Merge branch 'fix/nginx-ssl-sni' into staging/fixes

Kristan Kenney · Kristan Kenney · commit 86b06ef79308 · 2020-10-30T03:32:04.000-03:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -21,7 +21,7 @@ All notable changes to this project will be documented in this file.
 - Fixed an issue where a `no backend template doesn't exist` could potentially would appear after upgrade with older templates (#1322).
 - Introduced caching templates for nginx + php-fpm configurations  - thanks **@cmstew**!
 - Fixed an issue where DNS cluster updates could fail due to the format of a DKIM record in an available zone - thanks **@jrohde**!
-
+- Improved the behavior of nginx SSL SNI detection to reject connections for domains which have no SSL certificate - thanks **@myrevery**! 
 
 ## [1.3.0] - Major Release (Feature / Quality Update)
 ### Features
diff --git a/install/deb/nginx/unassigned.inc b/install/deb/nginx/unassigned.inc
@@ -37,6 +37,7 @@ server {
     server_name _;
     ssl_certificate      /usr/local/hestia/ssl/certificate.crt;
     ssl_certificate_key  /usr/local/hestia/ssl/certificate.key;
+    ssl_reject_handshake on;
 
     return 301 http://$host$request_uri;
 
diff --git a/install/deb/templates/web/nginx/proxy_ip.tpl b/install/deb/templates/web/nginx/proxy_ip.tpl
@@ -13,10 +13,11 @@ server {
 }
 
 server {
-    listen      %ip%:%proxy_ssl_port% ssl http2;
+    listen      %ip%:%proxy_ssl_port% ssl http2 default;
     server_name _;
     ssl_certificate      /usr/local/hestia/ssl/certificate.crt;
     ssl_certificate_key  /usr/local/hestia/ssl/certificate.key;
+    ssl_reject_handshake on;
 
     return 301 http://$host$request_uri;
 
diff --git a/install/upgrade/versions/1.3.1.sh b/install/upgrade/versions/1.3.1.sh
@@ -5,3 +5,14 @@
 #######################################################################################
 #######                      Place additional commands below.                   #######
 #######################################################################################
+
+# Update nginx configuration to block connections for unsigned (no SSL certificate) domains
+for ipaddr in $(ls /usr/local/hestia/data/ips/ 2>/dev/null); do
+    web_conf="/etc/$PROXY_SYSTEM/conf.d/$ipaddr.conf"
+
+    if [ "$PROXY_SYSTEM" = "nginx" ]; then
+        echo "[ * ] Hardening nginx SSL SNI configuration..."
+        cp -f $HESTIA_INSTALL_DIR/nginx/unassigned.inc $web_conf
+        sed -i 's/directIP/'$ipaddr'/g' $web_conf
+    fi
+done
