nginx ipv6 SSL server block responding to basic http port 80 connections

Running into an issue that I haven't seen before.

In my nginx config, I have a server block set up for a single subdomain that is only listening on port 443 (ssl).

However, when I test the connection out using port 80, it's still responding. Very head scratching at the moment.

For example, curl http://blog.omgtrolls.com should not be able to connect, yet it does and spits out the site html etc. Running with verbose mode curl -v shows that it indeed is completing the connection on 80.

curl -v http://blog.omgtrolls.com
*   Trying 2607:f8b0:4005:814::200e...
* Connected to blog.omgtrolls.com (2607:f8b0:4005:814::200e) port 80 (#0)
> GET / HTTP/1.1
> Host: blog.omgtrolls.com
> User-Agent: curl/7.79.1
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx
< Date: Fri, 28 Apr 2023 01:02:17 GMT
< Content-Type: application/json; charset=utf-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Methods: GET
< Strict-Transport-Security: max-age=31536000;
< 
* Connection #0 to host blog.omgtrolls.com left intact
<html>blah blah</html>

curl https://blog.omgtrolls.com of course works as expected.

Here's a simplified version of my setup:

I recently added a new _default.nginx config to my standard setup. (I have a single config repo that gets deployed to a couple of different servers. _default.nginx gets deployed to all of them.) This config is meant to prevent domains pointing to the same server IP from being served other hosted sites.

I'm thinking perhaps that this may be related to this new problem.

# _default.nginx
# default server config to prevent undefined domains from returning responses.
server {
  listen 80 default_server;
  server_name _;
  return 404;
}

Next, I have a different nginx config file for the subdomain in question. Here's the simple version (domains changed to protect the innocent):

# omgtrolls.nginx
upstream nodejs_upstream{
  server 127.0.0.1:3000;
}

server {
  server_name blog.omgtrolls.com;

  listen [::]:443 ssl;

  root /usr/local/apps/omgtrolls/;

  add_header Strict-Transport-Security "max-age=31536000;" always;

  # required for LetsEncrypt
  location ~ /.well-known {
    allow all;
  }

  ssl_certificate /etc/letsencrypt/live/omgtrolls.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/omgtrolls.com/privkey.pem;

  location / {
    proxy_redirect off;
    proxy_set_header Connection "";
    proxy_http_version 1.1;
    proxy_cache off;
    proxy_cache_key sfs$request_uri$scheme;
    proxy_pass http://nodejs_upstream;
  }
}

Notice that I don't have a server block to catch port 80 requests and upgrade them to 443. I specifically have that bit disabled right now once I noticed this issue.

What should be happening is that I can only connect on https/443 and otherwise the connection should fail.

Is there something with my _default.nginx setup that is causing this?
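Added example (not part of the question or of any answer): a small Python audit that reads the `listen` directives out of nginx server blocks and reports which (address family, port) sockets the instance will actually open, and which it will never open. The sample config is constructed from the two files quoted above (abridged). It assumes nginx's documented defaults: a bare `listen 80` binds IPv4 only, `listen [::]:443` binds IPv6 only unless `ipv6only=off` is given, and a server block with no `listen` directive defaults to port 80. Comparing the audit's output with what `curl -v` shows being connected to (address family and port) tells you whether the response can be coming from these server blocks at all.

```python
"""Audit which (address family, port) sockets a set of nginx server blocks bind.

Added example, not code from the question. The rules encoded here are nginx's
documented defaults for the ``listen`` directive.
"""
import re
from dataclasses import dataclass

# Constructed sample: the two config files quoted in the question, abridged.
SAMPLE_CONFIG = """
# _default.nginx
# default server config to prevent undefined domains from returning responses.
server {
  listen 80 default_server;
  server_name _;
  return 404;
}

# omgtrolls.nginx
upstream nodejs_upstream{
  server 127.0.0.1:3000;
}

server {
  server_name blog.omgtrolls.com;
  listen [::]:443 ssl;
  location / {
    proxy_pass http://nodejs_upstream;
  }
}
"""


@dataclass(frozen=True)
class Listener:
    family: str          # "ipv4" or "ipv6"
    port: int
    ssl: bool
    default_server: bool
    server_name: str


LISTEN_RE = re.compile(r"^\s*listen\s+([^;]+);", re.M)
SERVER_NAME_RE = re.compile(r"^\s*server_name\s+([^;]+);", re.M)
IPV6_RE = re.compile(r"^\[(?P<host>[^\]]*)\](?::(?P<port>\d+))?$")


def split_server_blocks(text):
    """Return the body of each ``server { ... }`` block (brace-matching scan).

    Enough for directive-level configs like the ones in the question; it does
    not handle braces inside quoted strings.
    """
    blocks, i = [], 0
    while True:
        m = re.search(r"\bserver\s*\{", text[i:])
        if not m:
            return blocks
        start = i + m.end()
        depth, j = 1, start
        while depth and j < len(text):
            if text[j] == "{":
                depth += 1
            elif text[j] == "}":
                depth -= 1
            j += 1
        blocks.append(text[start:j - 1])
        i = j


def parse_listen(args, server_name):
    """Translate one ``listen`` argument list into the sockets nginx opens.

    * ``80``            -> 0.0.0.0:80, IPv4 only
    * ``[::]:443``      -> [::]:443, IPv6 only (ipv6only=on is the default)
    * ``[::]:80 ipv6only=off`` -> one dual-stack socket, so both families
    * ``1.2.3.4:80``    -> that IPv4 address only
    """
    parts = args.split()
    addr, flags = parts[0], set(parts[1:])
    if addr.startswith("unix:"):          # unix sockets are out of scope here
        return []
    ssl = "ssl" in flags
    default = "default_server" in flags or "default" in flags
    m = IPV6_RE.match(addr)
    if m:
        port, families = int(m.group("port") or 80), ["ipv6"]
        if "ipv6only=off" in flags:
            families.append("ipv4")
    elif addr.isdigit():
        port, families = int(addr), ["ipv4"]
    elif ":" in addr:
        port, families = int(addr.rsplit(":", 1)[1]), ["ipv4"]
    else:                                  # bare IPv4 address or hostname
        port, families = 80, ["ipv4"]
    return [Listener(f, port, ssl, default, server_name) for f in families]


def audit(config_text):
    """All sockets the given nginx config text binds, one Listener per socket."""
    text = re.sub(r"#.*", "", config_text)  # drop comments before scanning
    listeners = []
    for body in split_server_blocks(text):
        sn = SERVER_NAME_RE.search(body)
        name = sn.group(1).split()[0] if sn else "(none)"
        listen_args = LISTEN_RE.findall(body) or ["80"]  # nginx default: *:80
        for args in listen_args:
            listeners.extend(parse_listen(args, name))
    return listeners


def missing_sockets(listeners, ports=(80, 443)):
    """(family, port) pairs with no listener: this nginx never answers there."""
    bound = {(l.family, l.port) for l in listeners}
    return sorted((fam, p) for fam in ("ipv4", "ipv6") for p in ports
                  if (fam, p) not in bound)


if __name__ == "__main__":
    found = audit(SAMPLE_CONFIG)
    for l in found:
        print(f"{l.family}:{l.port:<5} ssl={l.ssl!s:5} default={l.default_server!s:5} {l.server_name}")
    print("never bound by this config:", missing_sockets(found))
```

For the configs in the question the audit lists exactly two sockets, IPv4 port 80 (the `_` default server) and IPv6 port 443 (`blog.omgtrolls.com`), and reports IPv6 port 80 and IPv4 port 443 as never bound. Running it against the full deployed config directory (or checking `ss -ltnp` on the host) is the quickest way to confirm whether a response seen on a given family and port can be attributed to this nginx instance.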
