Sometimes we want to drop clients that probe our Nginx IPs without sending a valid server_name. Since we use Server Name Indication (SNI) for our virtual hosts, we want to drop every client that does not specify one of them. Typically these clients walk our IPs looking for well-known web applications. Let’s call our intercepting server
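
    # Plain HTTP: requests without a Host header get 444, which makes
    # nginx close the connection without sending any response.
    # To also catch names that match no other vhost, this block must be the
    # default server for each listen socket (first defined, or default_server).
    server {
        listen 10.0.0.1:80;
        listen [2a02:beef:fa:1000::1]:80;
        server_name "";
        return 444;
    }

    # HTTPS: TLS is enabled per socket with the "ssl" listen parameter.
    # The certificate is only there so the handshake can complete.
    server {
        listen 10.0.0.1:443 ssl;
        listen [2a02:beef:fa:1000::1]:443 ssl;
        server_name "";
        ssl_certificate /etc/ssl/certs/drop_example_com.pem;
        ssl_certificate_key /etc/ssl/private/drop_example_com.key;
        return 444;
    }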
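
An added example, not part of the original post: on nginx 1.19.4 and later, `ssl_reject_handshake` lets the catch-all refuse the TLS handshake itself, so the drop server needs no certificate and reveals no hostname to the scanner. The listen addresses are the ones used above; the vhost name `www.example.com`, its certificate paths and its `root` are placeholders.

```nginx
# Catch-all for plain HTTP: a missing Host header, or one that matches
# no real vhost, ends up in the default server and is closed with 444.
server {
    listen 10.0.0.1:80 default_server;
    listen [2a02:beef:fa:1000::1]:80 default_server;
    server_name "";
    return 444;
}

# Catch-all for TLS: a ClientHello with no SNI, or with an SNI that
# matches no real vhost, is rejected during the handshake.
server {
    listen 10.0.0.1:443 ssl default_server;
    listen [2a02:beef:fa:1000::1]:443 ssl default_server;
    server_name "";
    ssl_reject_handshake on;

    # A client can send a valid SNI and then an unknown Host header;
    # that request is routed to this default server, so drop it too.
    return 444;
}

# A real vhost, selected only when the client names it (placeholder values).
server {
    listen 10.0.0.1:443 ssl;
    listen [2a02:beef:fa:1000::1]:443 ssl;
    server_name www.example.com;
    ssl_certificate     /etc/ssl/certs/www_example_com.pem;
    ssl_certificate_key /etc/ssl/private/www_example_com.key;
    root /var/www/www_example_com;
}
```

Run `nginx -t` before reloading; nginx accepts only one `default_server` per address:port pair, so any other block that claims it on these sockets has to give it up.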