Properly setting up a "default" nginx server for https

nginx https ssl

I have several servers running on the same machine, some with http only, some with both http and https. There are several server blocks defined in separate files which are included from the main config file.

I have set up a "default" server for http which will serve a generic "maintenance page" to requests that don't match any of the other server_names in the other config files. The http default server works as expected, it uses the server_name "_" and it appears first in the list of includes (because I have observed that in the case of duplicate server_names across servers, the one appearing first is used). This works great.

I would expect the same exact server block (only switching "listen 80 default_server" to "listen 443 default_server" and also instead of serving page "return 444") however it does not. Instead, it appears that the new default https server is actually grabbing all incoming https connections and causing them to fail, although the other server blocks have more appropriate server_names for the incoming requests. Removing the new default https server will cause semi-correct behavior to resume: the websites with https will all load correctly; but the websites without https will all be routed to the first https server in the include files (which according to the docs, if no "default_server" appears, then the first server block to appear will be "default").

So my question is, what is the correct way to define a "default server" in nginx for ssl connections? Why is it that when I explicitly set a "default_server" it gets greedy and grabs all connections whereas when I implicitly let nginx decide the "default server" it works like I would expect (with the incorrect server set as default and the other real servers behaving correctly)?

Here are my "default servers". Http works without breaking other servers. Https breaks other servers and consumes all.

server {
    listen 443 ssl default_server;
    server_name _;

    access_log /var/log/nginx/maintenance.access.log;
    error_log /var/log/nginx/maintenance.error.log error;

    return 444;
}

server {
    listen *:80 default_server;
    server_name _;
    charset utf-8;

    access_log /var/log/nginx/maintenance.access.log;
    error_log /var/log/nginx/maintenance.error.log error;

    root /home/path/to/templates;

    location / {
        return 503;
    }

    error_page 503 @maintenance;

    location @maintenance {
        rewrite ^(.*)$ /maintenance.html break;
    }
}

Any of you see what might be wrong here?


I managed to configure a shared dedicated hosting on a single IP with nginx. Default HTTP and HTTPS serving a 404 for unknown domains incoming.

1 - Create a default zone

As nginx is loading vhosts in ascii order, you should create a 00-default file/symbolic link into your /etc/nginx/sites-enabled.

2 - Fill the default zone

Fill your 00-default with default vhosts. Here is the zone i am using:

server {
    server_name _;
    listen       80  default_server;
    return       404;
}


server {
    listen 443 ssl;
    server_name _;
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    return       404;
}

3 - Create self signed certif, test, and reload

You will need to create a self signed certificate into /etc/nginx/ssl/nginx.crt.

Create a default self signed certificate: 

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt

Just a reminder:

  • Test the nginx configuration before reloading/restarting : nginx -t
  • Reload a enjoy: sudo service nginx reload

Hope it helps.


You do not have any ssl_certificate or ssl_certificate_key defined in your "default" https block. Although you do not have or want a real key for this default scenario, you still need to configure one or else nginx will have the undesired behaviour that you describe.

Create a self-signed certificate with a Common Name of * and plug it into your config and it will start to work as you want.

The "default" behaviour under this set up would be that a browser would get a warning that the certificate can not be trusted, if the user adds the certificate as an exception, the connection will be dropped by nginx and they will see their browser's default "could not connect" error message.

Related

How to configure postfix to pipe all incoming email to a script?
Exchange server replacement that runs on Linux
How do I find if there is a rogue DHCP server on my Network?
Is Round-Robin DNS "good enough" for load balancing static content?
Can anyone recommend a website monitoring service? [closed]
How can I connect to a Windows server using a Command Line Interface? (CLI)
Why should I firewall servers?
Apache accepting requests to other servers?
Agreement after disjunctive compound subject_"My brother or one of my sisters" — singular or plural?
Why do we say "It's time we ate" and not "It's time we eat"?
"pros and cons", "black and white", "ups and downs". Always in a fixed sequence, is there a word or phrase for these?
When is "L" doubled?