Nginx – Is it possible to disable clients not supporting SNI in nginx

nginxsni

By default nginx serves https requests with multiple certificates by using SNI. The fallback for clients not supporting SNI will be the default_server or first vhost which has been configured.

I want nginx to not serve clients which don't support SNI.

For instance, if I check a site with the ssl test on ssllabs.com, the certificate sent by SNI will be shown, but also the fallback certificate without SNI support will be shown.

I'm in search of something like strict-sni in HAProxy.

I'm not using nginx+.

Best Answer

Did you try to create a server block with the IP address as server_name using ssl_reject_handshake on from nginx version 1.19.4 and above?
This should prevent answers the the IP without SNI.

Related Solutions

Nginx, multiple domains, ssl support for clients without SNI

That is one way to solve it, but if it's a good way can be up for discussion. A lot of limited networks can only access port 80 and 443, making it impossible for those users to reach your content.

The way to solve it would be to have multiple IP addresses and have one certificate on each.

Another solution would be to use UCC SSL Certificate. I don't know how many domains you want to secure and if you often make changes to that, but Comodo offers those.

Nginx – How to define which SSL certificate nginx sends first with SNI

The default_server setting of the listen directive should determine which certificate is sent for a request without SNI set in the handshake. Change the listen directive of the desired default:

listen 443 default_server ssl;

Best Answer

Related Solutions

Nginx, multiple domains, ssl support for clients without SNI

Nginx – How to define which SSL certificate nginx sends first with SNI

Related Topic