Search code examples
nginxsni

Fallback configuration for unknown host when using Nginx and SNI?

Can anyone indicate how I can configure the default host response when my Nginx server gets asked for a site it does not know about? I tried:

server {
       listen 443 default_server;
       listen [::]:443 default_server;

       server_name _;

       return 444;
}

That just ends up causing all the other sites to cause an 'unexpectedly closed the connection' error.

Note, I have no plans to support legacy https clients (those that aren't aware of SNI).

I am using Nginx 1.14.0

Solution

  • From exploring the web, the answer seems that you need to to create a self-signed certificate and then apply it to the default host. Nobody is going to trust that, but given they are ending up on an unhandled hostname it probably doesn't matter too much?

    I followed the instructions at Digital Ocean, which I will summarise here (there is too much to include the whole content):

    • Create a self-signed certificate
    • Generate the dhparam file
    • Configure the 'default' host to reference that in the https config (port 443)

    Generating the dhparm file (it takes a while):

    sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

    The configuration for 443 for the default host:

    server {
       listen 443 default_server;
       listen [::]:443 default_server;

       include snippets/self-signed.conf;
       include snippets/ssl-params.conf;

       server_name _;

        root /var/www/html;

        # Add index.php to the list if you are using PHP
        index index.html index.htm index.nginx-debian.html;

        server_name _;

        location / {
                ssi on;
                # First attempt to serve request as file, then
                # as directory, then fall back to displaying a 404.
                try_files $uri $uri/ =404;
        }
}

    The ssl-signed.conf file contents:

    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

    The ssl-params.conf file content:

    # from https://cipherli.st/

# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable preloading HSTS for now.  You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

ssl_dhparam /etc/ssl/certs/dhparam.pem;

    Note the above was tested with Nginx 1.14.0