  1. Have two server blocks.

  2. default_server block inside http block of nginx.conf:

server {
   server_name _;
   listen 80 default_server;
   listen [::]:80 default_server ipv6only=on;
   listen 443 default_server;
   return 404;
}
include /etc/nginx/sites-enabled/*;
  3. A working domain/website block inside sites-enabled:
server {
  listen 80;
  listen 443;
  server_name example.com;
  return 301 https://www.$server_name$request_uri;
}

server {
  listen 80;
  listen 443 ssl;
  root /var/www/example.com/htdocs/;
  index index.html index.htm;

  server_name www.example.com;
}

(I have this setup to redirect all non-www to www and all http to https)

  4. I have a cert for both non-www and www for my domain. Nginx for some reason is calling any subdomain instead of giving default website cannot be found/ERR_CONNECTION_RESET/ error.

  5. For example if I go to https://asdf.example.com/ Nginx calls it and the browser tells you it's an insecure SSL cert, then you accept it anyway and get a 404 page.

  6. How do I jump to the 404 page skipping the invalid cert message, or how do I jump straight to 'page not found' and not the 404? E.g. if you go to https://asdf.serverfault.com it doesn't give a 404, it gives an ERR_CONNECTION_RESET/. I want that for all non-existent subdomains and domains on my server.

Update: Could it be that all my ssl_certificate lines are added to the main http block too? If so, that still doesn't solve calling for ERR_CONNECTION_RESET and not 404 like the given example on 6.

1 Answer

If you open https://asdf.example.com directly, then the browser will resolve asdf.example.com to an IP address and then connect to it using the HTTPS protocol. If the server (with the retrieved IP) is listening on port 443 and returns no certificate for this domain, or an invalid one, then the browser will warn you about the insecure protocol before finishing up the request (e.g. displaying the 404 error).

https://asdf.serverfault.com gives a connection error because this subdomain is not registered; it has no IP address. That's why you see this error. If you want to make sure asdf.example.com returns a connection error instead of an SSL warning, then make sure that this subdomain is not registered and there is no wildcard (*) record for example.com.

  • You mean no CNAME with wildcard for example.com in the DNS records? Nov 9, 2017 at 21:06
  • https://asdf.serverfault.com does not give an ERR_CONNECTION_RESET since there is no connection which could have been reset. As you correctly said, the site has no entry in DNS and thus the client fails to determine an IP address for the site, which means that it cannot create a TCP connection to it. But ERR_CONNECTION_RESET is the result of receiving a RST packet on an established TCP connection, which does not exist in this case. Nov 9, 2017 at 21:07
  • @SteffenUllrich Chrome reports ERR_CONNECTION_RESET. Also if server didn't listen to 443 then how would SSL work, I'm not following. You're suggesting to remove listen 443 default_server;? Nov 9, 2017 at 21:08
  • My Chrome reports DNS_PROBE_FINISHED_NXDOMAIN. Chrome might report ERR_CONNECTION_RESET if you connect through a proxy and only the proxy tries to resolve the domain name. In this case there is a TCP connection to the proxy which can be reset. Nov 9, 2017 at 21:10
  • @SteffenUllrich You are right, it is not ERR_CONNECTION_RESET in this case. Nov 9, 2017 at 21:11
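
When an unknown name does resolve to the server, nginx can refuse the TLS handshake for names it does not serve, so no mismatched certificate is ever presented. The following is an added example, not part of the question or the answer above; it assumes nginx 1.19.4 or later (for `ssl_reject_handshake`) and uses placeholder certificate paths.

```nginx
# Added example, not the asker's configuration. Needs nginx >= 1.19.4.
# Certificate paths below are placeholders.

# Catch-all: requests whose Host/SNI name matches no other server block land here.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;

    # Abort the TLS handshake for unknown names: no certificate is sent,
    # so the browser reports a failed connection instead of a cert warning.
    ssl_reject_handshake on;

    # Plain HTTP to an unknown name: close the connection without a response.
    return 444;
}

# http -> https for both names of the real site.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    return 301 https://www.example.com$request_uri;
}

# https non-www -> www (the certificate must cover example.com as well).
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;
    ssl_certificate     /path/to/example.com.crt;   # placeholder
    ssl_certificate_key /path/to/example.com.key;   # placeholder
    return 301 https://www.example.com$request_uri;
}

# The site itself.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name www.example.com;
    ssl_certificate     /path/to/example.com.crt;   # placeholder
    ssl_certificate_key /path/to/example.com.key;   # placeholder
    root /var/www/example.com/htdocs/;
    index index.html index.htm;
}
```

Run `nginx -t` to validate the configuration before reloading.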
