how to deal with unexpected traffic securely

Posted by genfoch01 
January 23, 2022 05:43PM
Ubuntu 20.04.3 LTS
nginx version: nginx/1.20.2


I was looking to use nginx as a reverse proxy for incoming SSL traffic. nginx has no certs; it is using ssl_preread to get the server name and route it to the backend.
I have one server listening on port 80 which does a redirect to port 443.

Really simple, and it does work.

my firewall forwards ports 80 and 443 to nginx which in turn sends the traffic to the backend server.

----------------- my config -----------------------------

# On Ubuntu this block normally lives in /etc/nginx/sites-enabled/, which is
# included inside the http { } context of nginx.conf.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    # plain-HTTP requests are redirected to HTTPS on the same host
    return 301 https://$host$request_uri;
}

# The stream block must sit at the top level of nginx.conf, outside http { }.
stream {

    # choose the upstream from the SNI server name in the TLS ClientHello
    map $ssl_preread_server_name $name {
        mosa.citystates.net other-server;
        # there is no "default" entry, so any other name leaves $name empty
    }

    upstream other-server {
        server 192.168.10.166:443;
    }

    server {
        listen 443;
        proxy_pass $name;
        ssl_preread on;
    }
}

--------------------------------------------------------------------------------------


So what happens when the server name in the request does not match any of the names in the stream map? How do I gracefully send those requests to the bit bucket?

For example: if my DNS resolves the wrong domain to my nginx server, nginx could get a request for abc.citystates.net, which does not match any of the names in its map. What is the expected response here? What I got was a response from mosa.citystates.net saying "The provided host name is not valid for this server", and it also sent the mosa.citystates.net cert back with the response, which has really confused me.

My expectation was that something not matching the stream map would get dropped, and I'd also not expect it to forward the request to a server whose name did not match.

Note also, if I just go to the IP address of the nginx server I get "This site can't be reached" with no cert, which is much more in line with what I thought should happen.

So, I realize this has been a bit long; I am new to nginx, so succinct descriptions of the issue are a bit beyond me right now.

Any thoughts on how to address this would be really helpful.
-FG
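One defensive way to handle an SNI name that is not in the map, written as an added example for this thread (it is not part of the original post, and it is not quoted from the nginx documentation): give the map a `default` that points at a loopback-only sink server which denies every connection, and log the SNI name so unknown hosts show up in the stream log. The sink port 127.0.0.1:4443, the log path and the log format name are assumptions.

```nginx
stream {
    # Log every session with the SNI name seen and the upstream it was
    # mapped to, so unknown or missing names are visible to the operator.
    log_format sni '$remote_addr [$time_local] sni="$ssl_preread_server_name" upstream="$name"';

    # "default" catches every name that is not listed, including an empty
    # name when the client sends no SNI at all, and routes it to the sink.
    map $ssl_preread_server_name $name {
        mosa.citystates.net    other-server;
        default                sink;
    }

    upstream other-server {
        server 192.168.10.166:443;
    }

    # Loopback-only sink; port 4443 is an assumed free local port.
    upstream sink {
        server 127.0.0.1:4443;
    }

    # The sink accepts the TCP connection and closes it immediately, so an
    # unknown name never reaches a backend and no backend certificate is
    # returned to the client.
    server {
        listen 127.0.0.1:4443;
        deny all;
    }

    server {
        listen 443;
        ssl_preread on;
        proxy_pass $name;
        access_log /var/log/nginx/stream-sni.log sni;
    }
}
```

A client hitting the sink sees the connection dropped rather than a certificate for a different host, and the log line records which name it asked for.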