Thursday, October 24, 2013

Remember to have a "catch-all" in your nginx configuration when using virtual domains

I got a bit stressed when I saw that a beta for a service I am working on was out in the open. I checked every config file and firewall, and could not see why the site would respond to a different domain and to the IP when the server_name in nginx was set.

I cannot stress this enough: You need a catch-all in your nginx config!

If you do not have a server config block to catch all "non-virtual" domains, nginx just picks the first available server configuration. That is quite different from what I was used to with Apache. And if you have private and public sites on a mixed box, that might be mission-critical if sensitive data gets out...

So do yourself a favor and throw this into your nginx config before the virtual hosts are loaded:

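 server {
   # Explicit default for port 80, so the catch-all does not depend on block order
   listen 80 default_server;
   root /usr/share/nginx/www;
   index index.html index.htm;

   location / {
     try_files $uri $uri/ /404.htm =404;
   }
 }

 # Virtual Host Configs
 # ....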

Without the above settings, your site will be accessible on any domain pointing to the server, and any IP the server hosts.
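
To audit an existing configuration for this problem, the following added example (not part of the original post) parses nginx config text and reports every listen address whose default server is a named virtual host chosen only by its position. The sample config and hostnames are constructed, and listen addresses are compared exactly as written (`80` and `*:80` are not merged).

```python
import re

# Constructed sample: a private beta vhost is listed first and there is no catch-all.
SAMPLE = """
http {
    server {
        listen 80;
        server_name beta.example.internal;   # hypothetical private site
    }
    server {
        listen 80;
        server_name www.example.com;         # hypothetical public site
        location / { try_files $uri $uri/ =404; }
    }
}
"""

def server_blocks(conf):
    """Return one {'listen': [...], 'names': [...]} dict per server { } block."""
    conf = re.sub(r"#[^\n]*", "", conf)           # drop comments (no quoted '#' support)
    blocks, stack, stmt = [], [], []
    for tok in re.findall(r"[{};]|[^\s{};]+", conf):
        if tok == "{":                            # block opens; stmt[0] is its name
            stack.append(stmt[0] if stmt else "")
            if stack[-1] == "server":
                blocks.append({"listen": [], "names": []})
            stmt = []
        elif tok == "}":
            stack.pop()
            stmt = []
        elif tok == ";":                          # directive ends
            if stmt and stack and stack[-1] == "server":
                if stmt[0] == "listen":
                    blocks[-1]["listen"].append(stmt[1:])
                elif stmt[0] == "server_name":
                    blocks[-1]["names"] += stmt[1:]
            stmt = []
        else:
            stmt.append(tok)
    return blocks

def implicit_defaults(conf):
    """Map listen address -> names of a named vhost that is default only by position."""
    first, explicit = {}, set()
    for block in server_blocks(conf):
        for args in block["listen"] or [["80"]]:  # no listen directive: treated as port 80
            if "default_server" in args[1:]:
                explicit.add(args[0])
            first.setdefault(args[0], block["names"])
    return {addr: names for addr, names in first.items()
            if addr not in explicit and any(n not in ("_", '""') for n in names)}
```

Feed it the output of `nginx -T` to cover included virtual host files; an empty result means every listen address either has an explicit `default_server` or starts with a block that names no real host.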