From 2a556f47214b50e2638d3d97a2c3d9c1d02798fe Mon Sep 17 00:00:00 2001
From: Asif Bacchus
Date: Fri, 4 Jan 2019 02:36:58 -0700
Subject: [PATCH] server configs: drop and redirect-HTTPS
---
availableSites/catch-all_dropConnection.conf | 29 ++++++++++++++++++++
availableSites/redirectHTTPS.conf | 16 +++++++++++
2 files changed, 45 insertions(+)
create mode 100644 availableSites/catch-all_dropConnection.conf
create mode 100644 availableSites/redirectHTTPS.conf
diff --git a/availableSites/catch-all_dropConnection.conf b/availableSites/catch-all_dropConnection.conf
new file mode 100644
index 0000000..696b9ff
--- /dev/null
+++ b/availableSites/catch-all_dropConnection.conf
@@ -0,0 +1,29 @@
+#######
+### NGINX server configuration
+### Drop all connections that do not match configured servers
+#######
+
+# Drop connections over HTTP by default
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+
+ # have nginx silently drop the connection
+ return 444;
+}
+
+# Drop connections over HTTPS by default
+# This could only happen after user proceeds past certificate mismatch warning
+# or if using a wildcard certificate where obviously not all possible hosts
+# could be configured.
+# Respond with default certificates then drop connection
+server {
+ listen 443 default_server ssl http2;
+ listen [::]:443 default_server ssl http2;
+
+ # SSL certificates for this server
+ include /etc/nginx/snippets/ssl/ssl_certs.conf;
+
+ # have nginx silently drop the connection
+ return 444;
+}
diff --git a/availableSites/redirectHTTPS.conf b/availableSites/redirectHTTPS.conf
new file mode 100644
index 0000000..05c34ea
--- /dev/null
+++ b/availableSites/redirectHTTPS.conf
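Review bot: The HTTPS catch-all in catch-all_dropConnection.conf completes the TLS handshake with whatever `include /etc/nginx/snippets/ssl/ssl_certs.conf;` loads before it returns 444, so a client connecting by bare IP address or with an unknown SNI still receives that certificate. The snippet is not part of this patch; if it points at the production certificate, its subject and SAN host names are disclosed to anyone probing the address, which undercuts the point of silently dropping unknown hosts. Consider giving this block a throwaway self-signed certificate of its own, or on nginx 1.19.4 and later replacing the include with `ssl_reject_handshake on;` so no certificate is sent at all.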
@@ -0,0 +1,16 @@
+#######
+### NGINX server configuration
+### Redirect to secure connection
+#######
+
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name server.domain.tld
+ subdomain.server.domain.tld
+ subdomain2.server.domain.tld;
+
+ # redirect to properly formed HTTPS request
+ return 301 https://$host$request_uri;
+}
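Review bot: The redirect target in `return 301 https://$host$request_uri;` is built from the request's Host header, so it is only safe while this server block never acts as the port-80 default. With catch-all_dropConnection.conf enabled, unmatched hosts get 444 and `$host` can only be one of the three listed names. If this file is enabled on its own, nginx falls back to the first server defined for the listen socket, and the redirect would echo whatever Host the client sent. I would state that dependency above the return, e.g. `# requires catch-all_dropConnection.conf to be enabled; otherwise $host is client-controlled`.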