Last active
June 28, 2021 07:30
-
-
Save Tugzrida/63f4c6be2d075a0f97932b24d4552165 to your computer and use it in GitHub Desktop.
Drop connections to nginx which don't match any server block
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| server { | |
| listen 80 default_server; | |
| listen [::]:80 default_server; | |
| listen 443 ssl default_server; | |
| listen [::]:443 ssl default_server; | |
| ## For nginx >= 1.19.4: | |
| ## If also using openssl >= 1.1.1j, the certificate directives can be removed. | |
| ## Even if present, the cert is never sent, it's just a workaround for an openssl bug. | |
| #ssl_reject_handshake on; | |
| #ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem; # Generated by ssl-cert package | |
| #ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key; # Generated by ssl-cert package | |
| #ssl_stapling off; | |
| ## For nginx < 1.19.4: | |
| ## Due to the limitations of this version, the cert will be sent to a client when using TLS1.3. | |
| ## The only other option would be to disable TLS1.3 for the whole nginx instance, which would be silly. | |
| ## The connection will still be dropped after the TLS handshake. | |
| #ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem; # Generated by ssl-cert package | |
| #ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key; # Generated by ssl-cert package | |
| #ssl_stapling off; | |
| #ssl_ciphers aNULL; | |
| return 444; | |
| error_page 400 =444 /; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment