How to hide "Alterative names" SSL certificates (in SSLlabs test)?

Solution 1:

If your server is contacted with an older https protocol (without SNI), or even by using its IP address instead of a domain name, Nginx will choose the default server block and use whichever certificate is associated with it.

The test results you are seeing are simply identifying which server block is the default.

You can choose which certificate Nginx should use in these cases, by marking one of your server blocks (which listen for https connections) with the default_server attribute.

For example:

server {
    listen 443 ssl default_server;
    ssl_certificate     ...;
    ssl_certificate_key ...;
    ...
}

You can even choose to reject these connections with a return 444; statement, but you will still need a valid certificate to negotiate the connection in the first place.

See the documentation on default servers and HTTPS servers.