0

have an interesting issue regarding the nginx default behavior when HTTPS / SSL is not configured for a specific vhost and a HTTPS request is started for a domain of this it. I discovered this issue by testing Let's Encrypt on my ISPConfig installation.

Here my server configuration:

  • Debian 9 (Stretch)
  • nginx/1.10.3; built with OpenSSL 1.1.0f 25 May 2017 (running with OpenSSL 1.1.0k 28 May 2019); TLS SNI support enabled

Now the issue: Requesting a website via HTTPS for a vhost which is not configured for SSL is causing the browser to show an other random page that is configured for HTTPS. So far I figured this out like this:

  • The Server is requested to load the domain abc.com via HTTPS
  • Due to the fact that HTTPS / SSL is not configured for this vhost but a HTTPS connection is requested, the server is looking up a vhost which is configured for HTTPS / SSL and flagged as "default_server"
  • Due to the fact that there isn't such a vhost (it cannot because there is no domain for it and therefore there is no valid certificate) nginx is establishing a HTTPS connection with the SSL certificate from a random vhost e.g. for xyz.com
  • This causes some browsers to show a security warning, that the CN, the certificate is issued for, is not the domain requested. Ignoring the security warning will load the xyz.com, mentioned in the certificate via HTTPS. Other browsers are redirecting to this domain directly without any warning.

Due to security concerns the browser behavior is correctly.

My question:

Is it possible to configure nginx to deliver the website via HTTP if HTTPS is not configured and if not, how can I return a 503 instead of using a random certificate.

Improve this question
1
  • Nginx server names check whenever the browser actually sends the server name. If it doesn't nginx will only have the IP and naturally returns a 443 configured for it. As for a redirect there are many examples of http to https redirect which work the same. In theory you don't need a certificate at all in that case but some browsers might still complain. The alternative is to have an individual IP for that vhost.
    – Seth
    Commented Jul 10, 2019 at 10:09

1 Answer 1

Reset to default
0

Is it possible to configure nginx to deliver the website via HTTP if HTTPS is not configured

No. If the client connects to port 443, expecting to speak TLS, it will speak TLS. If nginx tried to send some other kind of reply (instead of responding to the TLS handshake), like a plaintext HTTP reply, the client's TLS library would just reject it as an unrecognized/corrupted packet.

and if not, how can I return a 503 instead of using a random certificate.

Also no. When nginx receives a TLS handshake on the HTTPS port, it has only two choices: either finish the handshake using some other certificate, or completely refuse the TLS handshake.

It cannot send a plaintext HTTP response (it would get discarded), and it cannot send an HTTPS response either, because that's only possible after the TLS handshake – that is, after certificate exchange.

The easiest solution – especially if you actually have security concerns – is to enable HTTPS for all your vhosts. Certificates for all of them can be obtained for free.

The cheap solution is to create a dummy "default server" with its own certificate (which could be a self-signed certificate, e.g. for example.com or invalid.invalid) and configured to always return an HTTP error if visited.

Improve this answer
2
  • Thanks for your answer. I understand that there are only these two option for nginx but i wolud rather go with a 503 if there is no HTTPS configured for the requested domain than accepting a connection with a certificate not issued for that domain. Is there a way to do this?
    – Shinichi
    Commented Jul 10, 2019 at 11:01
  • No. If the client requests HTTPS, it is impossible for a webserver to send an HTTP status code until after the TLS certificate exchange happens. It can only abort the TLS handshake itself. (For example, as suggested here: security.stackexchange.com/q/55790/4258)
    – grawity_u1686
    Commented Jul 10, 2019 at 11:05

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .