diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index 6332085..bdcd016 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -37,6 +37,11 @@
when: nginx_tls_vhosts is defined
tags: nginx
+- name: Configure blank nginx vhost
+ template: src=blank-vhost.conf.j2 dest={{ nginx_confd_path }}/blank-vhost.conf mode=0644 owner=root group=root
+ notify:
+ - reload nginx
+
- name: Configure munin vhost
copy: src=munin.conf dest=/etc/nginx/conf.d/munin.conf mode=0644 owner=root group=root
notify:
diff --git a/roles/nginx/tasks/tls_vhosts.yml b/roles/nginx/tasks/tls_vhosts.yml
index 68722e5..a13e0d0 100644
--- a/roles/nginx/tasks/tls_vhosts.yml
+++ b/roles/nginx/tasks/tls_vhosts.yml
@@ -15,9 +15,11 @@
notify:
- reload nginx
-#- name: Generate self-signed TLS cert
-# command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=KE/ST=Nairobi/L=Nairobi/O=/CN={{ item.nginx_domain_name }}" -newkey rsa:2048 -keyout {{ item.nginx_domain_name }}.key -out {{ item.nginx_domain_name }}.crt -extensions v3_ca creates={{ tls_key_dir }}/{{ item.nginx_domain_name }}.crt.pem
-#
+- name: Generate self-signed TLS cert
+ command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key -out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt
+ notify:
+ - reload nginx
+
- name: Generate 2048-bit dhparam
command: openssl dhparam -out dhparam.pem 2048 chdir=/etc/ssl/certs creates=dhparam.pem
notify:
diff --git a/roles/nginx/templates/blank-vhost.conf.j2 b/roles/nginx/templates/blank-vhost.conf.j2
new file mode 100644
index 0000000..fc6848d
--- /dev/null
+++ b/roles/nginx/templates/blank-vhost.conf.j2
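Review bot: The new `Configure blank nginx vhost` task carries no `tags: nginx`, although the task immediately above it in the hunk context does, so a run limited with `--tags nginx` would skip deploying the catch-all vhost while still reconfiguring the others; add `tags: nginx` after the `notify:` list as on the neighbouring task. The destination is built from `{{ nginx_confd_path }}` while the munin task two lines below hardcodes `/etc/nginx/conf.d/`; if that variable can point somewhere else (its definition is not visible here), the default-server file may not land in the directory nginx actually includes. The `key=value` module-argument form also differs from Ansible's block style; `template:` with `src:`, `dest:` and `mode: "0644"` keys would be clearer and keeps the octal mode from being retyped.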
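Review bot: The `Generate self-signed TLS cert` task writes the private key to `/etc/ssl/private/nginx-snakeoil.key` but never sets its mode: `openssl req -keyout` on older OpenSSL releases honours the process umask, so the key can end up world-readable inside a directory that Debian-derived hosts only narrow to `root:ssl-cert 0710`. Add a follow-up task `file: path=/etc/ssl/private/nginx-snakeoil.key mode=0600 owner=root group=root` (or run the command under `umask 077`) so the key is protected regardless of OpenSSL version. `-extensions v3_ca` also marks this leaf certificate as a CA, which nothing here needs and which is easy to misread later; dropping it leaves a plain self-signed end-entity cert. Note too that `creates=` keys only on the `.crt`, so a missing key alongside a surviving cert is never regenerated and nginx would then fail its config test on reload.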
@@ -0,0 +1,36 @@
+# default blank vhost
+#
+# clients asking for "example.com" should only get a response if we have
+# a vhost serving that domain.
+server {
+ listen 80 default;
+ {% if nginx_tls_vhosts is defined %}
+ listen 443 ssl spdy default;
+ {% endif %}
+ server_name _;
+
+ {% if nginx_tls_vhosts is defined %}
+ # "snakeoil" certificate (self signed!)
+ ssl_certificate /etc/ssl/certs/nginx-snakeoil.crt;
+ ssl_certificate_key /etc/ssl/private/nginx-snakeoil.key;
+
+ ssl_session_timeout {{ nginx_ssl_session_timeout }};
+ ssl_session_cache {{ nginx_ssl_session_cache }};
+ ssl_buffer_size {{ nginx_ssl_buffer_size }};
+ ssl_dhparam {{ nginx_ssl_dhparam }};
+ ssl_protocols {{ nginx_ssl_protocols }};
+ ssl_ciphers "{{ tls_cipher_suite }}";
+ ssl_prefer_server_ciphers on;
+
+ # nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and
+ # when a restart is performed the previous key is lost, which resets all previous
+ # sessions. The fix for this is to setup a manual rotation mechanism:
+ # http://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx
+ #
+ # Note that you'll have to define and rotate the keys securely by yourself. In absence
+ # of such infrastructure, consider turning off session tickets:
+ ssl_session_tickets off;
+ {% endif %}
+
+ return 403;
+}
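Review bot: `listen 443 ssl spdy default;` ties the template to the nginx build: SPDY support was removed in nginx 1.9.5 in favour of `http2`, and on such a build `nginx -t` rejects the unknown `listen` parameter, so the reload notified by the tasks would fail on every host once the TLS block is rendered. Since this vhost only ever answers `return 403;`, it needs no multiplexed protocol at all — `listen 443 ssl default_server;` is enough, or take the parameter from whatever variable the real TLS vhost template uses (not visible here). The header comment says clients asking for an unknown domain should get no response, but the block returns a 403 body; if the intent really is no response, `return 444;` closes the connection without one, otherwise reword the comment to `# clients asking for a domain we do not serve get a 403 instead of the first configured vhost.`. Finally, `ssl_session_tickets off;` and its rotation caveat are placed only in this catch-all; the same concern applies to the real TLS vhosts, so unless they already set it (I cannot see them here) the directive belongs in the shared ssl defaults rather than in the deny-all server.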