I'm having a problem with my nginx server configuration. The current behavior is that if a domain can't be found in any of the configuration files, it will redirect to a random other configuration. Instead, I would like to simply display a 404 error or something similar.

I've looked into using "default_server", and looked at other solutions - but then I noticed this:

If I use "default_server" in /etc/nginx/sites-enabled/, and test it with `nginx -t`, it'll warn me about a duplicate: `nginx: [emerg] a duplicate default server for 0.0.0.0:80 in /etc/nginx/sites-enabled/catchall:5`. I searched for the duplicate using `grep -R default_server /etc/nginx`, and there is only one file that has default_server in it: /etc/nginx/nginx.conf.

Now, my confusion starts when I look at that file: It clearly already does what I wanted to do, in this block:

```nginx
...

server {
  listen 80 default_server;
  listen [::]:80 default_server;

  server_name _;

  server_name_in_redirect off;
  log_not_found off;

  return 410;
}

include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;

...
```

My question is: Why does this not work already? Why does a wrong domain that isn't listed in any of the config files not default to a 410 error? Does the nginx.conf even do something? What am I missing here?

I feel uncomfortable changing nginx.conf without first asking what the best approach here is. All I want to achieve is for NGINX to not randomly jump to other domains if it can't find a specific domain.

How can I make a 404 catchall and where can I place it?

Katai
  • And why not define your catchall virtualhost in sites-enabled only? So you will not have any duplicates (one in nginx.conf and one in catchall) – Dom Apr 28 '21 at 09:12
  • @Dom that's what I want to do, yes - but I don't understand why the one in nginx.conf doesn't work already. It basically does exactly what I wanted - and nginx complains about duplicate default_servers... so why doesn't it trigger? I'm mainly asking here, because I don't want to break something by touching this - and I'm confused about why it doesn't work already. – Katai Apr 28 '21 at 09:17
  • If Nginx uses a `server` block other than the `default_server` block in `nginx.conf`, either the `listen` port is different or more specific or the `server_name` is matching. You can view the entire configuration across all included files using `nginx -T` (uppercase `T`). – Richard Smith Apr 28 '21 at 09:18
  • @RichardSmith Thank you, I wasn't aware of -T. I think I might suspect what's going on... it could be related to SSL redirects and certbot. I'm looking into it right now. There is no instruction that matches the domain though, as far as I can tell. It should land on default_server. I'll edit the question if I figure out more. (To clarify: the first config it picks is the one where certbot added SSL stuff) – Katai Apr 28 '21 at 09:25
  • Clearly the `default_server` block in your question is only for `http` requests. You will need to define a `server` block with `listen 443 ssl default_server;` to catch all `https` requests. – Richard Smith Apr 28 '21 at 09:34
  • @RichardSmith Yes, that was it. As described in here: https://jonnev.se/nginx-default-server-with-https/ in the case of SSL, you can't have a real default_server, and it just picks the best match. That's what was happening, implementing that solution worked for me. Thank you for your help. Should I post an answer, you post one, or delete the question? – Katai Apr 28 '21 at 09:36
  • If you have a solution that may be helpful to other users, you can [answer your own question](https://serverfault.com/help/self-answer). – Richard Smith Apr 28 '21 at 09:45

1 Answer

Thanks to the help of Richard and Dom, I managed to figure out the real issue:

The catchall in nginx.conf works - but only for HTTP. The thing is, what was happening here is that there is no real default_server for SSL. It just picks the best match, out of all configurations (in my case, the first configuration handled by CertBot).

I implemented this solution, to solve my case:

https://jonnev.se/nginx-default-server-with-https/

(based on this question: Properly setting up a "default" nginx server for https)

Katai
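The HTTPS counterpart of the port-80 catch-all from the question, built around the `listen 443 ssl default_server;` line suggested in the comments. This is an added example, not part of the original post or the linked article; the file name and the certificate paths are assumptions.

```nginx
# Added example. Assumed location: /etc/nginx/sites-enabled/catchall-https
#
# If no server block on a listen socket carries default_server, nginx treats
# the first server block defined for that address:port as the default. On 443
# that was the first certbot-managed site, so unknown host names landed there.

# Option A (nginx 1.19.4 and later): reject the TLS handshake for any name
# that no other server block claims. No certificate is configured or sent.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;

    server_name _;

    ssl_reject_handshake on;
}

# Option B (older nginx): the handshake has to complete before a status code
# can be returned, so the block needs a certificate of its own. Use a
# throwaway self-signed one; the paths below are placeholders.
# Enable only one of the two options: two default_server blocks on the same
# socket produce the "duplicate default server" error from the question.
#
# server {
#     listen 443 ssl default_server;
#     listen [::]:443 ssl default_server;
#
#     server_name _;
#
#     ssl_certificate     /etc/nginx/ssl/catchall-selfsigned.crt;  # placeholder
#     ssl_certificate_key /etc/nginx/ssl/catchall-selfsigned.key;  # placeholder
#
#     server_name_in_redirect off;
#     log_not_found off;
#
#     return 410;  # same status as the existing port-80 catch-all
# }
```

After reloading, `nginx -T` should list exactly one `default_server` per listen socket: the port-80 block from nginx.conf and this one for 443.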