Hi,

My own domain, let's say 'example.com', is registered in the HSTS preload database (https://hstspreload.org).

I setup my domain as virtual host in Nginx,

/etc/nginx/sites-enabled/example.conf

server {
listen 172.17.0.1:80;
server_name example.com www.example.com;
location / {
return 301 https://example.com$request_uri;
}
}

server {
listen 172.17.0.1:443 ssl http2;
server_name example.com www.example.com;

ssl_trusted_certificate "/etc/ssl/trusted.crt.pem";
ssl_certificate "/etc/ssl/chain.crt.pem";
ssl_certificate_key "/etc/ssl/privkey.pem";

add_header Strict-Transport-Security "max-age=315360000; includeSubDomains; preload";

location / {...}
}

The cert is good for example.com + www.example.com.

When I go to

https://example.com

it works like you would expect.


I also set up a fallback, default server in my main nginx config

/etc/nginx/nginx.conf

...
server {
listen 80 default_server;
listen [::]:80 ipv6only=on default_server;
server_name _;
return 301 https://$host;
}

server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 ipv6only=on default_server;
server_name _;

ssl_trusted_certificate "/etc/ssl/trusted.crt.pem";
ssl_certificate "/etc/ssl/null.crt.pem";
ssl_certificate_key "/etc/ssl/nullkey.pem";

return 444;
}
include sites-enabled/*.conf;

If I go to a subdomain of my domain that has a DNS A-record pointing to the same IP, but no Nginx virtual hosted site,

https://subdomain.example.com

in the browser I get this message

Did Not Connect: Potential Security Issue
Firefox detected a potential security threat and did not continue to subdomain.example.com because this website requires a secure connection.
What can you do about it?
subdomain.example.com has a security policy called HTTP Strict Transport Security (HSTS), which means that Firefox can only connect to it securely. You can’t add an exception to visit this site.
The issue is most likely with the website, and there is nothing you can do to resolve it. You can notify the website’s administrator about the problem.
Learn more…

Websites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for subdomain.example.com. The certificate is only valid for the following names: example.com, www.example.com

Error code: SSL_ERROR_BAD_CERT_DOMAIN
View Certificate

I expect it to fail with a 444, and only have info about the failed subdomain.

Why does it respond with cert info about the "example.com, www.example.com
" certs at all? Those are only for the full-domain site.

What do I need to set up to just get a fallback 444 response and NO information about any other domain's certs etc, when I visit the un-hosted subdomain.example.com?

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx