The current default and catchall config in nginx causes a domain leak. Maybe create a 000-catchall like:
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    server_tokens off;
    ssl_reject_handshake on;
    return 444;
}
And also remove the default since it is no longer needed!?
I need a bit more context on this. A domain leak? How does it leak your domains?
Imagine you have 10 sites on the server. When you visit the public IP of the server, nginx serves the first site and does not throw a 444.
Also a kinda similar situation with sites with SSL and no SSL.
@Dennis I am not sure if it is what he refers to, but at least I myself have faced a similar situation.
Let's say you configure a domain for a site with multiple tenants, but the tenant isn't added yet to Ploi (so there's no nginx config for it), so anyone accessing that domain will get the default server configuration until you add the tenant - leaking the default/catchall nginx server conf.
Let me know if it makes sense.
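A check for the fallback behaviour discussed in this thread, as an added example that is not part of any post and is not Ploi's own code: it reads nginx config text and reports every listen endpoint whose fallback server (the block flagged `default_server`, otherwise the first block listening there) is a real site instead of a catch-all. The function names and the `a.example` / `b.example` sites are assumptions made for the illustration.

```python
import re

def server_blocks(conf):
    """Yield each server block's own directives, in file order (no quoted-string support)."""
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#.*", "", conf))
    depth, stmt, block, block_depth = 0, [], None, 0
    for tok in tokens:
        if tok not in ("{", "}", ";"):
            stmt.append(tok)
            continue
        if tok == "{":
            depth += 1
            if stmt == ["server"] and block is None:
                block, block_depth = [], depth
        elif block is not None and depth == block_depth:
            if tok == ";":
                block.append(stmt)
            else:
                yield block
                block = None
        if tok == "}":
            depth -= 1
        stmt = []

def default_servers(conf):
    """Endpoint -> (server_name, safe) for the block nginx falls back to on that endpoint."""
    chosen = {}
    for block in server_blocks(conf):
        name = next((d[1] for d in block if d[0] == "server_name"), "")
        returns_444 = ["return", "444"] in block
        rejects_tls = ["ssl_reject_handshake", "on"] in block
        for d in (d for d in block if d[0] == "listen"):
            endpoint, flags = d[1], d[2:]
            explicit = "default_server" in flags
            # return 444 runs after the TLS handshake, so a TLS listener needs ssl_reject_handshake
            safe = rejects_tls if "ssl" in flags else returns_444
            if endpoint not in chosen or (explicit and not chosen[endpoint][2]):
                chosen[endpoint] = (name, safe, explicit)
    return {ep: (name, safe) for ep, (name, safe, _) in chosen.items()}

def leaking_endpoints(conf):
    return sorted(ep for ep, (_, safe) in default_servers(conf).items() if not safe)

# Constructed sample: two sites and no catch-all, then the catch-all from the first post.
SITES = """server { listen 80; listen 443 ssl; server_name a.example; root /var/www/a; }
server { listen 80; listen 443 ssl; server_name b.example; location / { return 444; } }"""
CATCHALL = """server { listen 80 default_server; listen [::]:80 default_server;
    listen 443 ssl default_server; listen [::]:443 ssl default_server;
    server_name _; server_tokens off; ssl_reject_handshake on; return 444; }"""
```

Endpoints are compared as written, so `80` and `[::]:80` are tracked separately, which is why the catch-all above lists both.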