How to disable direct https://ipaddress visit?


#1

See title.
How to prohibit visiting the website via https://ipaddress or using http://ip:443?
How to configure in the docker nginx?


(Joshua Rosenfeld) #2

I can’t answer how, but I want to ask why?


#3

The reason is to let all traffic go through the name server. You can only visit from the domain name.


(Matt Palmer) #4

Step 1: get a valid certificate for your IP address.


#5

SSL was installed. https://mydomain.com can be visited, but https://myip can also be visited with a certificate warning. How to prohibit IP visits?


(Rafael dos Santos Silva) #6

Did you try this?


#7

Yes, you got my point. What I mean is how to set this up in the Discourse Docker nginx; does it need a rebuild?


(Rafael dos Santos Silva) #8

Modifying the nginx conf inside the container is done through the app.yml file.

For an example, see here.


(Matt Palmer) #9

That’s why step 1 is:

That won’t work on HTTPS sites, because all the redirection, hostname checking, etc happens after the SSL negotiation is complete.


(Kane York) #10

Wait, they want to NOT let people visit with just the IP.

Which is a little odd - exactly what harm is this doing, @doudou?


#11

Just for prohibition. Can this be done in system settings, like a firewall?


(Matt Palmer) #12

You can’t do what you want to do using a firewall. In order to do what you want to achieve, you must first get a valid, trusted certificate for your server’s IP address. Until you have that, nothing else can be done. Talk to your preferred CA to organise that.


#13

I just want that when people visit the website via https://serverip, they get an internal 500 page or nothing at all and can't go on by clicking to trust the certificate. So I am searching for a solution in nginx or the firewall. Any suggestions?


(Matt Palmer) #14

It can’t be done unless you have a valid, trusted cert for your IP address. This is why I keep telling you to get a valid, trusted certificate for your server’s IP address.


(Eli the Bearded) #15

Nah, I think @doudou here would be happy if, after they clicked past the bad cert warning, then they got the 500 page.

So a 99-year self-signed cert for the IP address would be fine.

One of many how-to guides for that: HowTo: Create a Self-Signed SSL Certificate on Nginx For CentOS / RHEL - nixCraft


#16

This could not be integrated with the domain name and with Discourse using self-signed and public CA.


(Eli the Bearded) #17

With SNI, you can have multiple certificates. During the SSL negotiation the browser tells the server what name it is trying to reach, and the server returns the appropriate cert. The link I provided appeared to have instructions for SNI under nginx. Your regular site could use your regular cert.
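
The layout described in posts #15 and #17, as an added example that is not part of the original thread or of Discourse's own configuration: a catch-all server block holds the self-signed certificate for bare-IP requests, and the named server block keeps the CA-issued certificate. The hostname `forum.example.com` and all file paths are assumptions.

```nginx
# Added example. Hostname and certificate paths are assumed placeholders.

# Catch-all for HTTPS: nginx picks the default_server when the TLS
# ClientHello carries no SNI name (clients send none for https://<ip>)
# or a name that no other server block claims.
server {
    listen 443 ssl default_server;
    server_name _;

    # Long-lived self-signed certificate, as suggested in post #15.
    # The visitor sees a certificate warning; if they click through,
    # the request is dropped by the return below.
    ssl_certificate     /etc/nginx/ssl/ip-selfsigned.crt;   # assumed path
    ssl_certificate_key /etc/nginx/ssl/ip-selfsigned.key;   # assumed path

    # 444 is nginx-specific: close the connection without sending a
    # response. Use "return 500;" instead to show an error page.
    return 444;
}

# The real site: selected by SNI, serves the regular CA-issued certificate.
server {
    listen 443 ssl;
    server_name forum.example.com;                           # assumed hostname

    ssl_certificate     /etc/nginx/ssl/forum.example.com.crt;  # assumed path
    ssl_certificate_key /etc/nginx/ssl/forum.example.com.key;  # assumed path

    # The site's existing location and proxy directives stay unchanged here.
}
```

In the Discourse container these server blocks would have to be applied through app.yml, as post #8 says; the snippet shows only the resulting nginx configuration. Run `nginx -t` to validate the syntax before reloading.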