How do I deny access with NGINX to all non-existent third-level domains of a website over SSL (port 443)?

Greetings to all.
First, I will say that I have read the manual, searched the search engines for a solution and experimented plenty with a working config, but I could not achieve what was required, so I am asking the community for help.

So, the task seems trivial: deny access with NGINX to all non-existent third-level domains of the site site2.ru over SSL (on port 80 the ban already works). That is, right now a browser shows nothing for a non-existent name such as t.site2.ru, because the SSL certificate is valid only for the main domain, but a search engine gets the content of site2.ru, whereas it should get a 403 response code.

On the Internet the vast majority of solutions are for port 80, but it seems port 443 is the same thing; in the end the solution boils down to adding this entry to the NGINX configuration file:

    server {
        listen 443 default_server;
        server_name _;
        access_log /dev/null;
        error_log /dev/null;
        return 403;
    }


But as soon as I add it, I can no longer open the main domain either (site2.ru in the example below)!

In the end, my file in abbreviated form looks like this:

    http {

        server {
            listen 80 default;
            server_name site1.ru www.site1.ru;
            error_log /dev/null;
            access_log /dev/null;
            return 444;
        }

        server {
            listen 80;
            server_name site2.ru www.site2.ru;
            return 301 https://$host$request_uri;
        }

        ############## if you add what the Internet suggests ##############

        server {
            listen 443 default_server;
            server_name _;
            access_log /dev/null;
            error_log /dev/null;
            return 403;
        }

        ########################################################

        server {
            listen 443 ssl http2;
            server_name site2.ru www.site2.ru;
            ...
        }

    }


How do I solve the problem and deny access with NGINX to all non-existent third-level domains of the site site2.ru over SSL (port 443)?
June 14th 19 at 20:38
2 answers
June 14th 19 at 20:40
Solution
Everything is quite simple.
https://nginx.ru/ru/docs/http/request_processing.html
Here it is described how Nginx handles requests. Now it is immediately clear what you broke: if a subdomain is not configured for an address on port 80, you can simply configure a default virtual host and, for example, redirect it to the primary domain or deny access, whatever you like. But in the case of 443 with ssl, the connection first has to be established with the required certificate, which you do not have for every subdomain. There are several ways out.
1. Add a self-signed certificate to this configuration. The drawback is that if a person visits, he will see that the site is not secure, and God knows what he might think about the main domain) if he is not educated enough to understand why this message is shown and takes you for a swindler.
    server {
        listen 443 default_server;
        server_name _;
        access_log /dev/null;
        error_log /dev/null;
        return 403;
    }

Question: why send the logs to /dev/null??? Isn't it easier to turn them off? What kind of savagery is that)

2. Buy a certificate that protects both the domain and all its subdomains at once and attach it there; in this case everything will be as smooth as with port 80, unless of course someone decides to break in via third-level domains)))

3. In DNS, point to the server only the domains and subdomains that really exist; in this case all the rest will look like this: (screenshot of the browser error page omitted)

Read the documentation more)
Thank you, Vladimir, for your quick response.

If I understand you correctly, then without a certificate (self-signed or purchased) it is impossible at the NGINX level to return a 403 response (or a 404 or 444)?

The DNS solution basically satisfies me, but I would still like to understand: can you return a 403 in that case, or can you do nothing at all without a certificate?

About "/dev/null": I copied it from an example on some site, so I don't know how correct it is. Right now my config has:
    access_log off;
    error_log /dev/null error; - Erich83 commented on June 14th 19 at 20:43
"If I understand you correctly, then without a certificate (self-signed or purchased) it is impossible at the NGINX level to return a 403 response (or a 404 or 444)?"
Without ssl configured the connection does not succeed and the client gets this window: (screenshot of the browser error page omitted)
"The DNS solution basically satisfies me, but I would still like to understand: can you return a 403 in that case, or can you do nothing at all without a certificate?"
A certificate is required, at least some certificate.
"About "/dev/null": I copied it from an example on some site, so I don't know how correct it is. Right now my config has:
    access_log off;
    error_log /dev/null error;"
Nginx has decent documentation in Russian; reading how-tos from random sites usually costs more. In the second case, turn it off too.
https://nginx.ru/ru/docs/http/ngx_http_log_module....
https://nginx.ru/ru/docs/ngx_core_module.html#error_log - keara_Mosciski commented on June 14th 19 at 20:46
Thank you very much for the detailed answers.
And lastly, do I understand correctly that for the same reason, the absence of a certificate, it is also impossible to redirect a request from the third level to the first level, for example:

    server {
        listen 443;
        server_name *.site2.ru;
        return 301 https://$host$request_uri;
    } - Erich83 commented on June 14th 19 at 20:49
In this case this virtual host will be used if someone types this line in the browser:
http://random.site2.ru:443
Instead of random you can put anything. Try typing it and you will be redirected) You have not configured the virtual hosts correctly; read the documentation.
https://nginx.ru/ru/docs/http/configuring_https_se...
This virtual host is not an https one: it handles only plain http requests, just on port 443.

I just realized: if this IP on port 443 is already configured for ssl, you will not be redirected; I misled you.
(screenshot omitted) - keara_Mosciski commented on June 14th 19 at 20:52
Yes, you are right, I see "400 Bad Request".
But I still don't understand about the redirect. Let's say I specify listen 443 ssl http2; (that is how I wrote it for the main domain); will the redirect then work without any certificates?

    server {
        listen 443 ssl http2;
        server_name *.site2.ru;
        return 301 https://$host$request_uri;
    } - Erich83 commented on June 14th 19 at 20:55
"will the redirect then work without any certificates?"
A certificate is of course necessary; how could it work without one? - keara_Mosciski commented on June 14th 19 at 20:58
June 14th 19 at 20:42
If the https request has already reached the server, the server must have a valid certificate; otherwise the browser will display a warning about an invalid certificate.

Option 1: ignore the invalid certificate anyway and return 403.

Option 2: get a wildcard certificate for *.site2.ru.

Option 3: in the DNS records of the domain, explicitly specify all subdomains. For a non-existent subdomain the browser will not even send a request.
You should at least have changed the order)) I wrote the same thing, only in other words? Does that mean I should rewrite my answer?
And:
"NS records of a domain to explicitly specify all subdomains."

This is not done with NS records but with A and AAAA records. If you paraphrase answers, do it correctly. - Erich83 commented on June 14th 19 at 20:45
Thank you, Boris, for your attention to my question.

If I understood Vladimir, who replied above, correctly, then without a certificate (self-signed or purchased) it is impossible at the NGINX level to return a 403 response?

And you write "Option 1: ignore the invalid certificate anyway and return 403"; how is that done, then? - keara_Mosciski commented on June 14th 19 at 20:48
As I wrote in my option 1, install a self-signed certificate. He simply paraphrased my answer. - Erich83 commented on June 14th 19 at 20:51
If you wrote your answer a few seconds before I did, that does not mean I saw it while writing mine. You can keep being proud of your answer.

Use any certificate. A self-signed one will do (e.g. /etc/nginx/snippets/snakeoil.conf), or the one from the base domain. - keara_Mosciski commented on June 14th 19 at 20:54
"If you wrote your answer a few seconds before I did, that does not mean I saw it while writing mine. You can keep being proud of your answer."
Then I apologize for the tone, but I just didn't think of that, because you posted exactly the same items) - Erich83 commented on June 14th 19 at 20:57
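An added example, not code from the question or from either answer, of what "option 1" in both answers amounts to: a catch-all server on 443 that carries a self-signed certificate so the TLS handshake can complete and the 403 can actually be sent, next to the real site2.ru server. The problem with the block in the question is that its listen has no ssl parameter, so the default server has no TLS context and the handshake cannot even reach the SNI-based dispatch that would select site2.ru; the fix is the ssl parameter plus any certificate. All file paths, the catch-all file names and the openssl command are assumptions. One caveat the 2019 answers predate: nginx 1.19.4 and later also have ssl_reject_handshake, which lets the default server refuse the handshake with no certificate at all; it is shown below as a commented alternative.

```nginx
# Added example (not from the thread). Generate the throwaway pair once, e.g.:
#   openssl req -x509 -nodes -newkey rsa:2048 -days 3650 -subj "/CN=catch-all" \
#     -keyout /etc/ssl/private/catchall.key -out /etc/ssl/certs/catchall.crt
# (paths and names are assumed), then `nginx -t` and reload.

server {
    # "ssl" is what the default server in the question lacks: without it this
    # server has no TLS context, the ClientHello cannot be answered, and name
    # dispatch by SNI never gets to the site2.ru server on the same socket.
    listen 443 ssl http2 default_server;
    server_name _;

    # Any certificate lets the handshake finish. Browsers will warn (it is
    # self-signed and the name does not match), crawlers get the 403 below.
    ssl_certificate     /etc/ssl/certs/catchall.crt;      # assumed path
    ssl_certificate_key /etc/ssl/private/catchall.key;    # assumed path

    # Alternative for nginx >= 1.19.4: delete the two ssl_certificate* lines
    # and refuse the handshake instead. No certificate needed, the client gets
    # a TLS alert rather than a certificate warning, and no HTTP response.
    # ssl_reject_handshake on;

    # Nothing to keep here; no need to route logs to /dev/null.
    access_log off;
    return 403;
}

server {
    listen 443 ssl http2;
    server_name site2.ru www.site2.ru;

    ssl_certificate     /etc/letsencrypt/live/site2.ru/fullchain.pem;  # assumed path
    ssl_certificate_key /etc/letsencrypt/live/site2.ru/privkey.pem;    # assumed path

    root /var/www/site2.ru;   # assumed document root
}

# A redirect for *.site2.ru, as asked in the comments, needs the same thing:
# a certificate that the TLS layer can present for those names, i.e. the
# wildcard certificate from "option 2". With only the site2.ru certificate
# the client aborts the handshake before the 301 could be sent.
#
# Check from another host (203.0.113.10 stands for the server's address):
#   openssl s_client -connect 203.0.113.10:443 -servername t.site2.ru </dev/null \
#     | grep -E 'subject=|Verify return'        # shows the catch-all cert
#   curl -sk -o /dev/null -w '%{http_code}\n' --resolve t.site2.ru:443:203.0.113.10 \
#     https://t.site2.ru/                       # 403
#   curl -s  -o /dev/null -w '%{http_code}\n' https://site2.ru/   # site still 200
```

The catch-all must be the one and only default_server for the address; nginx refuses to start if two servers claim it on the same address:port. Whichever variant is used, the main domain keeps working because, once the handshake has started against the default server, nginx switches to the site2.ru server and its certificate as soon as the client sends SNI for that name.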

Tags: Nginx, HTTPS, Digital certificates