We run multiple vhosts in nginx. Occasionally, a vhost will be
misconfigured or disabled (via the website management software that we
use), and public requests for the domain will fall back to nginx's
default vhost, which can have very unintended consequences (e.g., an
incorrect and completely unrelated website is displayed).

The nginx documentation suggests doing something like this to combat
this type of problem:

    listen *:80 default_server;
    listen *:443 default_server ssl;

I've placed this snippet at the top of nginx's "default" vhost
configuration file and it does exactly what I want. But I'm wondering if
this is the "correct" and "best" approach to the problem I describe.

Also, I noticed that this doesn't seem to work for SSL when an SSL
certificate and key are not specified, with the following appearing in
nginx's error log:

    no "ssl_certificate" is defined in server listening on SSL port while
    SSL handshaking, client: 10.0.1.57, server: 0.0.0.0:443

That's fine; I just want to ensure that the certificate I've specified
in order to make this work will never be transmitted nor presented to
the user-agent. When I test this in a web browser, the browser never
seems to display or mention the certificate (no mismatch or anything;
just the 444 response).

However, when I test this with cURL, it does seem to be privy to the
certificate (disregard the fact that the cert verification fails; it's

    $ curl https://10.0.1.50
    curl: (60) SSL certificate problem, verify that the CA cert is OK.
    More details here: http://curl.haxx.se/docs/sslcerts.html

Is there any way to avoid this certificate being presented, but still
return the 444 response under the conditions I've described?

Thanks for any tips here!
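For reference, here is a complete catch-all configuration of the kind the question describes, as an added example rather than anything from the original post: a default_server for port 80 that drops unknown hosts with 444, and a default_server for port 443 that refuses the TLS handshake outright so that no certificate is ever sent. It assumes nginx 1.19.4 or later, which introduced the ssl_reject_handshake directive; the IPv6 listen lines are optional and included only for completeness.

```nginx
# Catch-all for plain HTTP: any Host header that matches no other
# server_name lands here and the connection is closed without a response.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444;
}

# Catch-all for HTTPS. Requires nginx >= 1.19.4 (assumption for this
# example). With ssl_reject_handshake on, nginx aborts the TLS handshake
# with an "unrecognized_name" alert for any SNI that matches no other
# server block, so no ssl_certificate/ssl_certificate_key is needed here
# and no certificate (placeholder or otherwise) is ever presented.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;
}
```

Because the handshake is refused before any HTTP exchange, the 443 block never reaches the point of returning 444; clients simply see a failed TLS connection, while requests whose SNI matches a real vhost are still routed to that vhost's own server block and certificate. On nginx older than 1.19.4 this directive is unavailable, and the only option is the approach in the question (a placeholder certificate plus return 444), in which case the placeholder certificate is necessarily transmitted during the handshake, which is exactly what the curl output above shows. Run nginx -t after editing to confirm the configuration parses before reloading.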