How to Host Multiple HTTPS Sites on One Server Using Nginx SNI
This guide explains why separate ports are normally required for multiple SSL sites, how Nginx’s SNI support lets you share a single IP and port, and provides step‑by‑step compilation and configuration examples for www, live, and vod domains.
Introduction
When you run several HTTPS websites on the same server, each site traditionally needs a distinct port because the SSL/TLS handshake occurs before the HTTP Host header is available, so the server cannot determine which certificate to present.
Solution: SNI Support in Nginx
Nginx can use the TLS Server Name Indication (SNI) extension to serve different certificates for different hostnames on the same IP and port. SNI requires both client and server support; the server relies on the OpenSSL library compiled with SNI support (the SSL_CTRL_SET_TLSEXT_HOSTNAME macro).
Note: By default Nginx builds with TLS SNI support disabled. Re‑compile Nginx adding the configure option --with-openssl-opt="enable-tlsext".
Compilation Example
./configure --prefix=/usr/local/openresty \
--with-luajit \
--with-http_ssl_module \
--with-openssl=/usr/local/openssl \
--with-openssl-opt="enable-tlsext" \
--without-http_redis2_module \
--with-http_iconv_module \
--with-http_stub_status_module \
--with-http_xslt_module \
--add-dynamic-module=/home/www/DEMO/nginx-ts-module \
--add-dynamic-module=/home/www/DEMO/nginx-rtmp-module \
...
make
sudo make install
Configuration
Domain list:
1. Official site: www.tinywan.com – https://www.tinywan.com
2. Live streaming: live.tinywan.com – https://live.tinywan.com
3. Video on demand: vod.tinywan.com – https://vod.tinywan.com
main.conf – redirect HTTP to HTTPS:
# Redirect HTTP requests
server {
    listen 80;
    server_name www.tinywan.com;
    rewrite ^ https://$http_host$request_uri? permanent;
}
www.conf – configuration for the official site:
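# www.tinywan.com
server {
    # The "ssl" parameter on listen enables TLS for this server block;
    # the separate "ssl on;" directive is deprecated and has been dropped here.
    listen 443 ssl;
    server_name www.tinywan.com;
    root /home/www/web/www.tinywan.com;
    ssl_certificate /etc/letsencrypt/live/www.tinywan.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.tinywan.com/privkey.pem;
    # Hide the Nginx version in responses and error pages
    server_tokens off;
}
live.conf – configuration for the live streaming site (uses the same certificate):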
# live.tinywan.com
server {
    # "listen ... ssl" enables TLS; the deprecated "ssl on;" directive has been dropped.
    listen 443 ssl;
    server_name live.tinywan.com;
    root /home/www/web/live.tinywan.com;
    # Same certificate and key files as www.tinywan.com
    ssl_certificate /etc/letsencrypt/live/www.tinywan.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.tinywan.com/privkey.pem;
    server_tokens off;
}
vod.conf – configuration for the VOD site (also shares the same certificate):
# vod.tinywan.com
server {
    # "listen ... ssl" enables TLS; the deprecated "ssl on;" directive has been dropped.
    listen 443 ssl;
    server_name vod.tinywan.com;
    root /home/www/web/vod.tinywan.com;
    # Same certificate and key files as www.tinywan.com
    ssl_certificate /etc/letsencrypt/live/www.tinywan.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.tinywan.com/privkey.pem;
    server_tokens off;
}
As long as the OpenSSL library on the server supports SNI and Nginx is compiled against it, the above configurations allow all three domains to serve HTTPS traffic on the standard 443 port without port conflicts.
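All three server blocks load the certificate files issued for www.tinywan.com, so every hostname must be covered by that certificate's subjectAltName or clients will reject the live and vod sites. The Python check below is an added example, not code from the original article; the certificate dictionaries are constructed samples, and the helper names (name_matches, uncovered_hosts, fetch_cert) are hypothetical.

```python
import socket
import ssl

# The three hostnames configured on this page.
SITES = ["www.tinywan.com", "live.tinywan.com", "vod.tinywan.com"]

# Constructed samples shaped like SSLSocket.getpeercert() output (not real certificates).
CERT_SINGLE = {"subjectAltName": (("DNS", "www.tinywan.com"),)}
CERT_MULTI = {"subjectAltName": tuple(("DNS", h) for h in SITES)}
CERT_WILD = {"subjectAltName": (("DNS", "*.tinywan.com"),)}


def name_matches(pattern, host):
    """RFC 6125 style match: '*' counts only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse overly broad patterns such as "*.com".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def uncovered_hosts(cert, hosts):
    """Return the hosts that no DNS subjectAltName entry in cert covers."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return [h for h in hosts if not any(name_matches(n, h) for n in names)]


def fetch_cert(addr, sni, port=443, timeout=5.0):
    """Handshake with `sni` in the ClientHello; return the verified leaf cert as a dict."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # chain is still verified; names are compared above
    with socket.create_connection((addr, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for label, cert in (("single", CERT_SINGLE), ("multi", CERT_MULTI), ("wildcard", CERT_WILD)):
        print(label, "missing:", uncovered_hosts(cert, SITES))
```

Against a running server, pass the dictionary returned by fetch_cert(server_ip, host) for each host instead of the samples. On the server itself, nginx -V prints "TLS SNI support enabled" when the binary was built with SNI.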
Open Source Tech Hub
