58

I have a website on a VPS.

The issue I am having is that when I enter the IP of the server, it links to the website.
Even when entering mail.domain.com, it does the same thing.

How do I disable that, so a visitor would get a message or be directed to the domain?

I tried disabling the IP and mail a record on cloud flare but it didn't work.

My setup is:

VPS on Linux Debian 
Nginx
no control panel just command line
Cloudflare
DNS setup with BIND
Improve this question
2
  • You could use .htaccess if it is an apache server.
    – Lorenz Meyer
    Mar 17, 2015 at 17:13
  • Fixed some grammar and formatting
    – Phantômaxx
    Mar 17, 2015 at 17:34

10 Answers 10

Reset to default
55 
server {
    listen      80 default_server;
    listen      [::]:80 default_server;
    server_name "";
    return      444;
}

You need to specify default_server parameter so that all non available server requests goes to this server block which throws 444 error.

444 : CONNECTION CLOSED WITHOUT RESPONSE

ref: https://httpstatuses.com/444

Improve this answer
5
  • 1
    You should explain what 444 means. I hadn't seen that one before. httpstatuses.com/444
    – mpen
    Oct 28, 2017 at 19:49
  • What about https?
    – mahfuz
    Nov 15, 2019 at 9:31
  • 2
    @mahfuz for https you can add listen 443 ssl;
    – user1642018
    Nov 21, 2019 at 4:58
  • for https you need to create self-signed cert. It's not possible to 444 reponse to https requests without having some certificate.
    – Howard
    Jan 8, 2020 at 16:40
  • @Howard But 444 is not a response. NGINX would just hang the connection up on return 444;.
    – Константин Ван
    Jun 19, 2021 at 0:32
41

You can use redirect, nginx config:

server {
        listen 80;
        server_name IP_ADDRESS;
        return 301 http://YOUR.DOMAIN;
}
Improve this answer
6
  • 2
    The specific issue that's addressed here is that the IP address has to be explicitly defined and redirected or blocked with a 403 or such. I had removed all references to my IP address in the config and it still showed up for the IP- it was driving me nuts. But it seems that it falls back to allowing IP access if not overwritten. Thanks!
    – Matt Fletcher
    Nov 27, 2015 at 13:45
  • This also only works for me when listen directive also has the exact IP otherwise nginx matched a more specific server block although the server_name didn't match.
    – Avamander
    May 15, 2018 at 18:14
  • How can I do a return 301 based on the visitor: if it is local, nginx should redirect to 192.168.., if it comes from remote, then domain.com.
    – Timo
    Jul 15, 2018 at 14:11
  • Put this in /etc/nginx/conf.d/default.conf
    – tread
    Jul 17, 2018 at 19:01
  • 2
    Thanks, this works for me but still my app is accessible using IP_ADDRESS:<PORT_NUM>. How can I solve that?
    – Suresh Prajapati
    Mar 27, 2019 at 11:21
19

You can just add a server directive before others.

server {
    listen 80;
    server_name _;
    return 404;
}
Improve this answer
3
  • Will that work if one of the other server blocks has default_server? Does _ have special meaning?
    – mpen
    Oct 28, 2017 at 19:50
  • From nginx.org/en/docs/http/server_names.html : In catch-all server examples the strange name “_” can be seen: ...There is nothing special about this name, it is just one of a myriad of invalid domain names which never intersect with any real name. Other invalid names like “--” and “!@#” may equally be used.
    – uhelp
    Feb 15, 2018 at 5:31
  • 2
    @mpen it won't work if one of the other sets default_server. _ has no special meaning, you can use anything.
    – Rick
    May 31, 2019 at 4:42
10

Neither of above helped in my case - IP connection to http works as expected but https was redirecting to alphabetically first https virtual site. What was working witn nginx below 1.19.4 was to add null certificate to block:

server {
  listen 80 default_server;
  listen [::]:80 default_server;
  listen 443 default_server;
  listen [::]:443 default_server;

  ssl_certificate /etc/ssl/null.crt;
  ssl_certificate_key /etc/ssl/null.key;

  server_name "";
  return 444;
}

Certificte can be generated with empty CN so you need no worry about fill it.

openssl req -x509 -newkey rsa:2048 -days 10000 -nodes  -subj '/CN=' -keyout null.key -out null.crt

Then http/https returns 444 (ERR_EMPTY_RESPONSE), in different configurations https returns ERR_HTTP2_PROTOCOL_ERROR with your null certificate which is also fine to show there is nothing there.

For nginx 1.19.4 it is simpler. It introduced ssl_reject_handshake on | off (http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_reject_handshake) you can replace certificates 'stuff' with:

server {
  listen 80 default_server;
  listen [::]:80 default_server;
  listen 443 default_server;
  listen [::]:443 default_server;

  ssl_reject_handshake on;

  server_name "";
  return 444;
}

And now you get http 444 (ERR_EMPTY_RESPONSE) and for https ERR_SSL_UNRECOGNIZED_NAME_ALERT. No null certificates are needed.

Improve this answer
2
  • 2
    Underrated answer, awesome thank you !
    – OmerFI
    Mar 7, 2023 at 22:42
  • A beautiful answer that just works!
    – Agent47DarkSoul
    Oct 9, 2023 at 21:17
6

You can use redirect, nginx config:

server {
        listen 80;`enter code here`
        server_name IP_ADDRESS;
        return 301 http://YOUR.DOMAIN;
}
Improve this answer
2
  • 1
    Welcome to Stack Overflow! Please note that while a code snippet can be a useful answer on its own, it's preferable to leave some commentary for future readers about why this solves the problem. Thanks!
    – Erty Seidohl
    May 6, 2018 at 16:24
  • The issue with this solution that you need to know IP address of your server upfront. New things (like running on distributed architectures) quite often may move your nginx to different IP's.
    – Victor Ronin
    Sep 21, 2018 at 1:39
4

you can return any error you find suitable. A list of errors can be found here List_of_HTTP_status_codes

server {
    listen      x.x.x.x:80;
    server_name x.x.x.x;
    return      404;
}
Improve this answer
2

You may try to set the server IP address in:

/etc/nginx/conf.d/default.conf

So it looks like this:

server {
    listen 80;
    server_name localhost IP.OF.VPS.HERE;

Then you can specify the subdomain vhost, like:

server {
        listen 80;
        server_name subdomain.domain.com;

And the main domain, like:

server {
        listen 80;
        server_name www.domain.com domain.com;

Then restart Nginx:

/etc/init.d/nginx restart

Each vhost should have its own *.conf file (for better organization), like:

/etc/nginx/conf.d/subdomain.domain.com.conf
/etc/nginx/conf.d/domain.com.conf
/etc/nginx/conf.d/default.conf
Improve this answer
2
  • Will all *.conf files be read automatically? Or do I need to include them somewhere?
    – luckydonald
    Dec 14, 2016 at 8:33
  • 1
    @luckydonald nginx.conf automatically includes all files under the conf.d directory with include /etc/nginx/conf.d/*.conf;
    – Ron
    Jan 14, 2018 at 8:34
2

Put this at top of your /etc/nginx/conf.d/SERVER_IP_ADDRESS.conf file and comment everything what is below it.

#disabling accesing server by ip address
server {
        listen SERVER_IP_ADDRESS:80 default;
        server_name _;
        return 404;
}

Then restart your Nginx server (on Ubuntu it is done by service nginx restart this command)

Now when you will put your server's ip address to browser url field you will get 404 error.

Improve this answer
1 
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 default_server;
    listen [::]:443 default_server;
    return 444;
}

Don't bother supporting HTTP/2 or SSL connection for a sink. It does catch-all without those unnecesities. For the unsupported, it just refuses such connections.

See https://stackoverflow.com/a/68042877/4510033.

Improve this answer
0 
if ($http_host != "example.com") {
    return 301 https://example.com;
}
Improve this answer
0

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Not the answer you're looking for? Browse other questions tagged or ask your own question.