<div dir="ltr"><div>Try this more explicit configuration for your default SNI server:</div><div><br></div><div><span style="color:rgb(0,0,0);font-size:12.8px">server {</span><br style="color:rgb(0,0,0);font-size:12.8px"><span style="color:rgb(0,0,0);font-size:12.8px">  listen 80 default_server;</span><br style="color:rgb(0,0,0);font-size:12.8px"><span style="color:rgb(0,0,0);font-size:12.8px">  listen 443 ssl default_server; # </span></div><div><span style="color:rgb(0,0,0);font-size:12.8px">  server_name _; </span></div><div>      <br style="color:rgb(0,0,0);font-size:12.8px"><span style="color:rgb(0,0,0);font-size:12.8px">  return 444;</span><br style="color:rgb(0,0,0);font-size:12.8px"><span style="color:rgb(0,0,0);font-size:12.8px">}</span><br></div><div><span style="color:rgb(0,0,0);font-size:12.8px"><br></span></div><div><span style="color:rgb(0,0,0);font-size:12.8px">See here for more info on "server_name _;" and the default_server selector for the listen directive, including an example similar to your config: </span><span style="color:rgb(0,0,0);font-size:12.8px"><a href="http://nginx.org/en/docs/http/server_names.html">http://nginx.org/en/docs/http/server_names.html</a></span></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Nov 13, 2015 at 9:37 AM, Joó Ádám <span dir="ltr"><<a href="mailto:adam@jooadam.hu" target="_blank">adam@jooadam.hu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<br>
I would like to terminate TLS connections arriving at the default<br>
server, only serving requests with the correct host header, relying on<br>
SNI.<br>
<br>
The configuration is as follows:<br>
<br>
    server {<br>
        listen 80;<br>
        listen 443 ssl;<br>
<br>
        return 444;<br>
    }<br>
<br>
    server {<br>
        listen 80;<br>
        listen 443 ssl;<br>
<br>
        server_name <a href="http://example.com" rel="noreferrer" target="_blank">example.com</a>;<br>
<br>
        ssl_certificate_key private-key;<br>
        ssl_certificate        certificate;<br>
    }<br>
<br>
The above, however results in all connections failing, including the<br>
ones to <a href="http://example.com" rel="noreferrer" target="_blank">example.com</a>.<br>
<br>
nginx -V is:<br>
<br>
    nginx version: nginx/1.6.2 (Ubuntu)<br>
    TLS SNI support enabled<br>
    configure arguments: --with-cc-opt='-g -O2 -fPIE<br>
-fstack-protector-strong -Wformat -Werror=format-security<br>
-D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE<br>
-pie -Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx<br>
--conf-path=/etc/nginx/nginx.conf<br>
--http-log-path=/var/log/nginx/access.log<br>
--error-log-path=/var/log/nginx/error.log<br>
--lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid<br>
--http-client-body-temp-path=/var/lib/nginx/body<br>
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi<br>
--http-proxy-temp-path=/var/lib/nginx/proxy<br>
--http-scgi-temp-path=/var/lib/nginx/scgi<br>
--http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug<br>
--with-pcre-jit --with-ipv6 --with-http_ssl_module<br>
--with-http_stub_status_module --with-http_realip_module<br>
--with-http_auth_request_module --with-http_addition_module<br>
--with-http_dav_module --with-http_geoip_module<br>
--with-http_gzip_static_module --with-http_image_filter_module<br>
--with-http_spdy_module --with-http_sub_module --with-http_xslt_module<br>
--with-mail --with-mail_ssl_module<br>
<br>
Can anyone help with this one?<br>
<br>
<br>
Thanks,<br>
Ádám<br>
<br>
_______________________________________________<br>
nginx mailing list<br>
<a href="mailto:nginx@nginx.org">nginx@nginx.org</a><br>
<a href="http://mailman.nginx.org/mailman/listinfo/nginx" rel="noreferrer" target="_blank">http://mailman.nginx.org/mailman/listinfo/nginx</a></blockquote></div><br></div>