
This is the server block I have that handles https connections:

server {
  listen xxx.xxx.xxx.xxx:443 ssl;
  listen xxx.xxx.xxx.xxx:8443 ssl;
  server_name subd.domain.com;
  proxy_read_timeout 720s;
  proxy_connect_timeout 720s;
  proxy_send_timeout 720s;

  # Add headers for Odoo proxy mode
  proxy_set_header X-Forwarded-Host $host;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Forwarded-Proto $scheme;
  proxy_set_header X-Real-IP $remote_addr;

  # SSL parameters
  ssl_certificate /xxxx.cer;
  ssl_certificate_key /xxxx.key;
  ssl_session_timeout 30m;
  # Note: TLSv1 and TLSv1.1 are deprecated (RFC 8996); current deployments offer TLSv1.2 (and TLSv1.3) only
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
  ssl_prefer_server_ciphers on;

  # log
  access_log /var/log/nginx/xxxx.access.log;
  error_log /var/log/nginx/xxxx.error.log;

  # Proxy requests to the backend server
  location / {
    proxy_redirect off;
    proxy_pass http://xxxx;
  }
}

It works fine when I use the domain name in the browser. The problem is when I use only the IP: https://xxx.xxx.xxx.xxx

Nginx redirects me to the location described in this block, but with no ssl, it says that the certificate is not valid.

My initial thought is that the certificate specifies a domain and it doesn't match the IP address I'm using (since there is no domain provided).

If this is true, why does Nginx keep returning the page content in an insecure way? I'd like nginx to refuse the connection in some way if it can't establish a secure connection for this block.

How could I achieve this behaviour?

Aleix
  • Why do you think that nginx returns your page in an insecure way? Your connection is still encrypted, but your browser warns you that the certificate doesn't match the domain you visited. If you don't want to serve requests that come without the host name, see [this](https://stackoverflow.com/questions/60362642/nginx-doesnt-listen-on-port-80-twice/60362700#60362700) answer. – Ivan Shatsky Jun 02 '20 at 10:48
  • Thanks for your answer Ivan. If I try to redirect ip:8443 or ip:443 to a 404 page, nginx asks me to specify an ssl certificate in the server block. Is there a way to restrict these situations without specifying the ssl certificate again? – Aleix Jun 02 '20 at 11:58
  • No, any answer from nginx over an ssl enabled connection needs a certificate to encrypt it. And since you can't get a valid cert for your IP address (although technically it is possible) any such connection would be insecure from the browser's point of view :) For myself I found an acceptable solution to use 444 code (immediately close the connection). – Ivan Shatsky Jun 02 '20 at 12:10
  • Ok. I'll try to use the unsafe certificate and 444. I guess not, but isn't there a way to catch all traffic from the ip (without specifying the port)? Thanks for your patience. – Aleix Jun 02 '20 at 12:21
  • You can specify several `listen` directives in a server block, e.g. `listen 80; listen 443 ssl; ...` – Ivan Shatsky Jun 02 '20 at 12:35
  • What I tried now: `listen ip:8443; listen ip:443;` and `rewrite` to a domain (which will be used as a default domain). Somehow I don't like this solution 100%, I don't want to use a certificate that is not 'the correct' one. But I guess that from a security point of view there is no warning about whether the server could be compromised. – Aleix Jun 02 '20 at 12:40

1 Answer


As Ivan Shatsky mentions in the comments, the content that the server returned was under SSL, but the browser identified it as not completely secure because the host name was missing from the request.

What I finally did was to create a server block that uses the current certificates (although they don't fit 100%) to listen on ports 8443 and 443 under the IP with no domain, and rewrite its requests to a domain (one that I chose as the default one).

Aleix
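The catch-all block that the comments and the answer describe, written out as an added example (this is not the poster's configuration and not from the nginx or Odoo documentation). Browsers and curl send no SNI for an IP literal, so a request to https://xxx.xxx.xxx.xxx/ is matched by whichever server is `default_server` on that ip:port, not by the `subd.domain.com` block. Two ways to make that default server refuse the client are shown: `ssl_reject_handshake`, which needs nginx 1.19.4 or later and is why the poster's nginx (June 2020) demanded a certificate for the catch-all, and the `return 444` fallback Ivan suggested. The address, ports, certificate paths and host name are copied from the question; `http://xxxx` is the question's own placeholder for the Odoo backend, and TLSv1.3 in the named server assumes nginx 1.13.0+ built against OpenSSL 1.1.1+.

```nginx
# Added example; assumptions: nginx >= 1.19.4 for ssl_reject_handshake,
# nginx >= 1.13.0 with OpenSSL 1.1.1+ for TLSv1.3, placeholders as in the question.

# 1) Catch-all for TLS connections that carry no SNI or an unknown SNI.
#    default_server on the same ip:port pairs is what makes nginx pick it
#    for https://xxx.xxx.xxx.xxx/ instead of the subd.domain.com block.
server {
    listen xxx.xxx.xxx.xxx:443  ssl default_server;
    listen xxx.xxx.xxx.xxx:8443 ssl default_server;
    server_name _;

    # Preferred (nginx 1.19.4+): abort the handshake with a TLS
    # "unrecognized_name" alert. No certificate is configured in this block,
    # so the mismatched certificate is never presented to the client.
    ssl_reject_handshake on;

    # Older nginx: a certificate is mandatory to finish the handshake, so reuse
    # the real one and then close without a response (444 is nginx-specific).
    # The browser still shows the name-mismatch warning first; only a client
    # that clicks through reaches the closed socket. Replace
    # ssl_reject_handshake with these three lines in that case:
    # ssl_certificate     /xxxx.cer;
    # ssl_certificate_key /xxxx.key;
    # return 444;
    #
    # The redirect variant from the accepted answer (same certificate caveat):
    # return 301 https://subd.domain.com$request_uri;
}

# 2) The named server, as in the question but with the protocol list trimmed:
#    TLSv1 and TLSv1.1 are deprecated (RFC 8996) and a client that only speaks
#    them should be refused rather than served.
server {
    listen xxx.xxx.xxx.xxx:443 ssl;
    listen xxx.xxx.xxx.xxx:8443 ssl;
    server_name subd.domain.com;

    ssl_certificate     /xxxx.cer;
    ssl_certificate_key /xxxx.key;
    ssl_protocols       TLSv1.2 TLSv1.3;   # was: TLSv1 TLSv1.1 TLSv1.2
    ssl_session_timeout 30m;
    # ssl_ciphers and ssl_prefer_server_ciphers as in the question

    proxy_read_timeout    720s;
    proxy_connect_timeout 720s;
    proxy_send_timeout    720s;

    # Headers Odoo needs in proxy mode
    proxy_set_header X-Forwarded-Host  $host;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP         $remote_addr;

    access_log /var/log/nginx/xxxx.access.log;
    error_log  /var/log/nginx/xxxx.error.log;

    location / {
        proxy_redirect off;
        proxy_pass http://xxxx;
    }
}
```

Check it with `nginx -t` before reloading, then verify from a client: `openssl s_client -connect xxx.xxx.xxx.xxx:443 -servername subd.domain.com </dev/null` must complete the handshake and show the real certificate, while `openssl s_client -connect xxx.xxx.xxx.xxx:443 -noservername </dev/null` (OpenSSL 1.1.1+ flag, simulating a browser connecting by IP) must fail with an "unrecognized name" alert under `ssl_reject_handshake`, or hand back the certificate and then "Empty reply from server" for `curl -vk https://xxx.xxx.xxx.xxx/` under the `return 444` variant. Note that a `default_server` is per listen socket, so both the :443 and :8443 pairs need it; there is no way to catch "all ports of this IP" with one `listen`.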