nginx: prevent processing of requests with undefined server names

Use `default_server` to catch requests whose Host header (or TLS SNI name) matches no configured `server_name` — including requests sent to the bare IP address — and close them instead of serving them. Without an explicit default, nginx hands such requests to the first server block defined for that port, i.e. to a real site.

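http {
  # ... other http-level directives ...

  # Catch-all for requests whose Host header matches no configured
  # server_name (including requests sent to the bare IP address).
  # Without a default_server nginx would hand such requests to the
  # first server block listed for the port, i.e. to a real site.
  server {
    listen 80 default_server;
    listen [::]:80 default_server;
    # "_" never matches a real hostname; this block is only ever
    # selected through the default_server flag above.
    server_name _;
    # 444 is nginx-specific: close the connection without sending
    # any response at all (not even an error page).
    return 444;
  }
}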

If you also redirect HTTP to HTTPS, the port-80 default server must answer instead of closing the connection (keep the ACME challenge path reachable so certificates can still be renewed); the closing catch-all then moves to port 443, where it needs a placeholder certificate because the TLS handshake completes before nginx can inspect the server name:

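http {
  # ... other http-level directives ...

  # Port 80 catch-all: answer ACME HTTP-01 challenges, redirect
  # everything else to HTTPS. Marked default_server so it takes the
  # place of the "return 444" catch-all; "_" alone never matches a
  # real hostname, so without default_server this block would only
  # be used if it happened to be the first one listed for the port.
  server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;

    # Left reachable over plain HTTP so certbot can validate with
    # the webroot plugin; the -w path must equal "root" below:
    #   certbot certonly --webroot -w /etc/letsencrypt/webroot \
    #     -d <your-domain> --email <your-email> --agree-tos
    # (The original note was truncated after "--sta"; presumably
    # "--staging" for a dry run against the test CA - confirm.)
    location ^~ /.well-known/acme-challenge {
      default_type text/plain;
      root /etc/letsencrypt/webroot;
      # A missing token must 404 here, never fall through to the
      # HTTPS redirect below.
      try_files $uri $uri/ =404;
    }

    location / {
      # $host comes from the client's Host header, so in a
      # catch-all block the redirect target is client-controlled.
      # That is what a multi-domain redirect needs; if this host only
      # serves known names, a literal hostname is the stricter choice.
      return 301 https://$host$request_uri;
    }
  }

  # Port 443 catch-all. The TLS handshake completes before nginx can
  # look at the SNI/Host name, so this block needs a certificate;
  # prefer a throw-away self-signed one rather than a real site cert,
  # since it is presented to every client that asks for an unknown
  # name or connects by IP.
  server {
    # "ssl" on the listen line already enables TLS for this socket;
    # the old "ssl on;" directive was redundant with it and was
    # removed in nginx 1.25.1 (newer releases also prefer a separate
    # "http2 on;" over the listen-line flag).
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name _;
    ssl_certificate /etc/ssl/private/local.crt;
    ssl_certificate_key /etc/ssl/private/local.key;
    # Close the connection without sending a response.
    return 444;
  }
}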

 

HPKP with Let's Encrypt and nginx (HTTP Public Key Pinning, RFC 7469 — now deprecated and no longer honoured by major browsers)

Get the SPKI hash (base64 of the SHA-256 over the DER-encoded SubjectPublicKeyInfo) of each key to pin. Warning: HPKP is deprecated and has been removed from current browsers; a wrong or stale pin set can lock older clients out of the site for the whole max-age. Pinning intermediates is fragile because Let's Encrypt rotates them — the X3/X4 intermediates below have since been retired and these download URLs may no longer be served. A policy must also contain a backup pin for a key that is not in the chain currently served.

Let's Encrypt Authority X4 (retired intermediate)

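# -fsSL: fail on an HTTP error instead of piping an error page into
# openssl (which would then hash garbage or print a confusing error),
# stay quiet except for errors, follow redirects.
# -noout: emit only the public key, not the certificate itself.
curl -fsSL https://letsencrypt.org/certs/lets-encrypt-x4-cross-signed.pem | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64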

Let's Encrypt Authority X3 (retired intermediate)

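# -fsSL so a 404 from the (retired) URL aborts instead of feeding an
# HTML error page into openssl; -noout prints only the public key.
curl -fsSL https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64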

ISRG Root X1 (root CA; at the time the served chain was cross-signed by DST Root CA X3, so this pin acted as the backup not present in the chain)

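# -fsSL so a download error aborts instead of piping an error page
# into openssl; -noout prints only the public key.
curl -fsSL https://letsencrypt.org/certs/isrgrootx1.pem | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64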

Add the header to the HTTPS server block in nginx, replacing each placeholder with the base64 hash printed above. Trial the policy with `Public-Key-Pins-Report-Only` (plus a `report-uri`) before switching to the enforcing header: a bad pin set with `max-age=15768000` (about six months) cannot be recalled from clients that have already cached it.

# HPKP (RFC 7469). NOTE(review): current browsers no longer honour
# this header (Chrome and Firefox both dropped it around version 72),
# so it is ignored by them but can still lock older clients out of
# the site for max-age (15768000 s, about six months) if the served
# chain stops matching the pins. Pinning CA intermediates is
# especially fragile - Let's Encrypt rotates them, and X3/X4 are
# retired - and the policy needs at least one backup pin for a key
# NOT in the chain currently served. Replace "X4-Hash" etc. with the
# base64 SPKI hashes; trial with Public-Key-Pins-Report-Only first;
# only meaningful inside an HTTPS server block.
add_header Public-Key-Pins 'pin-sha256="X4-Hash"; pin-sha256="X3-Hash"; pin-sha256="X1-Hash"; max-age=15768000;';

Test the configuration, then reload nginx

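# Validate first: with a broken config "nginx -s reload" is refused
# by the master process (the old configuration keeps running) and
# the cause only shows up in the error log. -t prints it directly
# and the && stops the reload on failure.
nginx -t && nginx -s reload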

 

nginx config files on this host (the `http/` and `stream/` subdirectories suggest nginx.conf includes `conf.d/http/*.conf` inside its `http {}` block and `conf.d/stream/*.conf` inside `stream {}` — confirm in nginx.conf)

/etc/nginx/nginx.conf

/etc/nginx/conf.d/http/letsencrypt.conf

/etc/nginx/conf.d/http/web.conf

/etc/nginx/conf.d/stream/mariadb.conf