Defining a default server for when vhost does not exist for requested hostname (including blank hostname), for http and https

Ben Johnson ben at
Fri Mar 28 16:51:17 UTC 2014

On 3/28/2014 11:45 AM, Maxim Dounin wrote:
> Hello!
> On Fri, Mar 28, 2014 at 02:53:18PM +0000, Jonathan Matthews wrote:
>> On 28 March 2014 14:31, Ben Johnson <ben at> wrote:
>>> Is there any way to avoid this certificate being presented, but still
>>> return the 444 response under the conditions I've described?
>> I'd /suspect/ not, as the 444 response can't be "delivered" (i.e. the
>> connection closed) until sufficient information has been passed over
>> the already-SSL-secured connection. In other words, the cert *has* to
>> be used to secure the channel over which the HTTP request will be
>> made, and only after it's been made can the correct server{} block be
>> chosen and the response delivered - even if the response is simply to
>> close the connection.
> If SNI is used, it's in theory possible to close a connection
> early (during an SSL handshake, after ClientHello but
> before sending anything).  The following tickets in trac are
> related:

Thanks for the input, Jonathan and Maxim.

Maxim, when you say, "If SNI is used, it's in theory possible to close a
connection early," do you mean to imply that while possible, this
capability has not yet been implemented in nginx (the tickets are still
open after almost two years)?

Thanks again,

