Have Nginx reject unknown server names over HTTPS

I have an Nginx instance using SNI to serve multiple HTTPS domains from a single IP.

The only glitch with the setup is that Nginx responds with the first (acting as default) domain whenever a URL for the bare IP of the server, or a domain listed at that IP for which there is no corresponding HTTPS server block, is requested. In this case I would much prefer to simply return a standard 403 Forbidden -- I would set up a default server block to do this but I can't see a way around client certificate mismatch warnings.

How can I configure Nginx to reject requests to such unknown/undefined domains without needing to specify a particular SSL certificate which will upset browsers? (i.e. I need Nginx to reject the request with a 403 prior to upsetting the client with a "bad" cert - from the client's POV this should be identical to the case where no HTTPS server block is defined at all.)


This question is quite similar to the one I answered yesterday: nginx and SNI: is it possible to automatically resolve SSL certificate by domain name

It is not possible to reject the connection before the user sees a bad certificate message in his browser. By the time Nginx might return an HTTP 403 answer, the SSL handshake is over and to complete the handshake the browser must accept the provided certificate. You can only reject the connection after the user accepted the certificate by setting up a default server:

server {
    # Catch-all block: handles the bare IP and any SNI name with no own server block
    listen 443 default_server ssl;
    # A certificate is still required to complete the handshake
    ssl_certificate       common.crt;
    ssl_certificate_key   common.key;
    # Only after the client accepted the certificate can we refuse the request
    return 403;
}

However, most recent browsers support Server Name Indication and if you have a certificate set for each vhost, it's quite unlikely for a normal user to see that message.

It might be possible to reject connections without valid hostname indicated by SSL with iptables but that is probably quite tricky and would not conform to any standards at all.

Updated information: It is possible to return 444 to abort the TCP connection immediately before a certificate error is shown.
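A complete configuration putting the default-server approach and the 444 update together, as an added example that is not part of the original question or answers. It assumes nginx 1.19.4 or newer for the ssl_reject_handshake directive; the host name example.com and the certificate paths under /etc/nginx/ are placeholders.

```nginx
# Added example (not from the original post). Assumes nginx >= 1.19.4 for
# ssl_reject_handshake; host names and certificate paths are placeholders.
http {
    # Catch-all for the bare IP, unknown SNI names and clients sending no SNI.
    server {
        listen 443 ssl default_server;
        server_name _;
        # Abort the TLS handshake with an "unrecognized_name" alert before any
        # certificate is sent, so the browser never sees a mismatch warning.
        ssl_reject_handshake on;
    }

    # Fallback for nginx older than 1.19.4: a placeholder certificate is
    # needed to finish the handshake, then 444 drops the connection without
    # sending an HTTP response (the approach from the updated answer).
    # server {
    #     listen 443 ssl default_server;
    #     server_name _;
    #     ssl_certificate     /etc/nginx/placeholder.crt;
    #     ssl_certificate_key /etc/nginx/placeholder.key;
    #     return 444;
    # }

    # One explicit block per hosted domain; SNI selects it by server_name.
    server {
        listen 443 ssl;
        server_name example.com;
        ssl_certificate     /etc/nginx/certs/example.com.crt;
        ssl_certificate_key /etc/nginx/certs/example.com.key;

        location / {
            root /var/www/example.com;
        }
    }
}
```

To check the result, connect with `openssl s_client -connect <host>:443 -servername unknown.example`: with ssl_reject_handshake the handshake should fail with an alert and no certificate is printed, whereas with the 444 fallback the placeholder certificate is shown and the connection is closed as soon as a request is sent. Only the default_server block needs the directive; the named blocks keep their own certificates.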