server

How to disable direct access to a web site by ip address

· John Doe

314 Views

Neither of above helped in my case - IP connection to http works as expected but https was redirecting to alphabetically first https virtual site. What was working witn nginx below 1.19.4 was to add null certificate to block:

server {
  listen 80 default_server;
  listen [::]:80 default_server;
  listen 443 default_server;
  listen [::]:443 default_server;

  ssl_certificate /etc/ssl/null.crt;
  ssl_certificate_key /etc/ssl/null.key;

  server_name "";
  return 444;
}

 

Certificte can be generated with empty CN so you need no worry about fill it.

sudo openssl req -x509 -newkey rsa:2048 -days 10000 -nodes  -subj "/C=US/ST=Florida/L=XXXXX/O=Foo Inc./OU=IT/CN=X" -keyout null.key -out null.crt

 

Then http/https returns 444 (ERR_EMPTY_RESPONSE), in different configurations https returns ERR_HTTP2_PROTOCOL_ERROR with your null certificate which is also fine to show there is nothing there.

For nginx 1.19.4 it is simpler. It introduced ssl_reject_handshake on | off (http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_reject_handshake) you can replace certificates 'stuff' with:

server {
  listen 80 default_server;
  listen [::]:80 default_server;
  listen 443 default_server;
  listen [::]:443 default_server;

  ssl_reject_handshake on;

  server_name "";
  return 444;
}

 

And now you get http 444 (ERR_EMPTY_RESPONSE) and for https ERR_SSL_UNRECOGNIZED_NAME_ALERT. No null certificates are needed.

 

Ref.

I have a website on a VPS. The issue I am having is that when I enter the IP of the server, it links to the website. Even when entering mail.domain.com, it does the same thing. How do I disable t...
I am trying to create a new private key and CSR file for a colleague with some provided details: C = US S = Florida L = XXXXX O ...

nginx ssl