4

I have many SSL Hosts on my server serving via Nginx SNI.

However, when I enter the IP address of that server, I will see the first configured virtual host with a certificate warning.

Is it possible to completely deactivate a default SSL Host?

Any other thoughts on how you guys are doing this?

kasperd
lockdoc
    Possible duplicate of [How to force or redirect to SSL in nginx?](http://serverfault.com/questions/250476/how-to-force-or-redirect-to-ssl-in-nginx) – hub Mar 23 '16 at 17:21
  • No, I don't think you can completely disable it. You can manage the behaviour using the default_server option, but if you don't have this, nginx will handle "unknown" vhosts with the first one it finds – Drifter104 Mar 23 '16 at 17:33
  • @hub That is actually a completely different question. It is not a duplicate at all. – kasperd Apr 03 '16 at 13:57
  • What kind of response would you want them to get? A connection refused error is not a possibility, because you have to reply to the SYN packet before the client hello will be sent. I think that leaves you with only a few options that are technically possible: **1** A default certificate. **2** An SSL level error message. **3** Silently close the TCP connection. **4** Reset the TCP connection. – kasperd Apr 03 '16 at 14:02
  • @kasperd How would you accomplish `3` and `4` then? – lockdoc Apr 03 '16 at 14:52
  • @lockdoc I do not know whether Nginx is capable of doing that. But it is something which at least is possible given the way the protocol works. If that is what you want to achieve, you should update the question to reflect that. – kasperd Apr 03 '16 at 15:18
  • another possible duplicate: https://stackoverflow.com/q/29448014/648741 – jochen Nov 13 '20 at 15:32

1 Answer

5

Interesting question. You'd have to issue a certificate for the IP, which according to this question is possible, but I know Let's Encrypt, which I use, doesn't do it.

Once you have done that, you would need to set up a default server for SSL that looks something like this (note that I haven't checked it, so it may need tweaking):

server {
    listen              80 default_server;
    listen              443 ssl default_server; # default_server applies per address:port, so it is given on both listen lines
    ssl_certificate     /path;
    ssl_certificate_key /path;
    server_name         _;
    access_log          off;
    log_not_found       off;

    return              444; # This means "go away", effectively: nginx closes the connection without a response, but you can choose whatever HTTP status code you want
}

Update: as per Michael Hampton's insightful comment below, just use a self-signed certificate.

Tim
    I just use a self-signed certificate for the default virtual host. Nobody should really be hitting it anyway, and most of those who do are malicious, so I don't care what they think. – Michael Hampton Mar 23 '16 at 18:46
  • It is still not the satisfying behaviour I was hoping for, but you have totally answered the question, so I will accept it. Thanks – lockdoc Apr 04 '16 at 06:41
  • @MichaelHampton unfortunately some parasitic scanners will report this as a vulnerability of your website which is a problem if you are a company with customers that look into such reports. No, customers will not care for your explanations that it should be ignored, whatever logical explanation you may have. – Jean-Bernard Jansen Apr 20 '22 at 08:53
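The answer's default_server approach, Michael Hampton's self-signed certificate and kasperd's options 1 to 3 in one worked configuration, as an added example that is not part of the original answer; the certificate paths and example.com are placeholders, and variant B relies on nginx's ssl_reject_handshake directive (available since nginx 1.19.4):

```nginx
# Added example, not code from the answer: catch-all servers that swallow
# requests arriving by bare IP or with an unknown Host/SNI name.
# Assumed paths: /etc/nginx/ssl/default.{crt,key} hold a self-signed
# certificate made only for this purpose; example.com is a placeholder.

# Plain-HTTP catch-all: answer nothing and close the connection.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    access_log off;
    return 444;   # nginx-specific code: drop the connection, send no response
}

# TLS catch-all, variant A: finish the handshake with a throwaway self-signed
# certificate, then drop the connection (kasperd's option 1 followed by 3).
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/nginx/ssl/default.crt;
    ssl_certificate_key /etc/nginx/ssl/default.key;
    access_log off;
    return 444;
}

# TLS catch-all, variant B (nginx 1.19.4+): refuse the handshake with a TLS
# unrecognized_name alert so no certificate is ever sent (kasperd's option 2).
# Use it instead of variant A; two default servers on one port conflict.
# server {
#     listen 443 ssl default_server;
#     listen [::]:443 ssl default_server;
#     server_name _;
#     ssl_reject_handshake on;
# }

# A real SNI host: only requests whose SNI/Host name matches reach it.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;
    ssl_certificate     /etc/nginx/ssl/example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
    root /var/www/example.com;
}
```

To check the result from another machine, `openssl s_client -connect <server-ip>:443 -noservername` (no SNI sent) shows the throwaway self-signed certificate under variant A and fails the handshake with an unrecognized_name alert under variant B, while `-servername example.com` must still return the real site's certificate.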