Add 503 rules for nonexistent domain names

2017-11-23 16:23:27 -05:00 · 2017-11-23 16:23:27 -05:00 · 680988918e
commit 680988918e
parent a6e8fae7f5
1 changed files with 38 additions and 0 deletions
--- a/nginx.tmpl
+++ b/nginx.tmpl
@ -94,6 +94,16 @@ server {
 	return 503;
 }

+# Default server if unknown domain
+server {
+	listen 80;
+	{{ if $enable_ipv6 }}
+	listen [::]:80;
+	{{ end }}
+	access_log /var/log/nginx/access.log vhost;
+	return 503;
+}
+
 {{ if (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }}
 server {
 	server_name _; # This is just an invalid value which will never trigger on a real hostname.
@ -108,6 +118,20 @@ server {
 	ssl_certificate /etc/nginx/certs/default.crt;
 	ssl_certificate_key /etc/nginx/certs/default.key;
 }
+
+# Default server if unknown domain
+server {
+	listen 443 ssl http2;
+	{{ if $enable_ipv6 }}
+	listen [::]:443 ssl http2;
+	{{ end }}
+	access_log /var/log/nginx/access.log vhost;
+	return 503;
+
+	ssl_session_tickets off;
+	ssl_certificate /etc/nginx/certs/default.crt;
+	ssl_certificate_key /etc/nginx/certs/default.key;
+}
 {{ end }}

 {{ range $host, $containers := groupByMulti $ "Env.VIRTUAL_HOST" "," }}
@ -178,9 +202,23 @@ upstream {{ $upstream_name }} {
 {{/* Use the cert specified on the container or fallback to the best vhost match */}}
 {{ $cert := (coalesce $certName $vhostCert) }}

+
 {{ $is_https := (and (ne $https_method "nohttps") (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert))) }}

 {{ if $is_https }}
+# Default server if unknown domain
+server {
+	listen 443 ssl http2;
+	{{ if $enable_ipv6 }}
+	listen [::]:443 ssl http2;
+	{{ end }}
+	access_log /var/log/nginx/access.log vhost;
+	return 503;
+
+	ssl_session_tickets off;
+	ssl_certificate /etc/nginx/certs/{{ (printf "%s.crt" $cert) }};
+	ssl_certificate_key /etc/nginx/certs/{{ (printf "%s.key" $cert) }};
+}

 {{ if eq $https_method "redirect" }}
 server {