Welcome! Log In Create A New Profile

Advanced

how to deal with unexpected traffic securely

Posted by genfoch01 
how to deal with unexpected traffic securely
January 23, 2022 05:43PM
Ubuntu 20.04.3 LTS
nginx version: nginx/1.20.2


I was looking to use nginx as a reverse proxy for incoming ssl traffic. nginx has no certs, it is using ssl_preread to get the server name and rout it to the backend.
I have one server listening on port 80 which does a redirect to port 443

really simple and it does work..

my firewall forwards ports 80 and 443 to nginx which in turn sends the traffic to the backend server.

----------------- my config -----------------------------

server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
return 301 https://$host$request_uri;
}

stream {

map $ssl_preread_server_name $name {

mosa.citystates.net other-server;
}



upstream other-server{
server 192.168.10.166:443;
}

server {
listen 443;
proxy_pass $name;
ssl_preread on;
}
}

--------------------------------------------------------------------------------------


so what happens when servername in the request does not match any of the names in the stream map ? How do i gracefully send thos requests to the bit bucket ?

for example : if my dns resolves the wrong domain to my nginx server, nginx could get a request for abc.citystates.net which does not match any of the names in its map. what is the expected response here? what I goes was a response from mosa.citystates.net saying " The provided host name is not valid for this server " and it also sent the mosa.citystates.net cert back with the response which has really confused me.

my expectation was that something not matching the stream map would get dropped. and i'd also not expect it to forward the request to a server whos name did not match.

note also if i just go to the ip address of the nginx server i get "this site cant be reached" with no cert which is much more inline with what i though should happen.

so, I realize this has been a bit long, i am new to nginx so succinct descriptions of the issue are a bit beyond me right now.

any thoughts on how to address this really helpful
-FG
Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 123
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready