Nginx. How do I reject request to unlisted ssl virtual server?

Question

I have a wildcard SSL certificate and several subdomains on the same ip. Now I want my nginx to handle only mentioned server names and drop connection for others so that it'd look like nginx is not running for unlisted server names (not responding, rejecting, dead, not a single byte in response). I do the following

ssl_certificate         tls/domain.crt;
ssl_certificate_key     tls/domain.key;

server {
  listen 1.2.3.4:443 ssl;
  server_name validname.domain.com;
  //
}

server {
  listen 1.2.3.4:443 ssl;
  server_name _;
  // deny all;
  // return 444;
  // return 404;
  //location {
  //  deny all;
  //}
}

I've tried almost everything in the last server block, but no success. I get either valid response from known virtual server or error code. Please help.

score 20 · Answer 1 · edited Jul 07 '18 at 08:51

The answer by cjc already correctly pointed out the problem with trying to match host names when SSL is enabled. However, it is possible to do it, like this:

server {
    ...

    if ($host !~* ^validname\.domain\.com$ ) {
        return 444;
    }
    ...
}

Note: yes it is true that generally if is evil, but it is safe to use if in this case. (Read the linked page if you need to convince yourself.)

Contrarily to what has been suggested, just adding the following block won't work:

server {
    listen 80;
    listen 443 ssl;
    return 444;
}

because an SSL certificate that matches validname.domain.com won't match some random domain name. I've tried it, and nginx acted like the block was not present at all.

This also won't work:

server {
    listen       443;
    server_name    _;
    return 444; 
}

because it will make every single HTTPS connection on port 443 fail, even those that should go through. I've tried this one too. wget reported an SSL handshake error.

This answer is absolutely right. Just for those who doubt you should to add this section to the working server config. So for the topic starter config would be server { listen 443 ssl; server_name validname.domain.com; if ($host !~* ^validname\.domain\.com$ ) { return 444; } } — Ivan Yaremchuk, Feb 26 '20 at 03:05
This doesn't work for me, e.g. curl reports "certificate subject name (realhostname) does not match target host name 'someipaddress'" — Martin Fido, Oct 16 '20 at 06:51

icebox · Answer 2 · 2023-05-25T09:39:18.447

At this time, the answer to this question can be updated.

For Nginx ≥ 1.19.4: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_reject_handshake

server {
    listen               443 ssl default_server;
    ssl_reject_handshake on;
}

server {
    listen              443 ssl;
    server_name         example.com;
    ssl_certificate     example.com.crt;
    ssl_certificate_key example.com.key;
}

For Nginx < 1.19.4: Using https://git.hakase.app/Hakase/openssl-patch

http {
    # control options
    strict_sni on;
    strict_sni_header on;

    # fake server block
    server {
        server_name  localhost;
        listen       80;
        listen       443 ssl default_server; # "default_server" is necessary
        ssl_certificate /root/cert.crt; # Can be any certificate here
        ssl_certificate_key /root/cert.key; # Can be any certificate here

        location / {
            return 444;
        }
    }

    # normal server blocks
    server {
        server_name  normal_domain.tld;
        listen       80;
        listen       443 ssl;
        ssl_certificate /root/cert.crt; # Your real certificate here
        ssl_certificate_key /root/cert/cert.key; # Your real certificate here

        location / {
            echo "Hello World!";   
        }
    }
}

For newbies who is not familiar with applying the patch to Nginx, you can check this: https://stackoverflow.com/questions/64225024/64225025#64225025

Thank you !! Was looking for this for a long time. – Jean-Bernard Jansen Jun 07 '22 at 16:16 — Jean-Bernard Jansen, Jun 07 '22 at 16:16

score 7 · Accepted Answer · answered Mar 27 '12 at 13:30

7

It doesn't work that way: the SSL handshake happens before HTTP, so the name on the certificate will get evaluated in the browser before you can redirect or do anything else inside the nginx configuration.

answered Mar 27 '12 at 13:30

cjc

24,916
3
51
70

3

This is not true: you can do something else at lower level, like dropping connection without any response, as explained in other answers. – collimarco Mar 19 '14 at 15:19

score 7 · Answer 4 · edited Jul 09 '18 at 15:32

7

Most answers here are about why it doesn't work, not how to make it work.

Here is how - you need to make such catch-all server a 'default_server' and need to provide paths to cert/key so that it can decrypt incoming ssl request and match the Host header:

server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate <path to cert>;
    ssl_certificate_key <path to key>;
    return 404;
}

Note the ssl_certificate/ssl_certificate_key there. If they are not specified, nginx still tries to use such default_server and fails as it can't accept ssl connection w/o a cert/key. One can use any cert/key e.g. self-signed. ...

To generate a self-signed certificate:

openssl req -x509 -newkey rsa:4096 -nodes -out cert.pem -keyout key.pem -days 365

Also see https://serverfault.com/a/841643/87439

edited Jul 09 '18 at 15:32

Amir Hossein Baghernezad

109
7

answered Mar 30 '17 at 20:50

andreycpp

679
8
6

1

Have you tried this? How do you create a SSL certificate that matches a server name of "_"? – Tim Mar 30 '17 at 20:52
Yes, this solution works for me. I had same exact problem and figured from documentation that nginx needs a cert/key as it doesn't look at TLS SNI. You can use any cert/key, e.g. self-signed. – andreycpp Mar 30 '17 at 20:59
Not working for me, even if the client doesn't verify the certificate. Maybe it worked e.g. prior to TLS 1.2? – Martin Fido Oct 16 '20 at 06:39
This still seems to be a nice solution however, as the client gets an invalid response and we don't leak the real hostname. – Martin Fido Oct 16 '20 at 07:22

score 1 · Answer 5 · answered Dec 06 '12 at 22:30

1

I implemented the above solution today, and it worked swimmingly. All URL's not specified are dropped, now. Placing this server code before the actual virtual server entry was key - all mal-formed URL's now go to this 'default' server.

... 
server {
     listen       443;
     server_name    _;
     return 444; }

server {
     listen       443;
     server_name  [URL]

answered Dec 06 '12 at 22:30

david sexton

19
1

2

Nope, this doesn't work for me. – Shinebayar G Mar 21 '20 at 06:56

score -1 · Answer 6 · answered Mar 27 '12 at 20:07

-1

You should be able to handle this by making the server that handles the unlisted items the first server block in your config.

http {
    ...

    server {
        listen 80;
        listen 443 ssl;
        return 444;
    }

    server {
        server_name validname.domain.com;
        ...
    }
}

All domains not specifically identified will be handled by this server block.

answered Mar 27 '12 at 20:07

Dayo

1,826
1
15
12

3

It does not work – Amir Hossein Baghernezad Jul 09 '18 at 06:50

Nginx. How do I reject request to unlisted ssl virtual server?

6 Answers6

Linked