By default nginx serves https requests with multiple certificates by using SNI. The fallback for clients not supporting SNI will be the default_server or first vhost which has been configured.

I want nginx to not serve clients which don't support SNI.

For instance, if I check a site with the ssl test on ssllabs.com, the certificate sent by SNI will be shown, but also the fallback certificate without SNI support will be shown.

I'm in search of something like strict-sni in HAProxy.

I'm not using nginx+.

Matthias
1 Answer

Did you try to create a server block with the IP address as server_name, using ssl_reject_handshake on, available from nginx version 1.19.4 and above?
This should prevent answers to the IP without SNI.

unNamed
  • This is extremely new; and most of us will not take a mainline nginx, but will wait for a stable 1.20. – Michael Hampton Dec 11 '20 at 22:06
  • This is not part of the requirements of the OP. Question asked, answer given. Even if probably more than 2 years late :D – unNamed Dec 11 '20 at 22:09
  • I will try it, when a compatible version is in the repository of my distro. Until then you sadly need to wait for me to accept your answer. :( – Matthias Dec 22 '20 at 08:18
  • You can also compile from source code instead of using a repository package. – unNamed Dec 23 '20 at 14:08
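The configuration the answer describes, written out as an added example (not part of the original answer or of the nginx project's documentation). It assumes nginx 1.19.4 or newer; example.com and the certificate paths are placeholders. Instead of putting the IP address in server_name, it uses a default_server catch-all, which is selected both for clients that send no SNI at all and for clients whose SNI name matches no other server block, so no fallback certificate is ever presented:

```nginx
# Added example, not from the original answer. Requires nginx >= 1.19.4.
# example.com and the certificate paths below are placeholders.
http {
    # Catch-all block: connections without SNI, or with an SNI name that matches
    # no configured server_name, land here. ssl_reject_handshake aborts the TLS
    # handshake with an alert instead of serving a fallback certificate, so no
    # certificate (and no ssl_certificate directive) is needed in this block.
    server {
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;
        server_name _;
        ssl_reject_handshake on;
    }

    # Real site: only reached when the client sends a matching SNI name.
    server {
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name example.com www.example.com;
        ssl_certificate     /etc/ssl/certs/example.com.fullchain.pem;  # placeholder path
        ssl_certificate_key /etc/ssl/private/example.com.key;          # placeholder path

        location / {
            root /var/www/example.com;  # placeholder path
        }
    }
}
```

After reloading, you can confirm the behaviour from the defender's side with openssl s_client: a connection made with the matching SNI name (the default for -connect on OpenSSL 1.1.1 and later) completes the handshake and shows the site certificate, while one made with -noservername, or with an unknown name via -servername, fails during the handshake and prints no certificate. On an SSL Labs scan this shows up as the absence of a second, non-SNI certificate.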