I'm using nginx as an SSL-terminating TCP endpoint for multiple domains (let's say 100).
There's no need to treat incoming connections differently (they all get proxied to the same backend), however for each (supported) domain nginx should present the client with a valid certificate (valid especially implies here issued and signed for the domain the client attempts to connect to (if the domain is part of the 100 supported ones)).
What I tried first was having one server{}-section and specifying an ssl_certificate which is issued to all supported domains via the x509 "alternative subject name" extension. So, no SNI involved.
This however has the following drawbacks: a) the number of alternative subjects is limited b) one is leaking the list of all supported domains
So I guess I have to go with SNI and figured I might just concatenate all certificates (one per domain) into one file which is then referenced via ssl_certificate (the same with the respective private keys, obviously) and nginx -- via some SNI magic -- might pick the correct cert based on what the client sends as servername. It does not, though; it picks the first one in the file.
Specifying ssl_certificate/ssl_certificate_key multiple times appears to be supported, however only for different algorithms/types of certificates (RSA, EC, etc.).
Last option I currently see: having a server{} section for each supported domain with the respective domain-specific ssl_certificate/ssl_certificate_key options set within.
For 100 supported domains this would mean 100 server{}-sections, each looking the same except having a different certificate set for ssl_certificate.
Is there any better way for "just" terminating TCP-SSL connections and then passing them to the ever same next hop, where the only difference is the TLS certificate and its coupled private key?
EDIT: Somehow I missed that one can use variables within the values assigned to ssl_certificate/ssl_certificate_key, like:
ssl_certificate $ssl_server_name.crt;
ssl_certificate_key $ssl_server_name.key;
However that again has some drawbacks: a) every connection attempt causes a filesystem lookup and, if successful, loading the certificate b) the (UNIX-)user nginx runs under (e.g. www-data) needs read permissions on the certificate and key files, as they're now loaded and read on-demand, while when statically defined, nginx loads them before dropping privileges.
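An added example (not from the question above) of the variable-based approach combined with a map that only resolves the supported names, so the client-controlled SNI value is never used to build an arbitrary file path and unsupported names get a placeholder certificate instead of revealing which domains exist; the domain names, the /etc/nginx/certs path, the placeholder cert and the backend address are assumptions:

```nginx
# Added example, not the original poster's configuration.
# Requires nginx 1.15.9+ built against OpenSSL 1.0.2+ for variables in
# ssl_certificate/ssl_certificate_key. All paths and names are assumed.
stream {
    # $ssl_server_name is the SNI value sent by the client. The map turns it
    # into a certificate basename; anything not listed falls back to a
    # self-signed placeholder (assumed to exist), so an unknown or hostile
    # SNI string never reaches the filesystem as part of a path.
    map $ssl_server_name $cert_name {
        default        _placeholder;
        example.com    example.com;
        example.net    example.net;
        example.org    example.org;
        # ... one "domain  domain;" line per supported domain
    }

    server {
        listen 443 ssl;

        # Loaded per handshake by the worker process, so the user nginx runs
        # under (e.g. www-data) needs read access to these files.
        ssl_certificate     /etc/nginx/certs/$cert_name.crt;
        ssl_certificate_key /etc/nginx/certs/$cert_name.key;

        ssl_protocols TLSv1.2 TLSv1.3;

        # Every terminated connection goes to the same next hop (assumed).
        proxy_pass 127.0.0.1:8080;
    }
}
```

Clients that send no SNI or an unsupported name complete the handshake against the placeholder certificate and fail validation on their side, which keeps the supported list out of the certificate and avoids an error for every probe in the nginx log.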