nginx responding to unknown host names?


Solution 1

For http:

server {
    # catch-all for Host names that no other server block matches
    listen 80 default_server;
    server_name _;
    return 404;
}

For https, you actually need to point nginx at the ssl cert/key. According to the documentation, nginx only looks at the 'Host' header and does not look at TLS SNI when matching server_name. This means that nginx must be able to accept/decrypt the ssl connection before it can inspect the Host header.

server {
    listen 443 ssl default_server;
    server_name _;
    # any cert/key (e.g. self-signed) so nginx can complete the TLS handshake
    ssl_certificate <path to cert>;
    ssl_certificate_key <path to key>;
    return 404;
}

The cert/key can be any cert/key, e.g. self-signed.

If the cert/key are not specified, nginx still tries to use that default_server and fails, as it can't accept the ssl connection.
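To make the selection rule behind these answers concrete, here is an added Python model (not from the page, nor nginx's own code) of how nginx picks a server block for a request's Host header on a given port: exact name, then longest wildcard, then the default_server, else the first block listening on that port. The configs are constructed from the question and from Solution 1; regex server_names are left out.

```python
import re

# Constructed configs (not from the page): the question's two "web" servers,
# and the Solution 1 default_server blocks that can be appended to them.
QUESTION_CONF = """
server { listen 80; server_name web; }
server { listen 443 ssl; server_name web; }
"""
CATCHALL_CONF = """
server { listen 80 default_server; server_name _; return 404; }
server { listen 443 ssl default_server; server_name _; return 404; }
"""

def parse(conf):
    """Collect listen/server_name/default_server/return from flat server {} blocks."""
    servers = []
    for body in re.findall(r"server\s*\{([^{}]*)\}", re.sub(r"#[^\n]*", "", conf)):
        srv = {"listen": [], "names": [], "default": False, "return": None}
        for directive in filter(None, (d.strip() for d in body.split(";"))):
            word, *args = directive.split()
            if word == "listen":
                srv["listen"].append(int(args[0].rsplit(":", 1)[-1]))
                srv["default"] |= "default_server" in args
            elif word == "server_name":
                srv["names"] += [n.lower() for n in args]
            elif word == "return":
                srv["return"] = int(args[0])
        servers.append(srv)
    return servers

def select_server(servers, port, host):
    """Block nginx routes a Host header to on this port (regex names not modelled)."""
    cands = [s for s in servers if port in s["listen"]]
    host = host.lower().split(":")[0]
    for s in cands:                                   # 1. exact name
        if host in s["names"]:
            return s
    for lead in (True, False):                        # 2./3. longest leading, then trailing, wildcard
        best = None
        for s in cands:
            for n in s["names"]:
                hit = (n.startswith("*.") and host.endswith(n[1:])) if lead else \
                      (n.endswith(".*") and host.startswith(n[:-1]))
                if hit and (best is None or len(n) > len(best[0])):
                    best = (n, s)
        if best:
            return best[1]
    # 4. nothing matched: the default_server on this port, else the first block
    # listening on it (this is why "home" was served "web" in the question)
    return next((s for s in cands if s["default"]), cands[0] if cands else None)
```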

Solution 2

The catch-all server block also needs a server_name, which you need to set to an invalid value like _. This way, the server block will not match any other hostname and will just be used as a last resort. The config will look like this:

server {
    listen 80;
    listen 443 ssl;

    server_name _;

    return 404;
}

Solution 3

The first server {} in your config acts as a catch-all, so that is why it is being shown. Add something like this before the listen 80 server {}:

server {
    # no listen directive: nginx defaults to port 80 (8000 when not run as root);
    # being first on that port, this block becomes the catch-all
    return 404;
}

server {
    listen 80;
    server_name web;
    # ...
}

server {
    listen 443;
    server_name web;
    # ...
}

Author: Naftuli Kay

Updated on September 18, 2022

Comments

  • Naftuli Kay
    Naftuli Kay over 1 year

    I have two domains that point to the same server, one we'll call home and one we'll call web.

    I'm running nginx on port 80 for HTTP and 443 for HTTPS. In my server definitions, I've defined two servers:

    server {
        listen 80;
        server_name web;
        # ...
    }
    
    server {
        listen 443;
        server_name web;
        # ...
    }
    

    In practice, it works just fine. However, when I try accessing home, which points to the same IP address as web, I get served web rather than getting a 404 or the like.

    How can I configure nginx to 404 requests that don't match a server name? Do I need to define a default server which just bounces things down to 404s?

  • Naftuli Kay
    Naftuli Kay over 10 years
    Great, but it appears that HTTPS requests still get forwarded to the wrong place. I have SNI compiled into nginx; is there a way to do the same thing for unmatched HTTPS requests?
  • Mike
    Mike over 10 years
    Add another for the listen 443 then.
  • Naftuli Kay
    Naftuli Kay over 10 years
    Unfortunately, on the embedded system that I'm using, this doesn't work and I don't have a way of getting the logs. Upvoting, but unable to verify that this works.
  • KingSkeleton
    KingSkeleton about 7 years
    See my reply: you need to specify the cert/key because nginx looks at the Host header (rather than SNI) for server matching. If the cert/key are not specified, nginx still tries to use that default_server and fails, as it can't accept the ssl connection.