Welcome! Log In Create A New Profile

Advanced

How to return 444 for only specific HTTP and HTTPS sites

Posted by TheConsumer 
How to return 444 for only specific HTTP and HTTPS sites
May 04, 2010 11:03PM
What I would like to achieve:

Access to ONLY servers defined, all others receive a 444.

What I am getting instead:

Desired behavior with port 80 traffic, port 443, not so much.

Is it possible, upon the socket being established, to return a RST _before_ the cert exchange? Perhaps upon the Client Hello? I've tried to achieve this with IPTables and string matches, but not all browsers send the $host in the Client Hello.

I've tried defining the 'wildcard' SSL server with the 'ssl off' parameter and no certs, which generates the desired RST, but doesn't allow access to the SSL site that I _want_ clients to access, https://dom4.net, it too gets an ACK/RST after the Hello.

[code]
server {
server_name _;
listen 80;
return 444;
}
server {
listen 80;
server_name dom1.org www.dom1.org sub1.dom1.org dom2.com *.dom2.com dom3.org *.dom3.org;
location / {
access_log /var/log/nginx/access.global.log;
proxy_pass http://1.2.3.4:80;
proxy_buffering on;
proxy_cache my-cache;
proxy_cache_valid 200 302 10m;
proxy_cache_valid 404 1m;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_read_timeout 1s;
}
}
server {
server_name _;
listen 443;
ssl on;
ssl_certificate /etc/nginx/mycert.crt;
ssl_certificate_key /etc/nginx/mycert.pem;
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_prefer_server_ciphers on;
return 444;
}
server {
listen 443 ssl;
server_name dom4.net;
ssl_certificate /etc/nginx/mycert.crt;
ssl_certificate_key /etc/nginx/mycert.pem;
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_prefer_server_ciphers on;
location / {
access_log /var/log/nginx/access.soni.ssl.log;
proxy_pass http://1.2.3.4:1234;
proxy_buffering on;
proxy_cache my-cache;
proxy_cache_valid 200 302 10m;
proxy_cache_valid 404 1m;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_pass_header Host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
}
[/code]

I posted a similar request here: http://forum.nginx.org/read.php?11,79112 -- But never received a response. I am hoping to achieve the above instead because it seems somehow more do-able.
Re: How to return 444 for only specific HTTP and HTTPS sites
July 07, 2010 04:43PM
...Anyone?
Re: How to return 444 for only specific HTTP and HTTPS sites
October 18, 2010 01:30PM
Anyone at all?
Re: How to return 444 for only specific HTTP and HTTPS sites
January 11, 2011 12:56PM
For anyone who is interested, I achieved this with iptables and a forced RST when the wrong subdomain is specified:

[code]
iptables -A INPUT -i eth0 -p tcp --tcp-flags FIN,PSH,ACK PSH,ACK --dport [Listener Port] -m connbytes --connbytes 3:3 --connbytes-dir original --connbytes-mode packets -m string --algo bm ! --string "[FQDN of vhost]" -j REJECT --reject-with tcp-reset
iptables -A INPUT -i eth0 -p tcp --dport [Listener Port] -j ACCEPT
[/code]
Re: How to return 444 for only specific HTTP and HTTPS sites
January 11, 2011 05:12PM
Note: the above solution only works with certain browsers, those which send the FQDN in the Client Hello.

Works: Firefox & Chrome.
Does not work: Internet Explorer & openssl s_client.

This solution is still satisfactory for my purposes.
Re: How to return 444 for only specific HTTP and HTTPS sites
June 10, 2024 10:32PM
```nginx
server {
listen 80;
server_name "";
return 444;
}
```

sourced from https://nginx.org/en/docs/http/request_processing.html by Igor Sysoev
Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 182
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 500 on July 15, 2024
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready