Can someone explain why Certbot is using the following redirect configuration

```nginx
server {
    if ($host = example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name example.com;
    listen 80;
    return 404; # managed by Certbot
}
```

instead of simply this one?

```nginx
server {
    server_name example.com;
    listen 80;
    return 301 https://$host$request_uri;
}
```

server_name basically says that this config only applies to example.com, so $host can never be anything different, or am I missing something?

Daniel
  • See also (both dated 5/31/2023): Let's Encrypt Community thread [Improve Certbot nginx config generate](https://community.letsencrypt.org/t/improve-certbot-nginx-config-generate/199304), and the corresponding issue [certbot/certbot #9705 - Improve nginx config generator](https://github.com/certbot/certbot/issues/9705) (still open as of 7/24/2023) – toraritte Jul 24 '23 at 12:20

1 Answer

I think the catch here is that if this happens to be the first server for this address/port combination, and no other server for this address/port has the default_server parameter, this server would become the default server, acting as a catch-all for unknown hosts.

See the request processing documentation for an overview, as well as the listen documentation for some specifics on the default server behavior:

> The default_server parameter, if present, will cause the server to become the default server for the specified address:port pair. If none of the directives have the default_server parameter then the first server with the address:port pair will be the default server for this pair.

Håkan Lindqvist
  • Correct. [This was actually done to fix a security vulnerability.](https://community.letsencrypt.org/t/security-issue-with-redirects-added-by-certbots-nginx-plugin/51493) – Matt Nordhoff Aug 01 '22 at 07:39
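As an added illustration (not code from the question, the answer or Certbot), the following Python model applies the selection rule the answer quotes (exact `server_name` match, else the block flagged `default_server`, else the first block on that port) to both configurations and shows what each returns for a known and an unknown `Host`. The class and function names, the simplified `$host` handling and the 444 stand-in for "nothing listens here" are my assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
Response = Tuple[int, Optional[str]]  # (status code, Location target or None)

@dataclass
class Server:
    port: str                       # the `listen` port (address part omitted for brevity)
    server_name: str                # exact server_name only; wildcards/regex not modelled
    fallback: Response              # the server-level `return`
    guard_host: Optional[str] = None          # value tested by `if ($host = ...)`, if any
    guard_action: Optional[Response] = None   # `return` inside that if block
    default_server: bool = False    # `listen ... default_server`

def pick_server(servers: List[Server], port: str, host: str) -> Optional[Server]:
    """nginx selection for one address:port: an exact server_name match wins;
    otherwise the block flagged default_server, else the first block on that port."""
    candidates = [s for s in servers if s.port == port]
    for s in candidates:
        if s.server_name == host:
            return s
    for s in candidates:
        if s.default_server:
            return s
    return candidates[0] if candidates else None

def handle(servers: List[Server], port: str, host: str, uri: str) -> Response:
    """Evaluate the chosen block the way the two configs in the question would.
    $host is taken straight from the Host header (nginx also lowercases it and strips a port)."""
    s = pick_server(servers, port, host)
    if s is None:
        return (444, None)  # assumption: no listener on this port, connection dropped
    if s.guard_host is not None and host == s.guard_host:
        code, target = s.guard_action
    else:
        code, target = s.fallback
    if target is not None:
        target = target.replace("$host", host).replace("$request_uri", uri)
    return (code, target)

# The two configurations from the question, expressed in this model.
CERTBOT = [Server("80", "example.com", (404, None),
                  guard_host="example.com", guard_action=(301, "https://$host$request_uri"))]
SIMPLE = [Server("80", "example.com", (301, "https://$host$request_uri"))]

if __name__ == "__main__":
    # Constructed requests: the real name and an unrelated Host header.
    for cfg_name, cfg in (("certbot", CERTBOT), ("simple", SIMPLE)):
        for host in ("example.com", "unknown.test"):
            print(cfg_name, host, handle(cfg, "80", host, "/path"))
```

With only the simple block listening on port 80 it is the default server, so an unknown `Host` is redirected to `https://<that host>/...`; Certbot's guard answers such requests with 404 instead.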