Fallback default server sharing cert information about other domains than for the URL you visit?

koocr at mailc.net koocr at mailc.net
Fri Aug 9 15:54:26 UTC 2019


My own domain, let's say 'example.com', is registered in the HSTS preload database (https://hstspreload.org).

I set up my domain as a virtual host in Nginx:


		# plain HTTP: redirect everything to HTTPS
		server {
			server_name example.com www.example.com;
			location / {
				return 301 https://example.com$request_uri;
			}
		}

		# HTTPS site for example.com + www.example.com
		server {
			listen 443 ssl http2;
			server_name example.com www.example.com;

			ssl_trusted_certificate   "/etc/ssl/trusted.crt.pem";
			ssl_certificate           "/etc/ssl/chain.crt.pem";
			ssl_certificate_key       "/etc/ssl/privkey.pem";

			add_header Strict-Transport-Security "max-age=315360000; includeSubDomains; preload";

			location / {...}
		}

The cert is good for example.com + www.example.com.

When I go to


it works like you would expect.

I also set up a fallback default server in my main nginx config:


		# catch-all for port 80: send any unknown host to HTTPS
		server {
			listen 80       default_server;
			listen [::]:80  ipv6only=on default_server;
			server_name _;
			return 301 https://$host;
		}

		# catch-all for port 443: placeholder cert, close the connection
		server {
			listen 443      ssl http2 default_server;
			listen [::]:443 ssl http2 ipv6only=on default_server;
			server_name _;

			ssl_trusted_certificate   "/etc/ssl/trusted.crt.pem";
			ssl_certificate           "/etc/ssl/null.crt.pem";
			ssl_certificate_key       "/etc/ssl/nullkey.pem";

			return 444;
		}
		include sites-enabled/*.conf;

If I go to a subdomain of my domain that has a DNS A-record pointing to the same IP, but no Nginx virtual-hosted site,


in the browser I get this message:

	Did Not Connect: Potential Security Issue
	 Firefox detected a potential security threat and did not continue to subdomain.example.com because this website requires a secure connection.
	 What can you do about it?
	 subdomain.example.com has a security policy called HTTP Strict Transport Security (HSTS), which means that Firefox can only connect to it securely. You can’t add an exception to visit this site.
	 The issue is most likely with the website, and there is nothing you can do to resolve it. You can notify the website’s administrator about the problem.
	 Learn more…

		Websites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for subdomain.example.com. The certificate is only valid for the following names: example.com, www.example.com
		View Certificate

I expect it to fail with a 444, and only have info about the failed subdomain.

Why does it respond with cert info about the "example.com, www.example.com" certs at all? Those are only for the full-domain site.

What do I need to set up to just get a fallback 444 response and NO information about any other domain's certs etc, when I visit the un-hosted subdomain.example.com?
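An added diagnostic, not part of this post and not nginx's own tooling: the certificate the browser complains about is chosen by the server during the TLS handshake, which completes before any HTTP-level `return 444` can run, so the handshake is the place to look. The script below opens a TLS connection with a chosen SNI name and reports which DNS names the presented certificate carries, separating the ones that cover the requested name from any that belong to other sites. The host, port and `SAMPLE_CERT` dictionary are assumptions (the sample is constructed in the shape `getpeercert()` returns, not a real certificate).

```python
import socket
import ssl


def san_names(cert):
    """DNS names from a getpeercert()-style dict (constructed or live)."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern, hostname):
    """Exact match, or a single left-most wildcard label (*.example.com)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), hostname.split(".")
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return False


def assess(names, sni):
    """Split the presented names into those covering the SNI name and the rest."""
    covering = [n for n in names if name_matches(n, sni)]
    other = [n for n in names if not name_matches(n, sni)]
    return {"sni": sni, "covers_sni": bool(covering), "other_names": other}


def presented_san_names(host, sni, port=443, timeout=5):
    """Handshake with the given SNI and return the DNS SANs of the leaf cert.

    Chain verification against the system CA store stays on, because
    getpeercert() only returns a parsed dict for a verified certificate;
    hostname checking is off, because listing the names is the whole point.
    A self-signed fallback cert fails verification and is reported as None.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            with ctx.wrap_socket(sock, server_hostname=sni) as tls:
                return san_names(tls.getpeercert())
        except ssl.SSLCertVerificationError:
            return None


# Constructed sample: the shape getpeercert() returns for a certificate
# covering example.com and www.example.com (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # live check: python check_sni.py <ip-or-host> <sni-name>
        names = presented_san_names(sys.argv[1], sys.argv[2])
        if names is None:
            print("certificate did not verify against the system CA store (self-signed fallback?)")
        else:
            print(assess(names, sys.argv[2]))
    else:
        # offline demonstration on the constructed sample
        print(assess(san_names(SAMPLE_CERT), "subdomain.example.com"))
```

Run it against the server's IP with the un-hosted subdomain as the SNI name: if `other_names` lists the main site's names, the handshake for that SNI is being answered with the site certificate rather than the placeholder one, regardless of what `return 444` does afterwards.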
