@@ -187,6 +187,57 @@ and you may of course take a look at the commands used in the
187187way of creating your own files.
188188
189189
190+ ## Reject Unknown Server Name
191+ When setting up server blocks there exist a setting called ` default_server ` ,
192+ which means that Nginx will use this server block in case it cannot match
193+ the incoming domain name with any of the other ` server_name ` s in its available
194+ config files. However, a less known fact is that if you do not specify a
195+ ` default_server ` Nginx will automatically use the [ first server block] [ 20 ] in
196+ its configuration files as the default server.
197+
198+ This might cause confusion as Nginx could now "accidentally" serve a
199+ completely wrong site without the user knowing it. Luckily HTTPS removes some
200+ of this worry, since the browser will most likely throw an
201+ ` SSL_ERROR_BAD_CERT_DOMAIN ` if the returned certificate is not valid for the
202+ domain that the browser expected to visit. But if the cert is valid for that
203+ domain as well, then there will be problems.
204+
205+ If you want to guard yourself against this, and return an error in the case
206+ that the client tries to connect with an unknown server name, you need to
207+ configure a catch-all block that responds in the default case. This is simple
208+ in the non-SSL case, where you can just return ` 444 ` which will terminate the
209+ connection immediately.
210+
211+ ```
212+ server {
213+ listen 80 default_server;
214+ server_name _;
215+ return 444;
216+ }
217+ ```
218+
219+ > NOTE: The [ redirector.conf] ( ../src/nginx_conf.d/redirector.conf ) should be
220+ the `default_server` for port 80 in this image.
221+
222+ Unfortunately it is not as simple in the secure HTTPS case, since Nginx would
223+ first need to perform the SSL handshake (which needs a valid certificate)
224+ before it can respond with ` 444 ` and drop the connection. To work around this
225+ I found a comment in [ this] [ 18 ] post which mentions that in version ` >=1.19.4 `
226+ of Nginx you can actually use the [ ` ssl_reject_handshake ` ] [ 19 ] feature to
227+ achieve the same functionality.
228+
229+ ```
230+ server {
231+ listen 443 ssl default_server;
232+ ssl_reject_handshake on;
233+ }
234+ ```
235+
236+ This will lead to an ` SSL_ERROR_UNRECOGNIZED_NAME_ALERT ` error in case the
237+ client tries to connect over HTTPS to a server name that is not served by this
238+ instance of Nginx, and the connection will be dropped immediately.
239+
240+
190241
191242
192243
@@ -208,3 +259,6 @@ way of creating your own files.
208259[ 15 ] : https://derflounder.wordpress.com/2019/06/06/new-tls-security-requirements-for-ios-13-and-macos-catalina-10-15/
209260[ 16 ] : https://superuser.com/questions/738612/openssl-ca-keyusage-extension/1248085#1248085
210261[ 17 ] : https://www.feistyduck.com/library/openssl-cookbook/online/ch-openssl.html
262+ [ 18 ] : https://serverfault.com/a/631073
263+ [ 19 ] : https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_reject_handshake
264+ [ 20 ] : https://nginx.org/en/docs/http/request_processing.html
0 commit comments