Require SNI for tls-v1 and tls-v1-1 subdomains for now. Addresses #176.

lgarron · lgarron · commit b5d01fedda69 · 2016-07-01T17:13:20.000-07:00
In particular, this helps avoid unexpected behaviour in modern browsers.
diff --git a/domains/protocol/ssl-v2.conf b/domains/protocol/ssl-v2.conf
@@ -19,7 +19,7 @@ server {
 
 server {
   listen 1002;
-  server_name expired.{{ site.domain }};
+  server_name ssl-v2.{{ site.domain }};
 
   include {{ site.serving-path }}/nginx-includes/wildcard.normal.conf;
   include {{ site.serving-path }}/nginx-includes/ssl-v2.conf;
diff --git a/domains/protocol/ssl-v3.conf b/domains/protocol/ssl-v3.conf
@@ -19,7 +19,7 @@ server {
 
 server {
   listen 1003;
-  server_name expired.{{ site.domain }};
+  server_name ssl-v3.{{ site.domain }};
 
   include {{ site.serving-path }}/nginx-includes/wildcard.normal.conf;
   include {{ site.serving-path }}/nginx-includes/ssl-v3.conf;
diff --git a/domains/protocol/tls-v1-1.conf b/domains/protocol/tls-v1-1.conf
@@ -19,7 +19,7 @@ server {
 
 server {
   listen 1011;
-  server_name expired.{{ site.domain }};
+  server_name tls-v1-1.{{ site.domain }};
 
   include {{ site.serving-path }}/nginx-includes/wildcard.normal.conf;
   include {{ site.serving-path }}/nginx-includes/tls-v1-1.conf;
diff --git a/domains/protocol/tls-v1.conf b/domains/protocol/tls-v1.conf
@@ -19,7 +19,7 @@ server {
 
 server {
   listen 1010;
-  server_name expired.{{ site.domain }};
+  server_name tls-v1.{{ site.domain }};
 
   include {{ site.serving-path }}/nginx-includes/wildcard.normal.conf;
   include {{ site.serving-path }}/nginx-includes/tls-v1.conf;
diff --git a/fallback.conf b/fallback.conf
@@ -10,6 +10,8 @@ server {
 
 server {
   listen 443;
+  listen 1010; # TLS 1.0, which supports SNI
+  listen 1011; # TLS 1.1, which supports SNI
   server_name *.{{ site.domain }};
 
   include {{ site.serving-path }}/nginx-includes/wildcard.fallback.conf;
