SNI and certs.
r at roze.lv
Sun Dec 4 16:03:23 UTC 2016
> Create an initial default server for failover on the ip address, and have it 400 everything. Do it for http and https. For https you can use a self-signed cert; it doesn't matter as you only need to be a valid protocol.
> # failover http server
> # failover https server
You don't even need two server blocks single is enough:
listen 80 default_server;
listen 443 ssl default_server;
With whatever logic you want - either redirect to your preferred/main domain or show some generic page or error code (if you don't add anything nginx will use the default root and display the welcome page).
In case of https I don't even think it makes sense to provide any certificates (even self-signed).
Without those the connection will/should be just terminated because of peer not providing any certificates and self-signed certs shouldn't be validated (otherways there is a major flaw) by clients/crawlers either.
More information about the nginx