers are “ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM”.
  • Version 0.7.64, 0.8.18 and earlier: the default SSL ciphers are “ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP”.
  • General configuration method

http {

    ......

    server {
        # First server block for this listen address: nginx also uses it (and
        # therefore the a.sysin.org certificate) for clients that send no SNI
        # or an unknown name, unless another block carries default_server.
        # From nginx 1.25.1 the "http2" listen parameter is deprecated in
        # favour of a separate "http2 on;" directive.
        listen       443 ssl http2;
        server_name  a.sysin.org;
        ssl_certificate     a.sysin.org.crt;
        ssl_certificate_key a.sysin.org.key;
        ssl_protocols       TLSv1.2 TLSv1.3;
        ssl_ciphers 'AES128+EECDH:AES128+EDH';
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";

        charset utf-8;
        #access_log  /var/log/nginx/host.access.log  main;

        location / {
            root   /usr/share/nginx/html;
            index  index.php index.html index.htm;
        }
    }

    server {
        # Selected only when the ClientHello's SNI matches b.sysin.org; the
        # certificate/key pair is chosen per server block, which is what makes
        # several certificates on one IP:port work.
        listen       443 ssl http2;
        server_name  b.sysin.org;
        ssl_certificate     b.sysin.org.crt;
        ssl_certificate_key b.sysin.org.key;
        ssl_protocols       TLSv1.2 TLSv1.3;
        ssl_ciphers 'AES128+EECDH:AES128+EDH';
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";

        charset utf-8;
        #access_log  /var/log/nginx/host.access.log  main;

        location / {
            root   /usr/share/nginx/html;
            index  index.php index.html index.htm;
        }
    }
}

IIS TLS SNI Support

See the official documentation.

  • Version support

Requires IIS 8.0 (Windows Server 2012) or later.

  • Configuration notes

When creating multiple HTTPS sites, fill in the following on each site's https binding:

Hostname: (must match the name on the site's SSL certificate)

Require Server Name Indication: must be ticked. If every binding on the IP:port requires SNI, a client that sends no SNI fails the TLS handshake; if such clients still have to be served, keep one binding on that IP:port without the flag so that its certificate acts as the fallback.
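Added example (my own code, not from the page or from F5, nginx or IIS): a client-side audit that applies to any of the three configurations above. It connects to the shared IP once per host name with SNI and once without, returns the certificate each handshake produced, and checks that its dNSName SANs cover the requested name. The IP, port and names are command-line arguments and the `sni_audit.py` file name is made up. The certificate chain must verify (pass `cafile` for a private CA) because Python's `ssl` module only exposes the parsed certificate for a verified peer; the host name check is deliberately left to the script so that a wrong certificate is reported rather than hidden behind an exception.

```python
import socket
import ssl
from typing import Dict, List, Optional


def fetch_cert(ip: str, port: int, server_name: Optional[str],
               cafile: Optional[str] = None, timeout: float = 5.0) -> dict:
    """Handshake with ip:port, sending SNI=server_name (None sends no SNI),
    and return the parsed leaf certificate. The chain must verify against
    cafile / the system store, but the name is deliberately not checked:
    we want to see which certificate came back, not fail on the wrong one."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED
    ctx.check_hostname = False                         # names are compared below
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            return tls.getpeercert()


def san_dns_names(cert: dict) -> List[str]:
    """dNSName entries from subjectAltName, in the shape getpeercert() returns."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style: '*' is accepted only as the entire leftmost label and
    matches exactly one label, so '*.sysin.org' covers a.sysin.org but not
    sysin.org or x.y.sysin.org."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        first, _, rest = hostname.partition(".")
        return bool(first) and rest == pattern[2:]
    return pattern == hostname


def cert_covers_name(cert: dict, hostname: str) -> bool:
    return any(name_matches(n, hostname) for n in san_dns_names(cert))


def audit_sni(ip: str, port: int, names: List[str],
              cafile: Optional[str] = None) -> Dict[Optional[str], str]:
    """For each name, connect with SNI and check the returned certificate
    covers it; then connect once without SNI to see what a legacy client gets.
    ssl.SSLError is a subclass of OSError, so one except clause covers both."""
    report: Dict[Optional[str], str] = {}
    for name in names:
        try:
            cert = fetch_cert(ip, port, name, cafile)
            report[name] = ("ok" if cert_covers_name(cert, name)
                            else "wrong cert: " + ", ".join(san_dns_names(cert)))
        except OSError as exc:
            report[name] = "handshake failed: %s" % exc
    try:
        default_cert = fetch_cert(ip, port, None, cafile)
        report[None] = "no-SNI client gets: " + ", ".join(san_dns_names(default_cert))
    except OSError as exc:
        report[None] = "no-SNI client rejected: %s" % exc
    return report


if __name__ == "__main__":
    import sys
    # usage: python sni_audit.py IP PORT NAME [NAME ...]  (nothing is hard-coded)
    if len(sys.argv) < 4:
        sys.exit("usage: sni_audit.py IP PORT NAME [NAME ...]")
    for key, status in audit_sni(sys.argv[1], int(sys.argv[2]), sys.argv[3:]).items():
        print(key or "(no SNI)", "->", status)
```

Read the last line of the report carefully: a no-SNI result naming another site's certificate means the fallback (F5's Default SSL Profile for SNI, nginx's first or default_server block, the IIS binding without Require Server Name Indication) is not the one you intended, and a rejected no-SNI handshake is what IIS produces when every binding on the IP:port requires SNI.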
