nginx responding to unknown host names?
Solution 1
For http:
server {
    listen 80 default_server;
    server_name _;
    return 404;
}
For https, you actually need to point nginx at ssl cert/key. According to documentation, nginx only looks at 'Host' header and does not look at TLS SNI when matching server_name. This means that nginx must be able to accept/decrypt ssl connection before it can inspect the Host header.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate <path to cert>;
    ssl_certificate_key <path to key>;
    return 404;
}
The cert/key can be any cert/key e.g. self-signed.
If cert/key are not specified, nginx still tries to use such default_server and fails as it can't accept ssl connection.
Solution 2
The catch-all server block also needs a server_name that you need to set to an invalid value like _. This way, the server block will not match any other hostname and will just be used as last resort. The config will look like this:
server {
    listen 80;
    listen 443 ssl;
    server_name _;
    return 404;
}
Solution 3
The first server {} in your config is like a catch-all so that is why it is being shown. Add something like this before the listen 80 server {}
server {
    return 404;
}
server {
    listen 80;
    server_name web;
    # ...
}
server {
    listen 443;
    server_name web;
    # ...
}
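The three answers differ in which server block ends up as the default for each port. The following is an added example, not code from any of the answers or from nginx: a small audit that reads server blocks and reports, per port, what a request for an unknown host name receives. The function names are hypothetical, ports are compared without their listen addresses, quoted strings in the config are not handled, and any 4xx return counts as a rejection.

```python
import re

def parse_servers(conf):
    """Return each server block as a list of (directive, args) pairs."""
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", conf))
    servers, words, stack = [], [], []
    for tok in tokens:
        if tok == "{":
            if words == ["server"]:
                servers.append([])
            stack.append(words[0] if words else "")
        elif tok == "}":
            stack.pop()
        elif tok == ";":
            if stack[-1:] == ["server"] and words:  # skip nested blocks such as location
                servers[-1].append((words[0], words[1:]))
        else:
            words.append(tok)
            continue
        words = []  # a "{", "}" or ";" ends the current directive
    return servers

def default_servers(servers):
    """Map port -> (index, explicit, ssl) of the block that receives unmatched names."""
    chosen = {}
    for i, block in enumerate(servers):
        # No listen means port 80; the first block wins unless one has default_server.
        for args in [a for d, a in block if d == "listen"] or [["80"]]:
            port = args[0].rsplit(":", 1)[-1]
            if port not in chosen or ("default_server" in args and not chosen[port][1]):
                chosen[port] = (i, "default_server" in args, "ssl" in args)
    return chosen

def audit(conf):
    """Return {port: finding}: what a request for an unknown host name gets."""
    servers, findings = parse_servers(conf), {}
    for port, (i, _, ssl) in default_servers(servers).items():
        block = dict(servers[i])
        has_cert = {"ssl_certificate", "ssl_certificate_key"} <= set(block)
        if not (block.get("return") or [""])[0].startswith("4"):
            findings[port] = "serves " + " ".join(block.get("server_name", ['""']))
        else:
            findings[port] = "catch-all lacks cert/key" if ssl and not has_cert else "ok"
    return findings

# Constructed samples; certificate paths are placeholders.
SITE = ("server { listen 80; server_name web; location / { root /srv/web; } }\n"
        "server { listen 443 ssl; server_name web; ssl_certificate w.crt; ssl_certificate_key w.key; }\n")
CATCHALL = "server { listen 80 default_server; listen 443 ssl default_server; server_name _; return 404; }\n"
```

Calling audit(SITE) shows both ports serving web, while audit(SITE + CATCHALL) flags port 443 until the catch-all block is given a certificate and key.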
Naftuli Kay
Updated on September 18, 2022
Comments
-
Naftuli Kay over 1 year
I have two domains that point to the same server, one we'll call home and one we'll call web.
I'm running nginx on port 80 for HTTP and 443 for HTTPS. In my server definitions, I've defined two servers:
server {
    listen 80;
    server_name web;
    # ...
}
server {
    listen 443;
    server_name web;
    # ...
}
In practice, it works just fine. However, when I try accessing home, which points to the same IP address as web, I get served web rather than getting a 404 or the like.
How can I configure nginx to 404 requests that don't match a server name? Do I need to define a default server which just bounces things down to 404s?
-
Naftuli Kay over 10 years
Great, but it appears that HTTPS requests still get forwarded to the wrong place. I have SNI compiled into nginx, is there a way to do the same thing for unmatched HTTPS requests?
-
Mike over 10 years
Add another for the listen 443 then.
-
Naftuli Kay over 10 years
Unfortunately, on the embedded system that I'm using, this doesn't work and I don't have a way of getting the logs. Upvoting, but unable to verify that this works.
-
KingSkeleton about 7 years
See my reply - need to specify cert/key because nginx looks at Host header (rather than SNI) for server matching. If cert/key are not specified, nginx still tries to use such default_server and fails as it can't accept ssl connection.