I have an interesting issue regarding the nginx default behavior when HTTPS / SSL is not configured for a specific vhost and an HTTPS request is made for a domain of this vhost. I discovered this issue by testing Let's Encrypt on my ISPConfig installation.
Here is my server configuration:
- Debian 9 (Stretch)
- nginx/1.10.3; built with OpenSSL 1.1.0f 25 May 2017 (running with OpenSSL 1.1.0k 28 May 2019); TLS SNI support enabled
Now the issue: Requesting a website via HTTPS for a vhost which is not configured for SSL causes the browser to show another random page that is configured for HTTPS. So far I have figured it out like this:
- The server is requested to load the domain abc.com via HTTPS
- Due to the fact that HTTPS / SSL is not configured for this vhost but an HTTPS connection is requested, the server looks up a vhost which is configured for HTTPS / SSL and flagged as "default_server"
- Due to the fact that there is no such vhost (there cannot be, because there is no domain for it and therefore there is no valid certificate), nginx establishes an HTTPS connection with the SSL certificate from a random vhost, e.g. the one for xyz.com
- This causes some browsers to show a security warning that the CN the certificate is issued for is not the domain requested. Ignoring the security warning will load xyz.com, the domain mentioned in the certificate, via HTTPS. Other browsers redirect to this domain directly without any warning.
For security reasons, the browser behavior is correct.
My question:
Is it possible to configure nginx to deliver the website via HTTP if HTTPS is not configured, and if not, how can I return a 503 instead of nginx using a random certificate?
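An added example of a catch-all HTTPS server block, not part of the original post and not ISPConfig's own configuration. Two points worth knowing first: nginx cannot answer a TLS connection with a plain-HTTP site, because the browser has already started a TLS handshake on that socket, so the realistic options are to refuse the handshake or to complete it with a placeholder certificate and return an error; and when no server block on a listen address is flagged default_server, nginx uses the first server block listening on that address in configuration order, which is why the certificate looks "random". The certificate paths and the self-signed placeholder below are assumptions.

```nginx
# Added example (not from the original post). Catch-all for HTTPS requests to
# names that have no SSL-enabled vhost. The file paths and the placeholder
# certificate are assumptions; the placeholder is assumed to be generated with:
#   openssl req -x509 -nodes -newkey rsa:2048 -days 3650 -subj '/CN=invalid' \
#     -keyout /etc/nginx/ssl/default.key -out /etc/nginx/ssl/default.crt
# Browsers still warn about this certificate, but the handshake no longer
# borrows another site's certificate and no other site's content is served.

server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;

    # Option A (works on nginx 1.10.3): complete the handshake with the
    # placeholder certificate and answer every request with 503.
    ssl_certificate     /etc/nginx/ssl/default.crt;
    ssl_certificate_key /etc/nginx/ssl/default.key;
    return 503;

    # Option B (nginx >= 1.19.4 only, so not the 1.10.3 in the post): refuse
    # the TLS handshake with an unrecognized_name alert, so no certificate is
    # sent at all. Replace the three lines of Option A with:
    #   ssl_reject_handshake on;
}

# The per-site vhosts keep their own "listen 443 ssl" blocks. They are chosen
# by SNI only when the requested name matches their server_name; everything
# else now lands in the block above instead of the first block in file order.
```

Verify with `openssl s_client -connect 203.0.113.10:443 -servername abc.com </dev/null` (example IP): the subject of the returned certificate should be the placeholder CN, not xyz.com, and `curl -k https://abc.com/` should return 503.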