Selection of secure virtual servers

Nick Lopez nlopez at gmail.com
Fri Nov 13 21:04:32 UTC 2015 

Try this more explicit configuration for your default SNI server:

server {
  listen 80 default_server;
  listen 443 ssl default_server; #
  server_name _;

  return 444;
}

See here for more info on "server_name _;" and the default_server selector
for the listen directive, including an example similar to your config:
http://nginx.org/en/docs/http/server_names.html

On Fri, Nov 13, 2015 at 9:37 AM, Joó Ádám <adam at jooadam.hu> wrote:

> Hi,
>
> I would like to terminate TLS connections arriving at the default
> server, only serving requests with the correct host header, relying on
> SNI.
>
> The configuration is as follows:
>
>     server {
>         listen 80;
>         listen 443 ssl;
>
>         return 444;
>     }
>
>     server {
>         listen 80;
>         listen 443 ssl;
>
>         server_name example.com;
>
>         ssl_certificate_key private-key;
>         ssl_certificate        certificate;
>     }
>
> The above, however results in all connections failing, including the
> ones to example.com.
>
> nginx -V is:
>
>     nginx version: nginx/1.6.2 (Ubuntu)
>     TLS SNI support enabled
>     configure arguments: --with-cc-opt='-g -O2 -fPIE
> -fstack-protector-strong -Wformat -Werror=format-security
> -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE
> -pie -Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx
> --conf-path=/etc/nginx/nginx.conf
> --http-log-path=/var/log/nginx/access.log
> --error-log-path=/var/log/nginx/error.log
> --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid
> --http-client-body-temp-path=/var/lib/nginx/body
> --http-fastcgi-temp-path=/var/lib/nginx/fastcgi
> --http-proxy-temp-path=/var/lib/nginx/proxy
> --http-scgi-temp-path=/var/lib/nginx/scgi
> --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug
> --with-pcre-jit --with-ipv6 --with-http_ssl_module
> --with-http_stub_status_module --with-http_realip_module
> --with-http_auth_request_module --with-http_addition_module
> --with-http_dav_module --with-http_geoip_module
> --with-http_gzip_static_module --with-http_image_filter_module
> --with-http_spdy_module --with-http_sub_module --with-http_xslt_module
> --with-mail --with-mail_ssl_module
>
> Can anyone help with this one?
>
>
> Thanks,
> Ádám
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20151113/80500b1c/attachment.html>

More information about the nginx mailing list