When we use CDN services such as CloudFlare, in addition to the function of saving traffic and speeding up access, an important function is to prevent exposing the real IP of the website, but if your NGINX is not properly configured, direct access to the server’s IP using the HTTPS protocol will expose a certificate pointing to a domain name on the server, which will be scanned by some Some services that scan the entire network for IP addresses get the correspondence between the domain name and the IP.

For example, if the server IP is 1.1.1.1 and two URLs are bound to it: a.com, b.com. both a.com and b.com use CDN services, a direct visit to https://a.com will get the URL of the CDN, e.g. 2.2.2.2. However, if NGINX is not configured correctly on the real server, an attacker accessing https: //1.1.1.1, the credentials of a.com will be displayed and the real server IP of a.com will be obtained.

There are many ways to circumvent this problem, such as generating fake certificates to configure to the default NGINX site, but they are more tedious. Starting with NGINX version 1.19.4, you can configure a default HTTPS server and set the ssl_reject_handshake parameter to on to resolve the issue.

1
2
3
4
5
server {
listen 443 default_server;
server_name _;
ssl_reject_handshake on;
}