4

I have many SSL Hosts on my server serving via Nginx SNI.

However, when I enter the IP address of that server, I will see the first configured virtual host with a certificate warning.

Is it possible to completely deactivate a default SSL Host?

Any other thoughts on how you guys are doing that?

7
  • 1
    Possible duplicate of How to force or redirect to SSL in nginx? Commented Mar 23, 2016 at 17:21
  • No, I don't think you can completely disable it. You can manage the behaviour using the default_server option, but if you don't have this nginx will handle "unknown" v.hosts with the first one it finds. Commented Mar 23, 2016 at 17:33
  • @hub That is actually a completely different question. It is not a duplicate at all. Commented Apr 3, 2016 at 13:57
  • What kind of response would you want them to get? A connection refused error is not a possibility, because you have to reply to the SYN packet before the client hello will be sent. I think that leaves you with only a few options that are technically possible: 1 A default certificate. 2 An SSL level error message. 3 Silently close the TCP connection. 4 Reset the TCP connection. Commented Apr 3, 2016 at 14:02
  • @kasperd How would you accomplish 3 and 4 then? Commented Apr 3, 2016 at 14:52

2 Answers

5

Interesting question. You'd have to issue a certificate for the IP, which according to this question is possible, but I know Let's Encrypt who I use doesn't do it.

Once you have done it you would need to set up a default server for SSL that looks something like this (note that I haven't checked it so it may need tweaking)

```nginx
server {
    listen 80 default_server;
    listen 443 ssl default_server;   # default_server is per listen port, so it goes on both; 443 needs the ssl parameter
    ssl_certificate /path;
    ssl_certificate_key /path;
    server_name _;
    access_log off;
    log_not_found off;
    return 444;   # 444 is nginx's "close the connection" code; effectively "go away", but any HTTP status could be returned instead
}
```

Update - as per Michael Hampton's insightful comment below, just use a self signed certificate.

3
  • 3
    I just use a self-signed certificate for the default virtual host. Nobody should really be hitting it anyway, and most of those who do are malicious, so I don't care what they think. Commented Mar 23, 2016 at 18:46
  • It is still not the satisfying behavior I was hoping for, but you have totally answered the question, so I will accept it. Thanks Commented Apr 4, 2016 at 6:41
  • @MichaelHampton unfortunately some parasitic scanners will report this as a vulnerability of your website which is a problem if you are a company with customers that look into such reports. No, customers will not care for your explanations that it should be ignored, whatever logical explanation you may have. Commented Apr 20, 2022 at 8:53
1

https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_reject_handshake

```nginx
server {
    listen 443 ssl default_server;
    ssl_reject_handshake on;
}
```
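
The two answers describe different outcomes for a client that reaches the server by bare IP or with a name it does not host: a default certificate (real or self-signed) or a rejected handshake. The script below is an added example, not part of either answer, for checking which of those your own server actually exhibits. It assumes `openssl s_client` is installed (the `-noservername` option requires OpenSSL 1.1.1 or later) and matches on the output strings OpenSSL prints; the IP and names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: classify how a TLS endpoint answers a client that sends no SNI
# or an unknown server name. Assumes `openssl s_client` (OpenSSL >= 1.1.1).

# classify_handshake: read `openssl s_client` output on stdin and print one of
#   rejected        - server sent a TLS alert (what `ssl_reject_handshake on` does)
#   selfsigned      - a certificate was served but it is self-signed (X509 verify code 18/19)
#   cert:<subject>  - a certificate with a proper chain was served (a real default_server cert)
#   closed          - no certificate and no alert: the connection was just closed
#   unknown         - none of the patterns matched
classify_handshake() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -qiE 'unrecognized name|alert number 112|handshake failure|alert number 40'; then
        echo rejected
    elif printf '%s\n' "$out" | grep -qE 'Verify return code: (18|19) '; then
        echo selfsigned
    elif printf '%s\n' "$out" | grep -q '^subject='; then
        printf 'cert:%s\n' "$(printf '%s\n' "$out" | sed -n 's/^subject=//p' | head -n 1)"
    elif printf '%s\n' "$out" | grep -qi 'no peer certificate available'; then
        echo closed
    else
        echo unknown
    fi
}

# probe HOST PORT [SERVERNAME]: connect without SNI (no SERVERNAME) or with the
# given SNI, and classify the server's reaction.
# Usage (placeholder IP/name):
#   probe 203.0.113.10 443              # bare IP, no SNI
#   probe 203.0.113.10 443 nonexistent.example   # unknown server name
probe() {
    host=$1; port=$2; name=$3
    if [ -n "$name" ]; then
        openssl s_client -connect "$host:$port" -servername "$name" </dev/null 2>&1 | classify_handshake
    else
        openssl s_client -connect "$host:$port" -noservername </dev/null 2>&1 | classify_handshake
    fi
}
```

A result of `rejected` means the second answer's `ssl_reject_handshake` is in effect; `selfsigned` or `cert:...` means a default server with a certificate is answering, which is what scanners report as a hostname mismatch on the bare IP; `closed` corresponds to a `return 444`-style server dropping the connection after the handshake.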
