Best practice to handle default_server and public ip in nginx
Solution 1
You can have this as your default server block:
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;
    # ... SSL keys for default server ...
    return 403;
}
This will cause any HTTP connection whose Host: header does not match any other virtual host on the server to return a 403 Forbidden error message to the client.
If you use valid SSL keys here for the hostname that does not match any existing hostname, the client will get 403 error page directly. If you use self-signed certificate here, then the user will get an untrusted certificate error message.
Solution 2
Found a usable solution finally. Quora does something like this to redirect the default to a 404.
Source: Properly setting up a "default" nginx server for https
Set the default config to this:
server {
    server_name _;
    listen 80 default_server;
    return 404;
}
server {
    # default_server is needed here too; otherwise nginx uses whichever
    # port 443 server block appears first in the configuration
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    return 404;
}
Then make the directory for SSL if it doesn't exist
sudo mkdir -p /etc/nginx/ssl
Then create a self-signed SSL certificate for the same
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt
Check for errors and reload nginx to get the 404
nginx -t
sudo systemctl reload nginx
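Both answers leave two gaps a defender usually wants closed: the IPv6 listeners from the stock Debian default file are dropped, and the HTTPS catch-all still presents a certificate (self-signed or, when default_server is missing on port 443, the production site's) to clients that connect by bare IP. The following is an added example, not code from either answer; it assumes nginx 1.19.4 or later for ssl_reject_handshake, and the 404 status is a placeholder you can swap for 403.

```nginx
# Added example: one catch-all default server per address family and port.
# Requires nginx >= 1.19.4 for ssl_reject_handshake (assumption).

# Plain HTTP: any request whose Host header matches no other server_name.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 404;   # placeholder: 403 works equally well here
}

# HTTPS: connections with an unknown or missing SNI name (e.g. https://x.x.x.x)
# are refused during the TLS handshake, so no certificate is presented at all.
# That removes the untrusted-certificate warning of a self-signed fallback and
# prevents the real site's certificate from being served for the bare IP.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;
}

# The production site keeps its own non-default server blocks
# (example.com / www.example.com with the CA-issued certificate) unchanged.
```

With this in place, `openssl s_client -connect x.x.x.x:443` without `-servername` fails with a TLS alert instead of showing a certificate, while `openssl s_client -connect x.x.x.x:443 -servername example.com` still returns the CA-issued certificate.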
Ajay Singh
Updated on September 18, 2022
Comments
-
Ajay Singh almost 2 years
I have recently created an nginx server on Debian 8. It came up with a default config in /etc/nginx/sites-available/default which redirects to an nginx welcome page.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /var/www/html;
    index index.php index.html index.htm index.nginx-debian.html;
    server_name your_server_ip;
    location / {
        try_files $uri $uri/ =404;
    }
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
    }
    location ~ /\.ht {
        deny all;
    }
}
I had added a new production page, say 'example.com' with ssl on it.
In the config for ../example.com, it is not set as the default server.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    return 301 https://$server_name$request_uri;
}
server {
    # SSL configuration
    listen 443 ssl;
    listen [::]:443 ssl;
    include snippets/ssl-example.com.conf;
    include snippets/ssl-params.conf;
    ....
Now when I SSL security tested it on https://www.ssllabs.com/ssltest/analyze.html?d=example.com, it got an A+. But it had commented 'Inconsistent server configuration'.
And when I load the IP address, say x.x.x.x, in a browser as https:// x.x.x.x it loads the same page as https://example.com but without SSL (green address bar) on it. If I load http:// x.x.x.x it loads the default nginx welcome page.
I tried to set the default config (for the IP) to give a forbidden message; I added the following code
location / { deny all; }
Now when I SSL security test example.com, it says "No secure protocols supported" and no test results appear.
So my questions are,
What should be done with the default config that comes with nginx which loads for the ip address?
which server_name (config file) should be set as the default_server on 'listen' command?
what should be done with the ip which is currently forwarding https requests to the example domain?
Intended results:-
https:// example.com only should be used to connect to the server and loading ip address can show 'page not found' or 'forbidden', since the example.com will be used for php scripts on it.
SSL tests should give at least an A rating after the set configuration.
The IP address should not accept any connections directly and process them.
-
Ajay Singh about 7 years
Thank you for the answer. I don't understand the second part, regarding SSL keys. I have SSL certificates for example.com (non self-signed). But no certificates have been set up for the IP and else. So should I use the keys for example.com or create (non self-signed) keys for the IP?
-
Tero Kilkanen about 7 years
Yes, that is what you need, just like in the answer you provided.
-
Ajay Singh about 7 years
The answer didn't work as expected. ssllabs.com gave a "T" rating for misconfiguration (previously A+) and when loading the production site, it's somehow checking the IP's self-signed certificate against the site's CA-signed certificate and throwing a mismatch error. Still unsolved hence.
-
Tero Kilkanen about 7 years
Please edit your complete nginx configuration into your question.