Add a default, blank SSL vhost #17

Closed
opened 2015-05-24 09:59:25 +02:00 by alanorth · 2 comments
alanorth commented 2015-05-24 09:59:25 +02:00 (Migrated from github.com)

When a client doesn't support SNI they shouldn't get a response for a host they're probably not expecting. There are instructions and rationale [here](https://calomel.org/nginx.html) for setting up a default, blank SSL vhost.
alanorth commented 2015-06-01 20:30:21 +02:00 (Migrated from github.com)

Need to set a default, catch-all vhost for HTTP and HTTPS:

    # default blank SSL server (hosts with no SNI shouldn't get something they
    # haven't asked for).
    server {
        listen              80 default;
        listen              443 ssl spdy default;
        server_name         _;

        ssl_certificate /etc/ssl/certs/nginx-snakeoil.crt;
        ssl_certificate_key /etc/ssl/private/nginx-snakeoil.key;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        ssl_prefer_server_ciphers on;

        return              403;
    }

Requests for hosts without a matching vhost definition will get 403 forbidden.

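As a check on the approach described in the comment above (an added example, not part of the issue or of the ansible-personal repository): a small Python script that parses an nginx configuration and flags every `ssl` listen port that has no catch-all default server, or whose default server serves content instead of refusing with a `return`. The sample configurations are constructed here from the server block in the comment plus a hypothetical `example.org` vhost; the parser is deliberately minimal (comments stripped, one directive per `;`, nested blocks such as `location` skipped), which is enough for `listen`, `server_name` and `return` checks.

```python
import re

# Constructed sample: the catch-all block from the issue plus a hypothetical
# site vhost. This is what the checker should accept without findings.
SAMPLE_NGINX_CONF = """
# default blank SSL server (hosts with no SNI shouldn't get something they
# haven't asked for).
server {
    listen              80 default;
    listen              443 ssl spdy default;
    server_name         _;
    ssl_certificate /etc/ssl/certs/nginx-snakeoil.crt;
    ssl_certificate_key /etc/ssl/private/nginx-snakeoil.key;
    return              403;
}
server {
    listen 443 ssl;
    server_name example.org;
    ssl_certificate /etc/ssl/certs/example.crt;
    ssl_certificate_key /etc/ssl/private/example.key;
    root /var/www/example;
}
"""

# Constructed sample of the situation the issue wants to avoid: only a real
# site is defined, so a client that sends no SNI is handed that site.
NO_DEFAULT_CONF = """
server {
    listen 443 ssl;
    server_name example.org;
    root /var/www/example;
}
"""


def parse_servers(conf):
    """Return a list of server blocks, each a list of (directive, args).

    Minimal tokenizer: comments are removed, then the text is walked one
    delimiter ({ ; }) at a time with brace depth tracked. Only directives
    at the server block's own depth are recorded; nested blocks are skipped.
    Values containing braces (e.g. regex in an 'if') are not handled.
    """
    text = re.sub(r"#[^\n]*", "", conf)
    servers, current, depth, server_depth = [], None, 0, None
    for m in re.finditer(r"([^{};]*)([{};])", text):
        body, delim = m.group(1).strip(), m.group(2)
        if delim == "{":
            depth += 1
            if current is None and body.split()[:1] == ["server"]:
                current, server_depth = [], depth
        elif delim == "}":
            if current is not None and depth == server_depth:
                servers.append(current)
                current = None
            depth -= 1
        elif body and current is not None and depth == server_depth:
            parts = body.split()
            current.append((parts[0], parts[1:]))
    return servers


def check_default_ssl_vhost(conf):
    """Return a list of findings; an empty list means every ssl port has a
    catch-all default server that refuses requests rather than serving them."""
    findings, ssl_ports, default_for = [], set(), {}
    for srv in parse_servers(conf):
        for name, args in srv:
            if name != "listen" or not args:
                continue
            # "443", "*:443" and "[::]:443" all reduce to the port number.
            port = args[0].rsplit(":", 1)[-1]
            if "ssl" in args[1:]:
                ssl_ports.add(port)
            if "default" in args[1:] or "default_server" in args[1:]:
                default_for.setdefault(port, srv)
    for port in sorted(ssl_ports):
        srv = default_for.get(port)
        if srv is None:
            findings.append(f"port {port}: no default server; clients without SNI "
                            f"are routed to the first server block on that port")
            continue
        directives = {name for name, _ in srv}
        returns = [args for name, args in srv if name == "return"]
        if not returns or returns[0][:1] not in (["403"], ["404"], ["444"]):
            findings.append(f"port {port}: default server does not refuse requests "
                            f"(expected 'return 403' or 'return 444')")
        serving = sorted(directives & {"root", "alias", "proxy_pass"})
        if serving:
            findings.append(f"port {port}: default server serves content via {', '.join(serving)}")
    return findings


if __name__ == "__main__":
    for label, conf in (("sample", SAMPLE_NGINX_CONF), ("no-default", NO_DEFAULT_CONF)):
        print(label, check_default_ssl_vhost(conf) or "OK")
```

Run against a real deployment with `python check.py < /etc/nginx/nginx.conf` adapted to read stdin, or point it at the output of `nginx -T`, which prints the fully included configuration and is the form this parser expects.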
alanorth commented 2015-06-05 23:10:47 +02:00 (Migrated from github.com)

Added in 151fb29687baae4eb7552b6802e98c9d3287d324. Ended up doing a bit more for SSL in the blank vhost, like turning off SSL session tickets, as this was causing errors with self-signed certs.
Reference: alanorth/ansible-personal#17