====== Default server in nginx ======
To avoid a random site being served when the host is opened by its IP address, and to handle every request for an unknown name, we need to create a "default" virtual host.
Create a new file ''default_server.conf'' in the ''/etc/nginx/conf.d'' directory.
Don't forget the include in the http section:
<code nginx>
http {
    include /etc/nginx/conf.d/*.conf;
}
</code>
Default server on port 80:
<code nginx>
server {
    listen 1.2.3.4:80 default_server;
    listen [::]:80 default_server;
    server_name _;
    server_name_in_redirect off;
    log_not_found off;
    return 410;
}
</code>
For HTTPS it is a bit more complicated (see [[https://nginx.org/ru/docs/http/request_processing.html|How nginx processes a request]]).
Here [[https://en.wikipedia.org/wiki/Snake_oil|snake oil]] comes to the rescue :) Create a self-signed certificate for the default_server:
{{:linux:nginx:ssl_self_signed.jpg?nolink|}}
<code bash>
openssl req -newkey rsa:2048 -nodes -keyout snakeoil_key.pem -x509 -days 3650 -out snakeoil_crt.pem
</code>
Default server on port 443:
<code nginx>
server {
    listen 1.2.3.4:443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name _;
    ssl_certificate /etc/nginx/ssl/snakeoil_crt.pem;
    ssl_certificate_key /etc/nginx/ssl/snakeoil_key.pem;
    server_name_in_redirect off;
    log_not_found off;
    return 410; # most howtos use 444 here
}
</code>
Instead of ''return 444'' you can use ''return 410''. The **410 Gone** status tells bots and search engines that the URL can be dropped and never indexed again.
{{:linux:nginx:nginx_default_server_410.png?nolink&600|}}
Let's check with curl.
**return 410**
<code>
# curl -D -k -s -v http://1.2.3.4
* About to connect() to 1.2.3.4 port 80 (#0)
*   Trying 1.2.3.4...
* Connected to 1.2.3.4 (1.2.3.4) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 1.2.3.4
> Accept: */*
>
< HTTP/1.1 410 Gone
< Server: nginx/1.16.1
< Date: Sat, 18 Apr 2020 16:31:34 GMT
< Content-Type: text/html
< Content-Length: 143
< Connection: keep-alive
<
410 Gone
410 Gone
nginx/1.16.1
* Connection #0 to host 1.2.3.4 left intact
</code>
<code>
# curl -D -k -s -v https://1.2.3.4
* About to connect() to 1.2.3.4 port 443 (#0)
*   Trying 1.2.3.4...
* Connected to 1.2.3.4 (1.2.3.4) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
*       subject: CN=RTFM,OU=RTFM,O=RTFM,L=RTFM,ST=RTFM,C=UK
*       start date: Apr 17 16:36:35 2020 GMT
*       expire date: Apr 15 16:36:35 2030 GMT
*       common name: RTFM
*       issuer: CN=RTFM,OU=RTFM,O=RTFM,L=RTFM,ST=RTFM,C=UK
* NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)
* Peer's certificate issuer has been marked as not trusted by the user.
* Closing connection 0
</code>
**return 444**
<code>
# curl -D -k -s -v http://1.2.3.4
* About to connect() to 1.2.3.4 port 80 (#0)
*   Trying 1.2.3.4...
* Connected to 1.2.3.4 (1.2.3.4) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 1.2.3.4
> Accept: */*
>
* Empty reply from server
* Connection #0 to host 1.2.3.4 left intact
</code>
<code>
# curl -D -k -s -v https://1.2.3.4
* About to connect() to 1.2.3.4 port 443 (#0)
*   Trying 1.2.3.4...
* Connected to 1.2.3.4 (1.2.3.4) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
*       subject: CN=RTFM,OU=RTFM,O=RTFM,L=RTFM,ST=RTFM,C=UK
*       start date: Apr 17 16:36:35 2020 GMT
*       expire date: Apr 15 16:36:35 2030 GMT
*       common name: RTFM
*       issuer: CN=RTFM,OU=RTFM,O=RTFM,L=RTFM,ST=RTFM,C=UK
* NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)
* Peer's certificate issuer has been marked as not trusted by the user.
* Closing connection 0
</code>
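The manual curl checks above only cover the bare IP. A request whose Host header or TLS SNI matches none of the configured server_name values also lands on the default_server, so it is worth probing both cases. The script below is an added example and not part of the original page: it uses curl's ''--resolve'' to force the connection to the address while sending an unknown name, and classifies the answer (410 vs. 444 vs. a real site leaking through). The address ''1.2.3.4'' and the name ''unknown-host.invalid'' are placeholders; curl is assumed to be installed.

```shell
#!/bin/sh
# Added example: verify what nginx's default_server answers for requests that
# match no server_name. Usage: sh check_default.sh 1.2.3.4 [unknown-name]

# interpret CURL_EXIT HTTP_CODE -> verdict on stdout
interpret() {
    case "$1:$2" in
        0:410)      echo "gone" ;;     # return 410: explicit "410 Gone" answer
        52:*)       echo "closed" ;;   # CURLE_GOT_NOTHING: return 444 closed the connection
        0:2*|0:3*)  echo "leak" ;;     # a real site answered: no default_server is catching this
        *)          echo "other($1:$2)" ;;
    esac
}

# probe IP PORT NAME -> prints "URL verdict"
# --resolve pins the TCP connection to IP while Host header and SNI carry NAME;
# -k accepts the self-signed snakeoil certificate of the default server.
probe() {
    ip="$1"; port="$2"; name="$3"
    if [ "$port" = 443 ]; then scheme=https; else scheme=http; fi
    url="$scheme://$name:$port/"
    code=$(curl -sk -o /dev/null -w '%{http_code}' --resolve "$name:$port:$ip" "$url")
    rc=$?
    printf '%s %s\n' "$url" "$(interpret "$rc" "$code")"
}

# Only probe the network when an address is given on the command line.
if [ "$#" -ge 1 ]; then
    ip="$1"; name="${2:-unknown-host.invalid}"
    for port in 80 443; do
        probe "$ip" "$port" "$ip"     # bare IP, as in the checks above
        probe "$ip" "$port" "$name"   # unknown Host / SNI name
    done
fi
```

Any line ending in ''leak'' means a real virtual host is being served as the catch-all and the default_server block is missing or not the one nginx picked for that listen socket.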
{{tag>nginx default_server "return 444"}}