Hi,

My own domain, let's say 'example.com', is registered in the HSTS preload 
database (https://hstspreload.org).

I set up my domain as a virtual host in Nginx:

        /etc/nginx/sites-enabled/example.conf

                # Plain-HTTP listener, bound to one specific address, that
                # only redirects to HTTPS.
                server {
                        listen 172.17.0.1:80;
                        server_name example.com www.example.com;
                        location / {
                                return 301 https://example.com$request_uri;
                        }
                }

                # HTTPS listener, bound to the same specific address:port.
                server {
                        listen 172.17.0.1:443 ssl http2;
                        server_name example.com www.example.com;

                        ssl_trusted_certificate   "/etc/ssl/trusted.crt.pem";
                        ssl_certificate           "/etc/ssl/chain.crt.pem";
                        ssl_certificate_key       "/etc/ssl/privkey.pem";

                        # Ten-year HSTS with includeSubDomains and preload, as
                        # the preload list requires.
                        add_header Strict-Transport-Security "max-age=315360000; includeSubDomains; preload";

                        location / {...}
                }

The cert is good for example.com + www.example.com.

When I go to

        https://example.com

it works like you would expect.


I also set up a fallback default server in my main nginx config:

        /etc/nginx/nginx.conf

                ...
                # Wildcard (all addresses) default server for port 80:
                # redirect any unknown host to HTTPS.
                server {
                        listen 80       default_server;
                        listen [::]:80  ipv6only=on default_server;
                        server_name _;
                        return 301 https://$host;
                }

                # Wildcard default server for port 443: serve a throwaway
                # certificate and close the connection without a response.
                server {
                        listen 443      ssl http2 default_server;
                        listen [::]:443 ssl http2 ipv6only=on default_server;
                        server_name _;

                        ssl_trusted_certificate   "/etc/ssl/trusted.crt.pem";
                        ssl_certificate           "/etc/ssl/null.crt.pem";
                        ssl_certificate_key       "/etc/ssl/nullkey.pem";

                        return 444;
                }
                include sites-enabled/*.conf;

If I go to a subdomain of my domain that has a DNS A-record pointing to the 
same IP, but no Nginx virtual hosted site,

        https://subdomain.example.com

in the browser I get this message

        Did Not Connect: Potential Security Issue
        Firefox detected a potential security threat and did not continue to
        subdomain.example.com because this website requires a secure connection.
        What can you do about it?
        subdomain.example.com has a security policy called HTTP Strict
        Transport Security (HSTS), which means that Firefox can only connect to it
        securely. You can’t add an exception to visit this site.
        The issue is most likely with the website, and there is nothing you
        can do to resolve it. You can notify the website’s administrator about the
        problem.
        Learn more…

                Websites prove their identity via certificates. Firefox does
                not trust this site because it uses a certificate that is not valid for
                subdomain.example.com. The certificate is only valid for the following names:
                example.com, www.example.com

                Error code: SSL_ERROR_BAD_CERT_DOMAIN
                View Certificate

I expect it to fail with a 444, and only have info about the failed subdomain.

Why does it respond with cert info about the "example.com, www.example.com" 
certs at all?  Those are only for the full-domain site.

What do I need to set up to just get a fallback 444 response and NO information 
about any other domain's certs etc, when I visit the un-hosted 
subdomain.example.com?

_______________________________________________
nginx mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx
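Editor's note, with an added configuration that is not from the poster. nginx picks a server block in two steps: first by the address:port the connection arrived on, then by server_name among only those blocks. A "listen 443 default_server" is the default for *:443, not for 172.17.0.1:443; a connection to 172.17.0.1:443 is matched only against blocks that listen on exactly that pair, and with none of them marked default_server the first one (the example.com vhost) wins, so its certificate is presented for any SNI name. The fragment below assumes the same address and file paths as the post, and assumes nginx 1.19.4 or later for ssl_reject_handshake; it replaces the wildcard fallback blocks in nginx.conf and leaves sites-enabled/example.conf as posted.

```nginx
# Added example (not the poster's config). Fallback servers bound to the
# same 172.17.0.1 address:port pairs as the example.com vhost, so they are
# actually selected for names that have no vhost on that address.
# Assumes nginx >= 1.19.4 (ssl_reject_handshake).

server {
    # Exact address:port match is what makes this the default for the vhost's
    # socket; "listen 80 default_server" would only cover *:80.
    listen 172.17.0.1:80 default_server;
    server_name _;
    # Close the connection without any HTTP response for unknown hosts.
    return 444;
}

server {
    listen 172.17.0.1:443 ssl default_server;
    server_name _;

    # Abort the TLS handshake with an "unrecognized_name" alert instead of
    # presenting any certificate. No ssl_certificate/ssl_certificate_key is
    # needed (or used) in this block.
    ssl_reject_handshake on;
}

# sites-enabled/example.conf keeps its "listen 172.17.0.1:443 ssl http2;" and
# "server_name example.com www.example.com;"; it is now chosen only when the
# SNI/Host name matches, and everything else lands on the blocks above.
```

Two caveats worth knowing before choosing between ssl_reject_handshake and the posted null certificate. A 444 can only be sent after the TLS handshake has completed, and completing the handshake means presenting some certificate, so "a 444 and no certificate information at all" is not achievable on port 443; the closest you can get is rejecting the handshake, after which Firefox reports an unrecognized-name alert error rather than the HSTS bad-cert page. To check which case you are in from the command line, run openssl s_client -connect 172.17.0.1:443 -servername subdomain.example.com </dev/null; with the posted config it prints the example.com/www.example.com certificate, and with the fragment above it prints a handshake failure and no certificate.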
