This configuration is a security measure: a catch-all "black hole" default server block that handles any request whose `Host` header (or TLS server name) does not match a domain explicitly configured on the server.


Setup

1) Create a self-signed certificate with openssl, valid for 10 years (3650 days). The CN `_` is a deliberately meaningless placeholder; this certificate only has to let the TLS handshake complete, it never has to validate.

sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
  -keyout /path/to/dummy.key \
  -out /path/to/dummy.crt \
  -subj "/CN=_"

2) Create a new server block in the Nginx config, marked `default_server` on every address and port you listen on.

server {
    # default_server on every listening socket: IPv4 and IPv6, HTTP and HTTPS
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;

    # "_" is an invalid hostname used by convention; default_server does the matching
    server_name _;

    # dummy certificate, so the handshake completes without exposing a real site's cert
    ssl_certificate     /path/to/dummy.crt;
    ssl_certificate_key /path/to/dummy.key;

    # Nginx-specific code: close the connection without sending any response
    return 444;
}

3) Test the configuration and restart the Nginx service.

sudo nginx -t
sudo service nginx restart

Why this helps

1) Many automated bots scan IP addresses directly rather than using domain names. Nginx's non-standard `444` code closes the connection without sending any response, so you save bandwidth and hide the fact that an active web server is running: the scanner gets a dropped connection instead of an HTTP reply.

2) It ensures that requests with fake or unexpected `Host` headers are dropped rather than being routed to your actual application by whichever block Nginx would otherwise pick as the implicit default.

3) Modern HTTPS requires a certificate to complete the handshake. Without this default block, if someone hits your IP via HTTPS (with no SNI, or an unknown one), Nginx serves the certificate of whichever `server` block it falls back to for that port, by default the first one defined, so the hostname of one of your real sites is exposed. Using a dummy certificate ensures your "real" certificates aren't leaked to scanners.
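To confirm that a deployed black hole block actually behaves as the three points above describe, here is an added client-side check script. It is not part of the original write-up; it assumes the block is live on the host passed as the first argument, that curl and OpenSSL 1.1.1 or newer (for `-noservername`) are installed on the client, and it uses a hypothetical site name `REAL_HOST` and a constructed placeholder address for illustration.

```shell
#!/usr/bin/env bash
# Added verification script for the catch-all block; not from the original page.
# Assumes the block is live on the host given as $1 and that curl and openssl
# (1.1.1+, for -noservername) exist on the client. REAL_HOST is a hypothetical
# name the server genuinely serves; 203.0.113.10 below is a constructed placeholder.
REAL_HOST="${REAL_HOST:-www.example.com}"

# Map curl's exit status to a verdict. nginx's 444 closes the connection
# without writing a response, which curl reports as exit 52 ("Empty reply").
classify_curl() {
  case "$1" in
    52) echo dropped ;;
    0)  echo answered ;;
    *)  echo "error($1)" ;;
  esac
}

# Extract the CN from an `openssl x509 -subject` line. Handles both the
# "subject=CN = _" (OpenSSL 1.1.1+) and "subject=/CN=_" (older) layouts.
served_cn() {
  sed -n 's|^subject=.*CN *= *\([^,/]*\).*|\1|p' | head -n1 | sed 's/ *$//'
}

# 1) HTTP with a Host header that matches no configured site: should be dropped.
check_bogus_host() {
  rc=0
  curl -s -o /dev/null --max-time 5 -H 'Host: does-not-exist.invalid' "http://$1/" || rc=$?
  classify_curl "$rc"
}

# 2) HTTPS by bare IP: curl sends no SNI for an IP literal, so the default block
#    answers; -k accepts the self-signed dummy cert, the request itself is dropped.
check_bare_ip_https() {
  rc=0
  curl -sk -o /dev/null --max-time 5 "https://$1/" || rc=$?
  classify_curl "$rc"
}

# 3) Which certificate does a scanner see? Connect without SNI and print the CN:
#    "_" means the dummy certificate; anything else means a real site's cert leaked.
check_served_cn() {
  printf '' | openssl s_client -connect "$1:443" -noservername 2>/dev/null \
    | openssl x509 -noout -subject 2>/dev/null | served_cn
}

# Control: the real site, reached by name via --resolve, must still answer.
check_real_host() {
  rc=0
  curl -sk -o /dev/null --max-time 5 --resolve "$REAL_HOST:443:$1" "https://$REAL_HOST/" || rc=$?
  classify_curl "$rc"
}

run_all() {
  printf 'bogus Host over HTTP : %s\n' "$(check_bogus_host "$1")"
  printf 'bare IP over HTTPS   : %s\n' "$(check_bare_ip_https "$1")"
  printf 'cert CN without SNI  : %s\n' "$(check_served_cn "$1")"
  printf 'real site by name    : %s\n' "$(check_real_host "$1")"
}

# Live checks run only when a target is given, e.g.: ./blackhole-check.sh 203.0.113.10
if [ "$#" -gt 0 ]; then
  run_all "$1"
fi
```

Expected output on a correctly configured server is `dropped`, `dropped`, `_`, `answered`. If the third line shows a real hostname, the `default_server` flag is missing on the 443 listener and Nginx is falling back to the first site block; if the first line shows `answered`, the plain-HTTP listener has no default either.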