On Sun, August 16, 2020 1:23 pm, hisacro wrote:
> Aug 16, 2020, 11:44 AM by tro...@kagu-tsuchi.com:
>
>> Because it's not the same IP and port anymore. You can only have one
>> thing listening on an ip+port
>
> I got a working httpd config with same IP and same port
>
> server "domain.tld" {
>         listen on $ext_ip tls port 443
>         tls {
>                 certificate "/etc/ssl/domain.tld.fullchain.pem"
>                 key "/etc/ssl/private/domain.tld.key"
>                 ciphers "HIGH:!AES128:!kRSA:!aNULL"
>                 ecdhe "P-384,P-256,X25519"
>         }
> }
> server "sub.domain.tld" {
>         listen on 0.0.0.0 port 8000 # confusion?
>         listen on $ext_ip tls port 443
>         tls {
>                 certificate "/etc/ssl/domain.tld.fullchain.pem"
>                 key "/etc/ssl/private/domain.tld.key"
>         }
> }
>
> This indeed listens on the same address ($ext_ip) and same port (443)
> and works as intended with different cipher and ecdhe.
> Note: only when I add listen on 0.0.0.0 port 8000
>
>> Httpd allows you to configure multiple
>> "servers" for subdomains but in reality there is one actual server
>> listening and it has to know what parameters to use
>
> Sorry, I don't understand your reasoning because
> shouldn't httpd work the same way with or without extra listen on 0.0.0.0
>
Oh, I see what you're doing. BOTH listen lines are active in the second server block. When you connect to port 443 with that config, which TLS settings does it use? I want to guess that because you're listening on port 8000 without tls first, the listen with tls is skipped along with the tls block below it.
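The question the thread leaves open (which tls block a shared 443 listener actually uses for each name) can be settled by observation rather than by reading httpd's internals. The script below is an added example, not code from either poster or from OpenBSD httpd: it connects with openssl(1) once per SNI name and compares the negotiated protocol, cipher and key-exchange group. The host, port and names are placeholders, and the embedded s_client output is a constructed sample so the parser runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread: check from the outside which TLS
# parameters a server actually negotiates for each SNI name, instead of
# reasoning about which "tls { }" block httpd picks for a shared listener.
# Assumes openssl(1) is installed; host, port and names below are placeholders.

# Read `openssl s_client` output on stdin and print one line:
#   "<protocol> <cipher> <key-exchange group>"
parse_sclient() {
    awk '
        /^ *Protocol *:/    { proto = $NF }
        /^ *Cipher *:/      { cipher = $NF }
        /^Server Temp Key:/ {
            sub(/^Server Temp Key: */, "")   # e.g. "ECDH, P-384, 384 bits"
            sub(/, [0-9]+ bits$/, "")        # drop the bit length
            group = $0
        }
        END { printf "%s %s %s\n", proto, cipher, group }
    '
}

# Connect to $1 (host:port) presenting SNI name $2; report what was negotiated.
tls_probe() {
    openssl s_client -connect "$1" -servername "$2" </dev/null 2>/dev/null \
        | parse_sclient
}

# Probe two names on the same host:port and return 0 only if both got the
# same protocol, cipher and group (i.e. the per-server tls settings did
# not take effect for one of them).
same_tls_params() {
    a=$(tls_probe "$1" "$2")
    b=$(tls_probe "$1" "$3")
    printf '%s -> %s\n%s -> %s\n' "$2" "$a" "$3" "$b"
    [ "$a" = "$b" ]
}

# Constructed sample of s_client output so the parser can be exercised
# offline; a live run against the config in the thread would be:
#   same_tls_params 203.0.113.10:443 domain.tld sub.domain.tld
sample='New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server Temp Key: ECDH, P-384, 384 bits
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'
printf '%s\n' "$sample" | parse_sclient
```

`httpd -n` only validates the configuration file's syntax; it does not report which tls block a shared listener ends up using, which is why a probe from the client side is the quicker way to confirm whether the `ciphers` and `ecdhe` lines of one server block are really in effect for that name.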