56

I have a website on a VPS.

The issue I am having is that when I enter the IP of the server, it links to the website.
Even when entering mail.domain.com, it does the same thing.

How do I disable that, so a visitor would get a message or be directed to the domain?

I tried disabling the IP and mail a record on cloud flare but it didn't work.

My setup is:

VPS on Linux Debian 
Nginx
no control panel just command line
Cloudflare
DNS setup with BIND
Khaled A
  • 561
  • 1
  • 4
  • 4

10 Answers10

54
server {
    listen      80 default_server;
    listen      [::]:80 default_server;
    server_name "";
    return      444;
}

You need to specify default_server parameter so that all non available server requests goes to this server block which throws 444 error.

444 : CONNECTION CLOSED WITHOUT RESPONSE

ref: https://httpstatuses.com/444

Basil Musa
  • 8,198
  • 6
  • 64
  • 63
41

You can use redirect, nginx config:

server {
        listen 80;
        server_name IP_ADDRESS;
        return 301 http://YOUR.DOMAIN;
}
Laurence
  • 58,936
  • 21
  • 171
  • 212
Chernov
  • 532
  • 3
  • 4
  • 2
    The specific issue that's addressed here is that the IP address has to be explicitly defined and redirected or blocked with a 403 or such. I had removed all references to my IP address in the config and it still showed up for the IP- it was driving me nuts. But it seems that it falls back to allowing IP access if not overwritten. Thanks! – Matt Fletcher Nov 27 '15 at 13:45
  • This also only works for me when listen directive also has the exact IP otherwise nginx matched a more specific server block although the server_name didn't match. – Avamander May 15 '18 at 18:14
  • How can I do a `return 301` based on the visitor: if it is local, nginx should redirect to 192.168.., if it comes from remote, then domain.com. – Timo Jul 15 '18 at 14:11
  • Put this in `/etc/nginx/conf.d/default.conf` – tread Jul 17 '18 at 19:01
  • 2
    Thanks, this works for me but still my app is accessible using `IP_ADDRESS:`. How can I solve that? – Suresh Prajapati Mar 27 '19 at 11:21
  • @SureshPrajapati if your application runs on different port, you should probably make a proxy via nginx. also it is not a good practice to allow other ports open so use your firewall as well to hide the port from the "outside" world – tim.a May 10 '22 at 07:48
19

You can just add a server directive before others.

server {
    listen 80;
    server_name _;
    return 404;
}
okin2014
  • 323
  • 2
  • 5
  • Will that work if one of the other server blocks has `default_server`? Does `_` have special meaning? – mpen Oct 28 '17 at 19:50
  • From https://nginx.org/en/docs/http/server_names.html : In catch-all server examples the strange name “_” can be seen: ...There is nothing special about this name, it is just one of a myriad of invalid domain names which never intersect with any real name. Other invalid names like “--” and “!@#” may equally be used. – uhelp Feb 15 '18 at 05:31
  • 2
    @mpen it won't work if one of the other sets `default_server`. `_` has no special meaning, you can use anything. – Rick May 31 '19 at 04:42
6

You can use redirect, nginx config:

server {
        listen 80;`enter code here`
        server_name IP_ADDRESS;
        return 301 http://YOUR.DOMAIN;
}
pushkin
  • 9,575
  • 15
  • 51
  • 95
Kapil
  • 61
  • 1
  • 1
  • 1
    Welcome to Stack Overflow! Please note that while a code snippet _can_ be a useful answer on its own, it's preferable to leave some commentary for future readers about why this solves the problem. Thanks! – Erty Seidohl May 06 '18 at 16:24
  • The issue with this solution that you need to know IP address of your server upfront. New things (like running on distributed architectures) quite often may move your nginx to different IP's. – Victor Ronin Sep 21 '18 at 01:39
6

Neither of above helped in my case - IP connection to http works as expected but https was redirecting to alphabetically first https virtual site. What was working witn nginx below 1.19.4 was to add null certificate to block:

server {
  listen 80 default_server;
  listen [::]:80 default_server;
  listen 443 default_server;
  listen [::]:443 default_server;

  ssl_certificate /etc/ssl/null.crt;
  ssl_certificate_key /etc/ssl/null.key;

  server_name "";
  return 444;
}

Certificte can be generated with empty CN so you need no worry about fill it.

openssl req -x509 -newkey rsa:2048 -days 10000 -nodes  -subj '/CN=' -keyout null.key -out null.crt

Then http/https returns 444 (ERR_EMPTY_RESPONSE), in different configurations https returns ERR_HTTP2_PROTOCOL_ERROR with your null certificate which is also fine to show there is nothing there.

For nginx 1.19.4 it is simpler. It introduced ssl_reject_handshake on | off (http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_reject_handshake) you can replace certificates 'stuff' with:

server {
  listen 80 default_server;
  listen [::]:80 default_server;
  listen 443 default_server;
  listen [::]:443 default_server;

  ssl_reject_handshake on;

  server_name "";
  return 444;
}

And now you get http 444 (ERR_EMPTY_RESPONSE) and for https ERR_SSL_UNRECOGNIZED_NAME_ALERT. No null certificates are needed.

jareeq
  • 311
  • 2
  • 9
4

you can return any error you find suitable. A list of errors can be found here List_of_HTTP_status_codes

server {
    listen      x.x.x.x:80;
    server_name x.x.x.x;
    return      404;
}
Kareem
  • 5,068
  • 44
  • 38
2

You may try to set the server IP address in:

/etc/nginx/conf.d/default.conf

So it looks like this:

server {
    listen 80;
    server_name localhost IP.OF.VPS.HERE;

Then you can specify the subdomain vhost, like:

server {
        listen 80;
        server_name subdomain.domain.com;

And the main domain, like:

server {
        listen 80;
        server_name www.domain.com domain.com;

Then restart Nginx:

/etc/init.d/nginx restart

Each vhost should have its own *.conf file (for better organization), like:

/etc/nginx/conf.d/subdomain.domain.com.conf
/etc/nginx/conf.d/domain.com.conf
/etc/nginx/conf.d/default.conf
user2972081
  • 573
  • 1
  • 4
  • 15
  • Will all `*.conf` files be read automatically? Or do I need to include them somewhere? – luckydonald Dec 14 '16 at 08:33
  • 1
    @luckydonald nginx.conf automatically includes all files under the conf.d directory with `include /etc/nginx/conf.d/*.conf;` – Ron Jan 14 '18 at 08:34
2

Put this at top of your /etc/nginx/conf.d/SERVER_IP_ADDRESS.conf file and comment everything what is below it.

#disabling accesing server by ip address
server {
        listen SERVER_IP_ADDRESS:80 default;
        server_name _;
        return 404;
}

Then restart your Nginx server (on Ubuntu it is done by service nginx restart this command)

Now when you will put your server's ip address to browser url field you will get 404 error.

Sid
  • 4,302
  • 3
  • 26
  • 27
1
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 default_server;
    listen [::]:443 default_server;
    return 444;
}

Don't bother supporting HTTP/2 or SSL connection for a sink. It does catch-all without those unnecesities. For the unsupported, it just refuses such connections.

See https://stackoverflow.com/a/68042877/4510033.

Константин Ван
  • 12,550
  • 7
  • 61
  • 73
0
if ($http_host != "example.com") {
    return 301 https://example.com;
}
guettli
  • 25,042
  • 81
  • 346
  • 663
user3552325
  • 407
  • 5
  • 14