Merge pull request hestiacp#1316 from myrevery/main

[Security] Avoid SNI leak (for the server)

Author: Kristan Kenney

install/deb/nginx/unassigned.inc

@@ -37,6 +37,7 @@ server {
     server_name _;
     ssl_certificate      /usr/local/hestia/ssl/certificate.crt;
     ssl_certificate_key  /usr/local/hestia/ssl/certificate.key;
+    ssl_reject_handshake on;
 
     return 301 http://$host$request_uri;
 

install/deb/templates/web/nginx/proxy_ip.tpl

@@ -13,10 +13,11 @@ server {
 }
 
 server {
-    listen      %ip%:%proxy_ssl_port% ssl http2;
+    listen      %ip%:%proxy_ssl_port% ssl http2 default;
     server_name _;
     ssl_certificate      /usr/local/hestia/ssl/certificate.crt;
     ssl_certificate_key  /usr/local/hestia/ssl/certificate.key;
+    ssl_reject_handshake on;
 
     return 301 http://$host$request_uri;