
For the past few weeks I have been hunting for a solution to set up a 404 nginx config for the default host on port 443, and have found no solution so far.

To clarify the question properly, let's take quora.com as an example, which is running on nginx.

Now Quora.com's public IP is 192.229.182.210, and when you enter the following it shows the following results:

http://192.229.182.210 - shows 404

https://192.229.182.210 - Server could be tricking -> then shows 404

Hint - Most other servers running on nginx say invalid certificate and then forward to their production host. Example - wordpress.org

The question is: should you use an SSL snippet on the default config to pass the 404 as Quora's public https IP shows? If yes, was it self-signed? If no SSL is used, how is it done?

My current config is

```
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    server_name _;

    return 403;
}
```
Ajay Singh
  • Possible duplicate of [Best practice to handle default\_server and public ip in nginx](https://serverfault.com/questions/847978/best-practice-to-handle-default-server-and-public-ip-in-nginx) – Tero Kilkanen May 14 '17 at 06:57

2 Answers


https://192.229.182.210 shows a certificate warning in Chrome, IE, and Firefox. Perhaps you added an exception that allows it to ignore the certificate mismatch, or you're using a strangely permissive browser. If you're not seeing this, clear your cache and exceptions, refresh, and provide a screenshot if it's still happening.

What I describe above is the expected behavior because https certificates are issued against a domain name, not an IP.

I don't think it's possible to display a page based on https requests to your IP without a domain name without getting a certificate warning. That would require an https certificate to be issued to an IP, which is possible but is very rarely done.

Tim
  • Sorry for the misunderstanding. "Server could be tricking" is the certificate warning and I used "->" to explain the flow. Since there are so many people asking the same question in very different ways but no answers found, I prefer what Quora uses, much better than sending the user to Quora.com with a disabled https which would be a default behavior. – Ajay Singh May 13 '17 at 05:14
  • As I said, Quora seems to do the same as everywhere else, it shows "your connection is not private" in Chrome. I really don't know what you're trying to achieve or what you mean by "tricking". You really need to provide a better description and evidence of what you've said. – Tim May 13 '17 at 06:03
  • Huh. I am not claiming anything here. Visit 52.201.116.102 over https, like you said it shows "your connection is not private" and then redirects to Quora.com with SSL on. How did they do this redirect? It's a simple question expecting a simple answer? I tried doing a 301 on the default config, but it results in "Multiple redirects to server". – Ajay Singh May 13 '17 at 06:19
  • When I visit 192.229.182.210 over https I get a certificate warning. That's it. It never forwards. Nothing happens other than the warning. Same in every browser. When I "curl -k -i https://192.229.182.210/" I get a 404 page, there's no forwarding headers. Either you have an exceptionally weird setup or you're a troll. – Tim May 13 '17 at 09:03
  • Lol. I'm not sure who is trolling here or just misunderstanding. Regarding 192.229.182.210, you are right, I said that already in my question. I was talking about https://52.201.116.102. Now coming back to my question, how did they do it, on both IPs? Just post the code if you know. No more arguing. – Ajay Singh May 13 '17 at 20:21
  • Same answer, invalid certificate name, nothing else. – Tim May 13 '17 at 22:04
  • That IP no longer responds. Still no answer to my question. It's pretty loud and clear. As you mentioned "I get a 404 page, there's no forwarding headers.", my question was what did they put in the config to get a 404. – Ajay Singh May 13 '17 at 23:22
  • I only get the 404 when I use curl with the -k "ignore certificate errors" flag. In my browser I only ever get the security warning. – Tim May 13 '17 at 23:30
  • TLS negotiation happens before any HTTP response codes are sent. If TLS negotiation fails due to invalid keys, then one receives only the certificate error, no 404 error code nor 301 redirect. – Tero Kilkanen May 14 '17 at 06:58

Finally found the answer on how to get a decent 404 for the SSL default IP address.

Source: Properly setting up a "default" nginx server for https

Though not many have upvoted this answer, it looks to be true that Quora uses a self-signed certificate for the default host and shows a custom 404. Using the following will show a default 404.

Set the default config to this.

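```
server {
    server_name _;
    listen       80  default_server;
    return       404;
}


server {
    # default_server makes this block the catch-all for port 443,
    # regardless of the order in which config files are loaded
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    return       404;
}
```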

Then make the directory for SSL if it doesn't exist

```
sudo mkdir -p /etc/nginx/ssl
```

Then create a self-signed SSL certificate for the same

```
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt
```

Check for errors and reload nginx to get the 404

```
# run the config test as root so it can read the root-owned key file
sudo nginx -t

sudo systemctl reload nginx
```
Ajay Singh
  • That doesn't solve the problem because browsers don't trust self signed certificates. You'll still get a certificate error in the browser. – Tim May 13 '17 at 05:29
  • Yes you are right. Was happy to see 404. Now ssllabs.com gave a "T" while Quora still gets an "A". What is your solution? How did they do it? – Ajay Singh May 13 '17 at 05:58
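
An added example, not part of the original question, answers or comments: a catch-all layout that avoids serving a self-signed certificate at all, using `ssl_reject_handshake` (available in nginx 1.19.4 and later). With it, a client that connects by IP or with an unknown name has its TLS handshake refused, so it receives neither a certificate nor an HTTP status such as 404, even with `curl -k`. `example.com`, its certificate paths and its web root are placeholders assumed for illustration.

```nginx
# Added example, not from the original answers.
# Requires nginx 1.19.4 or later for ssl_reject_handshake.

# Plain HTTP catch-all: requests by IP or with an unknown Host header.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 404;
}

# HTTPS catch-all: abort the TLS handshake when the client's SNI name
# (or the lack of one, as with a request to the bare IP) matches no
# other server block. No certificate or key is configured here, so
# nothing self-signed is ever presented to scanners or browsers.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    ssl_reject_handshake on;
}

# A real site keeps its own certificate and is unaffected by the
# catch-all above. example.com and the paths below are placeholders.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;
    ssl_certificate     /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
    root /var/www/example.com;
}
```

Only one server block per listening socket may carry `default_server`, so this HTTPS catch-all replaces the self-signed one from the answer rather than sitting beside it.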