Server IP resolves to first site #1777

Closed
af1 opened this issue Mar 1, 2023 · 16 comments

Comments

@af1

af1 commented Mar 1, 2023

I have a server with several sites on it. When I put the IP address of the server into a web browser one of the sites shows up. I feel the expected behavior here is to return 444, not forward to a domain.

@joebailey26

I had the same issue, so I added the following code to the top of the default Nginx file found at /opt/easyengine/services/nginx-proxy/conf.d/default.conf

server {
	server_name _; # This is just an invalid value which will never trigger on a real hostname.
	listen 80;
	return 503;
}

Note, this only works for HTTP. I could not get it working for HTTPS.

@af1
Author

af1 commented Mar 16, 2023

Thanks for that!

A fix for HTTPS would be great.

af1 closed this as completed Mar 16, 2023
af1 reopened this Mar 16, 2023

@mikelittle
Contributor

A solution for both HTTP and HTTPS might look like this:

server {
    listen 443 default_server deferred ssl;
    listen [::]:443 default_server deferred ssl;
    ssl_reject_handshake on;
    return 444;
}
server {
    listen 80 default_server deferred;
    listen [::]:80 default_server deferred;
    return 444;
}

Note: 444 is returned, which instructs Nginx to drop the connection rather than return an error page. The user sees "This site can’t be reached" in the browser.

Refs:

@af1
Author

af1 commented Mar 20, 2023

Hey @mikelittle thanks so much for that. I did something similar on my own referencing the docs, and it still redirects to the first site created when going to the server IP.

To clarify, I put your code as the top server block of /opt/easyengine/services/nginx-proxy/conf.d/default.conf

It still had the issue once I restarted NGINX, and once I rebooted the server, the changes were gone from the config.

@mikelittle
Contributor

mikelittle commented Mar 21, 2023

I think this is because you can't have default_server twice. If I change it to

server {
    listen 443 deferred ssl;
    listen [::]:443 deferred ssl;
    ssl_reject_handshake on;
    return 444;
}
server {
    listen 80 default_server deferred;
    listen [::]:80 default_server deferred;
    return 444;
}

it works.

(I was only checking with curl -I so I didn't see that it was returning the first site home page. Sorry!)
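
The behaviour discussed in this thread follows from how nginx picks a default server for each listen socket: the block marked default_server, or otherwise the first block defined for that socket. The Python sketch below is an added example, not code from the thread or from EasyEngine; it reports which block would answer a bare-IP request on each listen address. The sample config and hostnames are constructed, and the regex reader is a simplification that keys on the listen address as written rather than parsing nginx syntax fully.

```python
import re

# Constructed sample config: two sites, plus catch-all blocks where only
# the port-80 one carries default_server (hostnames are placeholders).
SAMPLE_CONF = """
server { listen 80; listen 443 ssl; server_name first.example; }
server { listen 80; listen 443 ssl; server_name second.example; }
server { listen 443 ssl; ssl_reject_handshake on; return 444; }
server { listen 80 default_server; return 444; }
"""

def server_blocks(conf):
    """Yield the body of every server { ... } block, matching braces."""
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def default_servers(conf):
    """Map each listen address to the block used when no server_name matches."""
    conf = re.sub(r"#.*", "", conf)  # drop comments before matching
    chosen = {}
    for body in server_blocks(conf):
        names = re.search(r"\bserver_name\s+([^;]+);", body)
        info = {
            "names": names.group(1).split() if names else [],
            "drops": bool(re.search(r"\breturn\s+444\s*;", body)),
            "rejects_tls": bool(re.search(r"\bssl_reject_handshake\s+on\s*;", body)),
        }
        for listen in re.findall(r"\blisten\s+([^;]+);", body):
            addr, *flags = listen.split()
            explicit = "default_server" in flags
            # Explicit default_server wins; otherwise the first block
            # defined for that address is the implicit default.
            if addr not in chosen or (explicit and not chosen[addr]["explicit"]):
                chosen[addr] = dict(info, explicit=explicit)
    return chosen

def exposed(conf):
    """Listen addresses whose default block serves a site instead of dropping."""
    return [a for a, b in default_servers(conf).items()
            if not (b["drops"] or b["rejects_tls"])]

if __name__ == "__main__":
    for addr, block in default_servers(SAMPLE_CONF).items():
        print(addr, block)
    print("bare-IP requests reach a site on:", exposed(SAMPLE_CONF))
```

Running it against the concatenated output of `nginx -T` shows the effective include order, which is what decides the implicit default.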

@joebailey26

Thanks for your help @mikelittle.

I've tried your updated code but SSL still redirects to a site on my server rather than dropping the connection. Here's the output from curl.

curl https://167.71.133.231 --insecure -v
*   Trying 167.71.133.231:443...
* Connected to 167.71.133.231 (167.71.133.231) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: O=CloudFlare, Inc.; OU=CloudFlare Origin CA; CN=CloudFlare Origin Certificate
*  start date: Dec 19 15:33:00 2019 GMT
*  expire date: Dec 15 15:33:00 2034 GMT
*  issuer: C=US; O=CloudFlare, Inc.; OU=CloudFlare Origin SSL Certificate Authority; L=San Francisco; ST=California
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fb7d5812800)
> GET / HTTP/2
> Host: 167.71.133.231
> user-agent: curl/7.79.1
> accept: */*
> 
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 301 
< server: nginx
< date: Wed, 22 Mar 2023 13:58:17 GMT
< content-type: text/html
< content-length: 162
< location: https://blossomtreephoto.co.uk/
< x-powered-by: EasyEngine v4.6.5
< 
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>

@af1
Author

af1 commented Mar 22, 2023

I also can't figure out a spot to place the code that isn't wiped after a reboot.

@gingerbeardman

Also bothered by this, mostly because the first site I set up is one I don't want to be seen much!

@perochak

I was facing the same. Disabling and then re-enabling the website fixed the issue.

@gingerbeardman

gingerbeardman commented Apr 16, 2023

> I was facing the same. Disabling and then re-enabling website fixed the issue

@perochak Can you please go into more detail? Thanks.

@af1
Author

af1 commented Apr 17, 2023

> I was facing the same. Disabling and then re-enabling website fixed the issue

I tried the same and it didn't work for me. Same issue.

@perochak

@gingerbeardman @af1

I have 3 websites published first on the server. 1 was pointing to a domain and 2 were not.
I pointed the 3rd to a domain but the 2nd was not yet.
So, it was behaving weird. Sometimes the 3rd starts loading contents of the 1st site and sometimes the 2nd.
I disabled the 2nd and 3rd ones and then enabled the 3rd one and it fixed the issue.

@gingerbeardman

Thank you, but sadly that does not work for me.

So, I still have the problem.

@af1
Author

af1 commented Apr 20, 2023

Thank you to @ssuess here

ok this took way longer than I wanted, but I have a good solution (for my needs anyway):

ee site create 1.1.1.1 (put your IP in there)
ee site update 1.1.1.1 --ssl=self

then, edit the index.html file inside htdocs to say whatever you want. Mine says "Nothing to see here."

af1 closed this as completed Apr 20, 2023

@gingerbeardman

Thanks!

FYI I got a browser warning about SSL certificate mismatch (SSL from my first site) and also 502 Bad Gateway. I disabled and re-enabled the first site and everything is working nicely.

@gingerbeardman

Would be good to not have to work around this.
