Hello,

 

I tried to create a catch-all server that returns 444, so that random.mydomain.com doesn't respond with the page of www.mydomain.com. But after adding this, which people suggested, it catches ALL; nothing gets around it.

 

server {
  listen 80 default_server;
  listen 443 ssl default_server;
  listen [::]:80 default_server;
  listen [::]:443 ssl default_server;

  server_name _;
  return 444;
}
#here are the includes for the .conf files

Also, this starts pushing errors saying that the SSL is configured wrong when connecting to www.mydomain.com over HTTPS. How do I fix it so that it responds with the correct site for the correct domain and the rest gets terminated, including HTTPS attempts?

Back-end developer, electronics "hacker"

https://linustechtips.com/topic/902649-nginx-set-default-catch-all-server/


Is this in the /etc/nginx/sites-available/default file? If not, have you checked /etc/nginx/sites-enabled to see if the symbolic link is there? You can change it; I believe it is /etc/nginx/nginx.conf where the line is something like /etc/nginx/sites-enabled. Change that line to /etc/nginx/sites-available and you will be good to go; it saves creating the symbolic links each time you need to do anything.


2 minutes ago, KirbyTech said:

Is this in the /etc/nginx/sites-available/default file? If not, have you checked /etc/nginx/sites-enabled to see if the symbolic link is there? You can change it; I believe it is /etc/nginx/nginx.conf where the line is something like /etc/nginx/sites-enabled. Change that line to /etc/nginx/sites-available and you will be good to go; it saves creating the symbolic links each time you need to do anything.

No, it was in nginx.conf. I like the idea with symlinks, as I can just delete the file in enabled and refresh nginx and the site is no longer published, without deleting the conf file :)

Back-end developer, electronics "hacker"


15 minutes ago, Joveice said:

No, it was in nginx.conf. I like the idea with symlinks, as I can just delete the file in enabled and refresh nginx and the site is no longer published, without deleting the conf file :)

I have used Nginx lots before and never seen a server block inside nginx.conf. Are you sure that is where your server block is? It should be in one of the sites-available files.

 

As for the links, to each their own. I like my way, since I just use my user's ~ to put the files I don't need anymore in. I find it much quicker to work with than the links.


2 minutes ago, KirbyTech said:

I have used Nginx lots before and never seen a server block inside nginx.conf. Are you sure that is where your server block is? It should be in one of the sites-available files.

 

As for the links, to each their own. I like my way, since I just use my user's ~ to put the files I don't need anymore in. I find it much quicker to work with than the links.

All guides I found said to put it before the include part; as I don't know, I just followed what all the guides said.

Back-end developer, electronics "hacker"


1 minute ago, Joveice said:

All guides I found said to put it before the include part; as I don't know, I just followed what all the guides said.

This guide should help you a bit.

 

https://www.digitalocean.com/community/tutorials/how-to-set-up-nginx-server-blocks-virtual-hosts-on-ubuntu-16-04


On 06/03/2018 at 3:39 PM, KirbyTech said:

Not really, I only need to get the catch all to work.

 

So I added this to the default.conf

server {
    listen 80 default_server;
    listen 443 ssl http2 default_server;
    return 444;
}

Now when I try my IP I get redirected to my SSL site and get a warning that the SSL may not be secure. The URL I'm visiting is https://serverip/, which I have no conf file to match other than the default_server in the new file.

Back-end developer, electronics "hacker"


21 hours ago, Joveice said:

Not really, I only need to get the catch all to work.

 

So I added this to the default.conf


server {
    listen 80 default_server;
    listen 443 ssl http2 default_server;
    return 444;
}

Now when I try my IP I get redirected to my SSL site and get a warning that the SSL may not be secure. The URL I'm visiting is https://serverip/, which I have no conf file to match other than the default_server in the new file.

Okay, I am more confused now than before. The only file that should matter right now is /etc/nginx/sites-enabled/default; AFAIK there is no default.conf file unless they changed it in the past week or you are referencing a file in a completely different directory. If your file is not the one I said above, please post the URL path, and either way show us the whole file.

 

As for SSL certs, you need to run something like certbot with Let's Encrypt or go buy an SSL cert. Just using HTTPS doesn't make the site secure.


7 minutes ago, KirbyTech said:

Okay, I am more confused now than before. The only file that should matter right now is /etc/nginx/sites-enabled/default; AFAIK there is no default.conf file unless they changed it in the past week or you are referencing a file in a completely different directory. If your file is not the one I said above, please post the URL path, and either way show us the whole file.

 

As for SSL certs, you need to run something like certbot with Let's Encrypt or go buy an SSL cert. Just using HTTPS doesn't make the site secure.

It doesn't need to be secure to return a 444... I'll get the files for you.

Back-end developer, electronics "hacker"


5 hours ago, Joveice said:

It doesn't need to be secure to return a 444... I'll get the files for you.

Okay, I missed the 444 part. And those files will tell way more than you are.

 

So you want to return a status code 444 when a user hits any subdomain that you currently don't have? 


17 minutes ago, KirbyTech said:

Okay, I missed the 444 part. And those files will tell way more than you are.

 

So you want to return a status code 444 when a user hits any subdomain that you currently don't have? 

default.conf

(I tried both with server_name _; and without, same result)

 

server {
    listen 80 default_server;
    listen 443 default_server;        # no "ssl" here, so nginx speaks plain HTTP on 443
    listen [::]:80 default_server;
    listen [::]:443 default_server;   # the post had the typo "lsiten" here; nginx -t rejects it as an unknown directive
    server_name _;
    return 444;
}

a website

server {
  listen 80;
  server_name website.mydomain.com;
  # Let's Encrypt HTTP-01 challenges stay on plain HTTP
  location /.well-known/acme-challenge {
    default_type "text/plain";
    root /path/to/certbot/stuff;
  }
  # Forces all other requests to HTTPS
  location / {
    return 301 https://$host$request_uri;
  }
}
server {
  listen 443 ssl http2;
  server_name website.mydomain.com;
  #### quite a lot of ssl stuff ####
  ####                          ####
  #### ######################## ####
  root /path/to/root;
  index index.html index.php;

  location / {
    try_files $uri $uri/ $uri.html @rewrite;
  }

  location @rewrite {
    rewrite ^ $uri.php last;
    try_files $uri =404;
  }
  location ~ \.php$ {
    fastcgi_split_path_info ^(.+?\.php)(/.+)$;
    fastcgi_pass unix:/run/php/php7.2-fpm.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
    include fastcgi.conf;
    # refuse requests whose .php target does not exist on disk
    try_files $uri =404;
  }
}

nginx.conf, everything is default. But this is the only part that had to do with this.

include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;

conf.d is empty, no files.

 

Everything gets sent to the .conf of website.mydomain.com.

 

EDIT:

Yes, the last part you said is correct, that is what I want.

Back-end developer, electronics "hacker"


server {
    listen      80;
    server_name "";
    return      444;
}

I think what you are missing is that the server name needs to be "" not _; as far as I can tell that is the only thing you have wrong. Try that and report back; I will look and see what else is out there. I typed that from memory though, so Google should yield some results.


1 hour ago, KirbyTech said:

server {
    listen      80;
    server_name "";
    return      444;
}

I think what you are missing is that the server name needs to be "" not _; as far as I can tell that is the only thing you have wrong. Try that and report back; I will look and see what else is out there. I typed that from memory though, so Google should yield some results.

Doesn't matter

Quote

In catch-all server examples the strange name “_” can be seen:


server {
    listen       80  default_server;
    server_name  _;
    return       444;
}

There is nothing special about this name, it is just one of a myriad of invalid domain names which never intersect with any real name. Other invalid names like “--” and “!@#” may equally be used.

 

Back-end developer, electronics "hacker"


22 hours ago, Joveice said:

Okay, for some reason the file works now, but as before, it's still catching everything...

Please post the config file for anyone who happens to search and find this thread. Add it to the OP if you could, others will thank you.


22 minutes ago, KirbyTech said:

Please post the config file for anyone who happens to search and find this thread. Add it to the OP if you could, others will thank you.

The config files are here...

 

I might have solved it. I needed to add a certificate and certificate key to catch 443, as you can't see the domain it's asking for before the SSL is decrypted. So far it looks like it works.

Back-end developer, electronics "hacker"

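For anyone who lands on this thread later, here is an added example (not Joveice's posted config) of the working end state: a default_server on both 80 and 443 that drops every name no other server block claims. nginx has to finish the TLS handshake before it can answer anything on 443, so the catch-all needs a certificate (any certificate, a throwaway self-signed one will do); on nginx 1.19.4 and newer the handshake can instead be rejected outright with no certificate. The certificate paths below are placeholders.

```nginx
# Added example, not the thread's own config. Paths are placeholders; make a
# throwaway self-signed pair with:
#   openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj /CN=catchall \
#       -keyout /etc/ssl/private/catchall.key -out /etc/ssl/certs/catchall.crt
# Check and apply with:  nginx -t && systemctl reload nginx

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    # "_" is just an invalid hostname; "default_server" on the listen lines is
    # what makes this block receive every request that matches no server_name.
    server_name _;
    return 444;          # close the connection without sending a response
}

server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;

    # Without a certificate nginx either refuses the config or fails every
    # handshake on this block, logging:
    #   no "ssl_certificate" is defined in server listening on SSL port
    # Browsers will warn about the self-signed cert and then get no content.
    ssl_certificate     /etc/ssl/certs/catchall.crt;
    ssl_certificate_key /etc/ssl/private/catchall.key;

    return 444;
}

# nginx >= 1.19.4 alternative: replace the 443 block above with this one.
# The handshake is aborted before any certificate is sent (the client sees a
# TLS "unrecognized name" alert), so no cert/key is needed at all.
#
# server {
#     listen 443 ssl default_server;
#     listen [::]:443 ssl default_server;
#     ssl_reject_handshake on;
# }

# Real sites keep an explicit server_name and their own certificate, and must
# NOT carry default_server, e.g.:
#
# server {
#     listen 443 ssl http2;
#     server_name www.mydomain.com;
#     ssl_certificate /etc/letsencrypt/live/www.mydomain.com/fullchain.pem;
#     ...
# }
```

To verify from a client, `curl -vk --resolve random.mydomain.com:443:SERVER_IP https://random.mydomain.com/` should end in "Empty reply from server" (or the TLS alert with ssl_reject_handshake), while the same command with www.mydomain.com still returns the site.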
