Hello there. This time I've got and interesting issue regarding the nginx default behavior when HTTPS / SSL is not configured for a specific vhost and a HTTPS request is started for a domain of this vhost. I discovered this issue by testing Let's Encrypt on my ISPConfig installation. Due to the fact, that this issue is related to nginx directly I posted in here, not in the ISPConfig forums. Here my server configuration: Debian 9 (Stretch) nginx/1.10.3; built with OpenSSL 1.1.0f 25 May 2017 (running with OpenSSL 1.1.0k 28 May 2019); TLS SNI support enabled Now the issue: Requesting a website via HTTPS for a vhost which is not configured for SSL is causing the browser to show an other random page that is configured for HTTPS. So far I figured this out like this: The Server is requested to load the domain abc.com via HTTPS Due to the fact that HTTPS / SSL is not configured for this vhost but a HTTPS connection is requested, the server is looking up a vhost which is configured for HTTPS / SSL and flagged as "default_server" Due to the fact that there isn't such a vhost (it cannot because there is no domain for it and therefore there is no valid certificate) nginx is establishing a HTTPS connection with the SSL certificate from a random vhost e.g. for xyz.com This causes some browsers to show a security warning, that the CN, the certificate is issued for, is not the domain requested. Ignoring the security warning will load the xyz.com, mentioned in the certificate via HTTPS. Other browsers are redirecting to this domain directly without any warning. Due to security concerns the browser behavior is correctly. My question: Is it possible to configure nginx to deliver the website via HTTP if HTTPS is not configured and if not, how can I return a 503 instead of using a random certificate. Thanks in advance.
Unfortunately this can't be done because the TLS-Handshake has done before the HTTP-Status-Code can be sent. So the solution here will be to include a fake certificate to the https-section of the default-vhost and then return a 403. (https://security.stackexchange.com/...equests-with-undefined-server-names-with-http)
If you searched properly, I think you should find that mixing site with https and with http only in ISPConfig will produce problem like the one you mentioned i.e. https to website without ssl will go to the site with ssl in the same server.
Correct. There is no real good solution for this, it applies to apache as well. The options are: 1) Enable SSL for all websites and domains. Not that big problem anymore since there are free LE SSL certs. 2) Use two IP addresses. Use one for sites with SSL and the other one for sites without SSL and configure nginx to listen on the one IP on port 80 only. 3) The option that you described to use a default vhost for SSL which will then produce an SSL error as the requested domain is not in the ssl cert of that default vhost.
