# Catch-all default server for port 443: a TLS handshake whose SNI does not
# match a named server below is refused instead of being routed to the first
# vhost. No ssl_certificate is configured here -- the author reports that this
# variant breaks TLSv1.3 for the real vhost (see the curl check below).
server {
listen 443 ssl default_server;
ssl_reject_handshake on;
}
# The real virtual host: only handshakes whose SNI is your.domain reach it.
server {
listen 443 ssl;
server_name your.domain;
ssl_certificate your.domain.crt;
# Private key: keep it readable by the nginx master process (root) only.
ssl_certificate_key your.domain.key;
}
Check it out:
curl https://your.domain -I   (add -k to skip certificate verification if your.domain uses a self-signed certificate)
Oops, TLSv1.3 is missing.
Enabling ssl_reject_handshake on a default server that has no certificate breaks TLSv1.3 negotiation; the workaround is to give the default server a throwaway key and certificate:
# Throwaway self-signed certificates for the catch-all default server. With
# ssl_reject_handshake on they should never be presented to a client; they
# apparently exist only so nginx can initialise the SSL context -- TODO confirm
# against the nginx version in use. -nodes writes the private key UNENCRYPTED,
# so create the files under a restrictive umask (e.g. umask 077) and do not
# reuse them for anything else.
# RSA 2048-bit key, self-signed (-x509), valid for 10 years (-days 3650).
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /path/to/localhost-rsa.key -out /path/to/localhost-rsa.crt
# EC P-256 key (secp256r1); the <( ) process substitution needs bash, not POSIX sh.
openssl req -x509 -nodes -days 3650 -newkey ec:<(openssl ecparam -name secp256r1) -keyout /path/to/localhost-ecc.key -out /path/to/localhost-ecc.crt
This configuration works:
# Catch-all for plain HTTP: requests whose Host header matches no named server
# land here. 444 is nginx-specific -- the connection is closed without sending
# any response, so scanners learn nothing about the server.
server {
listen 80 default_server;
server_name _;
# Unmatched requests are not logged. This also hides scanner/probe traffic from
# your logs; keep a (separate) access log here if you want that visibility.
access_log off;
return 444;
}
# Catch-all for TLS on 443: ssl_reject_handshake aborts any handshake whose SNI
# matches no named server, so the throwaway certificates below should never be
# sent to a client; they are configured only to satisfy SSL context setup (the
# variant the author found keeps TLSv1.3 working).
server {
listen 443 ssl default_server;
server_name _;
# Rejected handshakes are not logged here -- see the note on the port-80 block.
access_log off;
ssl_reject_handshake on;
# Certificates and keys are paired by order of appearance: keep each
# ssl_certificate immediately followed by its own ssl_certificate_key.
# A relative path is resolved against the nginx prefix directory; the openssl
# commands above wrote to an absolute /path/to/, so use the same path here.
ssl_certificate path/to/localhost-rsa.crt;
ssl_certificate_key path/to/localhost-rsa.key;
ssl_certificate path/to/localhost-ecc.crt;
ssl_certificate_key path/to/localhost-ecc.key;
}
# The real virtual host: only handshakes whose SNI is your.domain reach it.
server {
listen 443 ssl;
server_name your.domain;
ssl_certificate your.domain.crt;
# Private key: keep it readable by the nginx master process (root) only.
ssl_certificate_key your.domain.key;
}
Or, with the HTTP and HTTPS catch-all servers merged into one block:
# Combined catch-all for ports 80 and 443. A plain-HTTP request with an
# unmatched Host gets 444 (connection closed, no response); a TLS handshake
# with an unmatched SNI is aborted by ssl_reject_handshake before the
# throwaway certificates below would be sent.
server {
listen 80 default_server;
listen 443 ssl default_server;
server_name _;
# Unmatched traffic is not logged; this also hides scanner activity from your
# logs -- keep a log here if you want that visibility.
access_log off;
ssl_reject_handshake on;
# Certificate/key pairs are matched by order of appearance. Note these file
# names differ from what the openssl commands above wrote (localhost-rsa.crt
# etc.); adjust one side so they agree. Key files must not be world-readable.
ssl_certificate /etc/nginx/ssl/localhost.crt-rsa;
ssl_certificate_key /etc/nginx/ssl/localhost.key-rsa;
ssl_certificate /etc/nginx/ssl/localhost.crt-ecc;
ssl_certificate_key /etc/nginx/ssl/localhost.key-ecc;
return 444;
}
# The real virtual host: only handshakes whose SNI is your.domain reach it.
server {
listen 443 ssl;
server_name your.domain;
ssl_certificate your.domain.crt;
# Private key: keep it readable by the nginx master process (root) only.
ssl_certificate_key your.domain.key;
}
Check it out:
curl https://your.domain -I   (add -k to skip certificate verification if your.domain uses a self-signed certificate)
# Negative test: --resolve pins some.fake.domain to this server's IP so curl
# sends an SNI that no named server serves. Expect the TLS handshake to be
# refused (a TLS alert, no HTTP headers). Getting an HTTP response here most
# likely means the catch-all block is not actually the default_server for 443.
curl https://some.fake.domain --resolve 'some.fake.domain:443:your.server.ip.address' -Ik