SNI and certs.

Reinis Rozitis r at
Sun Dec 4 16:03:23 UTC 2016

> Create an initial default server for failover on the ip address, and have it 400 everything.  Do it for http and https.   For https you can use a self-signed cert; it doesn't matter as you only need to be a valid protocol.
>     # failover http server
>    # failover https server

You don't even need two server blocks single is enough:

server {
	listen 80 default_server;
	listen 443 ssl default_server;

With whatever logic you want - either redirect to your preferred/main domain or show some generic page or error code (if you don't add anything nginx will use the default root and display the welcome page).

In case of https I don't even think it makes sense to provide any certificates (even self-signed). 
Without those the connection will/should be just terminated because of peer not providing any certificates and self-signed certs shouldn't be validated (otherways there is a major flaw) by clients/crawlers either.


More information about the nginx mailing list