Score:0

Return 444 Instead of 400

mt flag

If someone makes an http request to an https resource on my nginx server, they get an error 400: "The plain HTTP request was sent to HTTPS port". Is there a way to return 444 instead?

When I search for this error, I can only find people that have had configuration issues they were trying to fix. But in my case, my configuration is fine - I'm trying to minimize impact of illegitimate requests.

Edit: I'm using this to prevent direct IP access to my server. If someone makes an http request, they get response 400 instead of 444. I just want no response.

server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    ssl_certificate /etc/nginx/ssl/n.pem;
    ssl_certificate_key /etc/nginx/ssl/n2.pem;
    server_name _;
    return 444;
}
vn flag
This probably needs to be tackled at the application level.
Gerard H. Pille avatar
in flag
It would be better not to answer at all. Sending http to the https port takes effort, it can hardly be a mistake.
mt flag
That's what I'm trying to figure out how to do. How do I just not answer at all, instead of returning error 400?
Michael Hampton avatar
cz flag
nginx handles that scenario internally. It is not something you can (or should) control.
Score:0
cn flag

It's possible to have nginx respond with 444 this way:

error_page 497 =444 /444.html;

location = /444.html {
        return 444;
}
Michael Hampton avatar
cz flag
Where does the 497 error come from?
devitrified avatar
cn flag
497 is the error code for HTTP Request Sent to HTTPS Port (https://en.wikipedia.org/wiki/List_of_HTTP_status_codes)
Michael Hampton avatar
cz flag
Interesting. I've never actually seen nginx send that code (and it sends 400 on my production boxes). When was this added and/or how do you enable it?
devitrified avatar
cn flag
It's not officially documented, so very little info is available
Michael Hampton avatar
cz flag
Have you actually tried it to see if it works?
devitrified avatar
cn flag
Of course, that's why I've posted it here. If you use a non-standard port for https you'll get Baidu spiders and others hitting it eventually. They get 444 with this solution.
Michael Hampton avatar
cz flag
OK, so how do you actually get it to work?
devitrified avatar
cn flag
Just copy/paste these lines inside your server block and restart nginx
Michael Hampton avatar
cz flag
On what version of nginx?
devitrified avatar
cn flag
I'm using nginx/1.15.8
Michael Hampton avatar
cz flag
That's even stranger, because I just tried it on 1.20.0 and it returns 400, not 497. Maybe this has been removed from the code.
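
To check which of the two behaviours discussed above a given nginx build shows (the 400 page or a silent close), this added example, which is not part of the original thread, sends one plain-HTTP request to a TLS port on a server you administer and reports what came back. The function names `classify` and `probe_plain_http` are made up for this illustration.

```python
import socket
import sys


def classify(data):
    """Map the raw bytes a server sent back to a short verdict."""
    if not data:
        return "closed"          # nothing sent before the close: the 444 behaviour
    parts = data.split(b"\r\n", 1)[0].decode("latin-1").split()
    if len(parts) >= 2 and parts[0].startswith("HTTP/") and parts[1].isdigit():
        return int(parts[1])     # e.g. 400, the status discussed in this thread
    return "non-http"


def probe_plain_http(host, port=443, timeout=5.0):
    """Send one plain-HTTP request to a TLS port and classify the reply."""
    request = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request.encode("ascii"))
            while b"\r\n" not in data:      # the status line is all we need
                chunk = sock.recv(4096)
                if not chunk:               # peer closed the connection
                    break
                data += chunk
    except socket.timeout:
        return "timeout"                    # neither a reply nor a close
    except (ConnectionResetError, BrokenPipeError):
        pass  # a reset with no bytes received is still "no response"
    return classify(data)


if __name__ == "__main__":
    # Usage: python3 probe.py <host> [port]
    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(probe_plain_http(target, port))
```

A result of `400` means nginx answered with its built-in error page; `closed` means the connection was dropped without any bytes, which is what `return 444` is meant to produce.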