7

I have recently created an nginx server on Debian 8. It came up with a default config in /etc/nginx/sites-available/default which redirects to an nginx welcome page.

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    root /var/www/html;
    index index.php index.html index.htm index.nginx-debian.html;

    server_name your_server_ip;

    location / {
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
    }

    location ~ /\.ht {
        deny all;
    }
}

I have added a new production page, say 'example.com', with SSL on it.

In the config for ../example.com, it is not set as the default server.

server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    return 301 https://$server_name$request_uri;
}

server {

    # SSL configuration

    listen 443 ssl;
    listen [::]:443 ssl;
    include snippets/ssl-example.com.conf;
    include snippets/ssl-params.conf;
    ....

Now when I SSL security tested it on https://www.ssllabs.com/ssltest/analyze.html?d=example.com, it got an A+. But it had commented 'Inconsistent server configuration'.

And when I load the IP address, say x.x.x.x, in the browser as https://x.x.x.x, it loads the same page as https://example.com but without SSL (green address bar) on it. If I load http://x.x.x.x it loads the default nginx welcome page.

I tried to set the default config (for the IP) to give a forbidden message; I added the following code:

location / {
    deny all;
}

Now when I SSL security test example.com, it says "No secure protocols supported" and no test results appear.

So my questions are:

What should be done with the default config that comes with nginx, which loads for the IP address?

Which server_name (config file) should be set as the default_server on the 'listen' command?

What should be done with the IP, which is currently forwarding HTTPS requests to the example domain?

Intended results:

Only https://example.com should be used to connect to the server, and loading the IP address can show 'page not found' or 'forbidden', since example.com will be used for PHP scripts on it.

SSL tests should give at least an A rating after the set configuration.

The IP address should not accept any connections directly and process them.

Ajay Singh

2 Answers

7

You can have this as your default server block:

server {
    listen 80 default_server;
    listen 443 ssl default_server;

    server_name _;

    ... SSL keys for default server ...

    return 403;
}

This will cause any HTTP connection whose Host: header does not match any other virtual host on the server to return a 403 Forbidden error message to the client.

If you use valid SSL keys here for a hostname that does not match any existing hostname, the client will get the 403 error page directly. If you use a self-signed certificate here, then the user will get an untrusted certificate error message.

Tero Kilkanen
  • Thank you for the answer. I don't understand the second part, regarding SSL keys. I have SSL certificates for example.com (not self-signed). But no certificates have been set up for the IP or anything else. So should I use the keys for example.com or create (non-self-signed) keys for the IP? – Ajay Singh May 13 '17 at 03:00
  • Yes, that is what you need, just like in the answer you provided. – Tero Kilkanen May 13 '17 at 18:46
  • The answer didn't work as expected. ssllabs.com gave a "T" rating for misconfiguration (previously A+), and when loading the production site, it's somehow checking the IP's self-signed certificate against the site's CA-signed certificate and throwing a mismatch error. Still unsolved. – Ajay Singh May 13 '17 at 20:27
  • Please edit your complete nginx configuration into your question. – Tero Kilkanen May 14 '17 at 06:36
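The reason the IP address served the example.com site over HTTPS in the question, and why the catch-all `server_name _` block in the answer above fixes it, is nginx's server selection rule: for a given listen port it tries an exact server_name match, then the longest wildcard starting with `*`, then the longest wildcard ending with `*`, then the first matching regex name, and if nothing matches it falls back to the default server for that port, which is the block marked `default_server` or, failing that, the first block in load order that listens on the port. Since the question's only 443 block was the example.com block, every HTTPS request on that port, including one by bare IP or with no SNI at all, landed there. The script below is an added example written for this edit, not code from the question or either answer; it is a deliberately small parser for the `server`/`listen`/`server_name`/`return` directives (one level of nested `location` blocks, no `.example.com` shorthand names) plus that selection rule, run over two constructed config texts, one shaped like the question's and one like the answer's. The IP 203.0.113.10 is a documentation address used as a constructed Host value.

```python
"""Which nginx server block answers a request?  (added example, not from the post)

Minimal parser for the server / listen / server_name / return parts of an
nginx config, plus nginx's documented selection rule: exact name, longest
'*.suffix' wildcard, longest 'prefix.*' wildcard, first matching '~regex',
otherwise the default server for that port (explicit default_server, else the
first block listening there).  Both config texts below are constructed.
"""
import re

# Shape of the question's setup: default block only on port 80, site on 443.
ASKER_STYLE_CONFIG = """
server { listen 80 default_server; server_name _; root /var/www/html; }
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl;
    server_name example.com www.example.com;
    location / { try_files $uri $uri/ =404; }
}
"""

# Shape of the answer's setup: a catch-all default block on both ports.
FIXED_CONFIG = ASKER_STYLE_CONFIG.replace(
    "server { listen 80 default_server; server_name _; root /var/www/html; }",
    "server { listen 80 default_server; listen 443 ssl default_server;"
    " server_name _; return 403; }")


def parse_servers(text):
    """Return one dict per top-level server block:
    {'ports': {port: is_default}, 'names': [...], 'return': str or None}."""
    servers, pos = [], 0
    while True:
        m = re.search(r'\bserver\s*\{', text[pos:])
        if not m:
            break
        start = pos + m.end()
        depth, i = 1, start
        while depth and i < len(text):           # find the matching '}'
            depth += {'{': 1, '}': -1}.get(text[i], 0)
            i += 1
        body, pos = text[start:i - 1], i
        srv = {'ports': {}, 'names': [], 'return': None}
        # drop one level of nested blocks (location { ... }) so that only the
        # server's own directives are left to split on ';'
        flat = re.sub(r'\w[^{};]*\{[^{}]*\}', '', body)
        for directive in flat.split(';'):
            parts = directive.split()
            if not parts:
                continue
            if parts[0] == 'listen':             # '80', '[::]:80', '443 ssl'
                port = int(parts[1].rsplit(':', 1)[-1])
                srv['ports'][port] = 'default_server' in parts[2:]
            elif parts[0] == 'server_name':      # keep regex names as written
                srv['names'] += [n if n.startswith('~') else n.lower()
                                 for n in parts[1:]]
            elif parts[0] == 'return':
                srv['return'] = ' '.join(parts[1:])
        servers.append(srv)
    return servers


def select_server(servers, port, host=None):
    """Block nginx would use for a request on `port` whose Host header (or
    TLS SNI name) is `host`; None means the client sent no name at all."""
    candidates = [s for s in servers if port in s['ports']]
    if not candidates:
        return None
    if host:
        host = host.lower().rstrip('.')
        for s in candidates:                     # 1. exact match
            if host in s['names']:
                return s
        for prefix_wild in (True, False):        # 2. '*.suffix'  3. 'prefix.*'
            best = None
            for s in candidates:
                for n in s['names']:
                    hit = (n.startswith('*.') and host.endswith(n[1:])) if prefix_wild \
                        else (n.endswith('.*') and host.startswith(n[:-1]))
                    if hit and (best is None or len(n) > len(best[0])):
                        best = (n, s)
            if best:
                return best[1]
        for s in candidates:                     # 4. first regex name
            if any(n.startswith('~') and re.search(n[1:], host) for n in s['names']):
                return s
    for s in candidates:                         # 5. explicit default_server ...
        if s['ports'][port]:
            return s
    return candidates[0]                         # ... else first block on that port


def what_client_sees(config_text, port, host=None):
    """Summarise the outcome: the chosen block's return directive, or the
    names it serves when it has none."""
    s = select_server(parse_servers(config_text), port, host)
    if s is None:
        return 'connection refused (nothing listens on %d)' % port
    return s['return'] or 'serves ' + ' '.join(s['names'])


if __name__ == '__main__':
    for label, cfg in (('asker', ASKER_STYLE_CONFIG), ('fixed', FIXED_CONFIG)):
        for port, host in ((80, '203.0.113.10'), (443, '203.0.113.10'),
                           (443, None), (443, 'www.example.com')):
            print(label, port, host, '->', what_client_sees(cfg, port, host))
```

Running it shows the question's symptom directly: with the asker-style layout, a request to port 443 by IP (or with no SNI) gets `serves example.com www.example.com`, because that is the first and only block on the port; with the fixed layout the same request gets `403` while `www.example.com` still reaches the site. Step 5 is also the caveat for the second answer's variant: a catch-all block on 443 without `default_server` only wins if it is loaded before the site's block, so marking it explicitly is the robust choice.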
3

Found a usable solution finally. Quora does something like this, to redirect the default to 404.

Source: Properly setting up a "default" nginx server for https

By setting the default config to this:

server {
    server_name _;
    listen       80  default_server;
    return       404;
}


server {
    listen 443 ssl;
    server_name _;
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    return       404;
}

Then make the directory for SSL if it doesn't exist:

sudo mkdir -p /etc/nginx/ssl

Then create a self-signed SSL certificate for the same:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt

Check for errors and reload nginx to get the 404:

nginx -t

sudo systemctl reload nginx
Ajay Singh