Fallback default server sharing cert information about other domains than for the URL you visit ?

koocr at mailc.net koocr at mailc.net
Fri Aug 9 17:27:38 UTC 2019


Hi,

> you can't  expect that they will get the return code.

Okay I guess that makes sense.

Is there any other way to get an attempt to connect to a un-hosted site to get a "nobody home, go away" response?
Something other than the current "there's a problem with the cert" mis-message?

> I might be wrong (needs a clarification from nginx dev/support people) 

No worry.   Hope somebody that's sure will chime in eventually.

> Just for testing purposes (if possible) you could either add the IP to 
> both listen directives or remove the ip part from the full-domain 
> server {} block to see if it changes anything.

Hm.  That doesn't really make sense to me.

This server has multiple IPs.  The hosted server needs to respond on a specific IP, so it needs the specific IP.

The fallback is supposed to work for all "whenever it doesn't match" cases, so it doesn't get an IP, right?

Did I misunderstand your point?

> Other than that depending on the requirements the other options are 
> just to make a matching server block with a valid certificate (with 
> Lets Encrypt it's quite simple and free) or have an *.example.com 
> wildcard SSL so the browsers are satisfied with 


A subdomain wildcard like that assumes that ALL subdomains of example.com are unhosted.  That's not true here. 

There are an infinite number of  possible mismatches.  I can't really set up a "valid cert" for each one.

This is about the fallback.  I thought that's what the fallback is supposed to handle.

Let's see if a 'dev' has some other comments.

Thanks!


More information about the nginx mailing list