Nginx – Why Nginx calls for invalid certificate in non-existent subdomains just to redirect to 404

configurationhttp-status-code-404httpsnginxssl

Have two server blocks.
default_server block inside http block of nginx.conf:

server {
   server_name _;
   listen 80 default_server;
   listen [::]:80 default_server ipv6only=on;
   listen 443 default_server;
   return 404;
}
include /etc/nginx/sites-enabled/*;

A working domain/website block inside sites-enabled:

server {
  listen 80;
  listen 443;
  server_name example.com;
  return 301 https://www.$server_name$request_uri;
}

server {
  listen 80;
  listen 443 ssl;
  root /var/www/example.com/htdocs/;
  index index.html index.htm;

  server_name www.example.com;
}

(I have this setup to redirect all non-www to www and all http to https)

I have a cert for both non-www and www for my domain. Nginx for some reason is calling any subdomain instead of giving default website cannot be found/ERR_CONNECTION_RESET/ error.
For example if I go to https://asdf.example.com/ Nginx calls it and browser tells you it's insecure SSL cert, then you accept it anyway and get a 404 page.
How do I jump to 404 page skipping the invalid cert message or how do I jump straight to 'page not found' and not the 404? E.g. like go to https://asdf.serverfault.com it doesn't give a 404, it gives a ERR_CONNECTION_RESET/. I want that for all non-existent subdomains and domains on my server.

update: Could it be that all my ssl_certificate lines are added to main http block too? If so, still doesn't solve calling for ERR_CONNECTION_RESET and not 404 like given example on 6..

Best Answer

If you open https://asdf.example.com directly then browser will resolve asdf.example.com to an IP address and then connect to it using HTTPS protocol. If server (with retrieved IP) is listening on 443 port and returns no certificate for this domain, or an invalid one than browser will warn you about insecure protocol before finishing up the request (e.g. displaying 404 error).

https://asdf.serverfault.com gives an connection error because this subdomain is not registered, it has no IP address. That's why you see this error. If you want to make sure asdf.example.com returns an connection error instead of ssl warning then make sure that this subdomain is not registered and there is no wildcard (*) record for example.com.

Related Solutions

Nginx – How to force or redirect to SSL in nginx

According to nginx pitfalls, it's slightly better to omit the unnecessary capture, using $request_uri instead. In that case, append a question mark to prevent nginx from doubling any query args.

server {
    listen      80;
    server_name signup.mysite.com;
    rewrite     ^   https://$server_name$request_uri? permanent;
}

Nginx – Properly setting up a “default” nginx server for https

I managed to configure a shared dedicated hosting on a single IP with nginx. Default HTTP and HTTPS serving a 404 for unknown domains incoming.

1 - Create a default zone

As nginx is loading vhosts in ascii order, you should create a 00-default file/symbolic link into your /etc/nginx/sites-enabled.

2 - Fill the default zone

Fill your 00-default with default vhosts. Here is the zone i am using:

server {
    server_name _;
    listen       80  default_server;
    return       404;
}


server {
    listen 443 ssl;
    server_name _;
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    return       404;
}

3 - Create self signed certif, test, and reload

You will need to create a self signed certificate into /etc/nginx/ssl/nginx.crt.

Create a default self signed certificate:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt

Just a reminder:

Test the nginx configuration before reloading/restarting : nginx -t
Reload a enjoy: sudo service nginx reload

Hope it helps.

Best Answer

Related Solutions

Nginx – How to force or redirect to SSL in nginx

Nginx – Properly setting up a “default” nginx server for https

Related Topic