By default nginx serves https requests with multiple certificates by using SNI. The fallback for clients not supporting SNI will be the default_server or first vhost which has been configured.
I want nginx to not serve clients which don't support SNI.
For instance, if I check a site with the ssl test on ssllabs.com, the certificate sent by SNI will be shown, but also the fallback certificate without SNI support will be shown.
I'm in search of something like strict-sni in HAProxy.
I'm not using nginx+.
Best Answer
Did you try to create a server block with the IP address as server_name using ssl_reject_handshake on from nginx version 1.19.4 and above? This should prevent answers to the IP without SNI.
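
A configuration sketch for the approach in the answer above, added here as an example and not taken from the original answer. The address 203.0.113.10, the host name example.com, the certificate paths and the `default_server` flag are assumptions (placeholders).

```nginx
# Requires nginx 1.19.4 or later (ssl_reject_handshake).

# Catch-all block: nginx falls back to the default server of the listen
# socket when the ClientHello carries no SNI, or carries a name that no
# other server_name matches. Marking it default_server (assumption) makes
# that fallback explicit instead of relying on "first vhost configured".
server {
    listen 443 ssl default_server;

    # Placeholder address: the server's own IP, as the answer suggests.
    server_name 203.0.113.10;

    # Abort the TLS handshake instead of presenting a fallback certificate.
    # No ssl_certificate is needed in a block that rejects handshakes.
    ssl_reject_handshake on;
}

# Regular virtual host: reached only when the client sends SNI "example.com".
server {
    listen 443 ssl;
    server_name example.com;

    # Placeholder paths.
    ssl_certificate     /etc/nginx/tls/example.com.crt;
    ssl_certificate_key /etc/nginx/tls/example.com.key;

    location / {
        root /var/www/example.com;
    }
}

# Checks after reload (OpenSSL 1.1.1+ client):
#   nginx -t
#   openssl s_client -connect 203.0.113.10:443 -noservername
#       -> handshake should be aborted, no certificate shown
#   openssl s_client -connect 203.0.113.10:443 -servername example.com
#       -> example.com certificate shown
```

With this in place, a client that sends SNI for a name not configured on the server is rejected as well, since it also lands in the default block.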