7

I have a website running on an Nginx web server which runs over HTTPS. I noticed recently that someone has pointed their domain to my web server, and Nginx is serving my website to this bad domain. It looks like it's even being indexed in Google...

Nginx config:

server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/nginx/ssl/example.com/ssl-bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com/example.com.key;

    root /var/www/example.com;
    index index.html;
}

I have tried adding an if statement to check if the $host matches the server_name, as recommended here:

server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/nginx/ssl/example.com/ssl-bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com/example.com.key;

    # Check if incoming hostname matches server_name
    if ($host != $server_name) {
        # If not, return 404
        return 404;
    }

    root /var/www/example.com;
    index index.html;
}

This addition didn't seem to help. Is any of this on the right track? Any suggestions would be much appreciated.

simonlehmann

2 Answers

2

I have a website running on an Nginx web server which runs over HTTPS. I noticed recently that someone has pointed their domain to my web server and Nginx is serving my website to this bad domain. It looks like it's even indexing in google...

The best way to deal with this or a similar situation is to create a default catchall server block. For example, here's what I have to serve other domains that are pointed towards my server's IP.

server {
    listen 80 default_server;
    server_name _;

    # deny all
    location / {
        return 403;
    }
}

I hope that helps!

Pothi Kalimuthu
  • This could be tweaked for SSL too! – Pothi Kalimuthu Jul 20 '17 at 04:52
  • Thanks for the response. As I understood it, a catch-all server is good until HTTPS comes into it. How could this be tweaked for HTTPS? – simonlehmann Jul 20 '17 at 05:01
  • Two steps are involved to tweak it for SSL / HTTPS. 1. Add another listen directive `listen 443 default_server`. 2. Include the SSL directives of any existing domain using the keywords ssl_certificate and ssl_certificate_key. I hope that helps. – Pothi Kalimuthu Jul 20 '17 at 05:28
1

Creating a catch-all server would be the best option. You could either return 404;, as suggested, or redirect everything to the canonical hostname; that'd solve the problem with search engines.

Here's my alternative with a complete configuration:

server {
    # catch-all server for both http and https
    listen *:80 default_server;
    # the ssl parameter is required, otherwise nginx speaks plain HTTP on :443
    # and TLS clients get "400 The plain HTTP request was sent to HTTPS port"
    listen *:443 ssl default_server;
    server_name _;

    # Your SSL configuration
    # Note: this certificate is for example.com, so a client that arrived via
    # some other hostname sees a certificate name mismatch before the redirect.
    ssl_certificate     /etc/nginx/ssl/example.com/ssl-bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com/example.com.key;

    # Redirect to canonical site (the site runs over HTTPS, so redirect there;
    # $request_uri keeps the original path and query string)
    return 301 https://example.com$request_uri;
}

Esa Jokinen