From fd870b66be8142ec255b78a24ecd7993870347be Mon Sep 17 00:00:00 2001 From: Skyler Grey Date: Wed, 15 Oct 2025 23:21:19 +0000 Subject: [PATCH] feat(pm): block missing nginx host connections Change-Id: lppnnvqpmowyzpslvqtklqswqmypwryw We previously returned One Of The Websites when nginx was accessed from a host that we didn't know about. That included direct IP address access as well as things which have been CNAMEd to us (either through a starred record or due to past services) but which aren't actually hosted by us. This leads to a number of undesireable effects: - User confusion ("why does the aux docs website have Stalwart?") - Incorrect SSL certificates ("your blog seems to have an invalid certificate") - SSL being offered via direct IPs, which isn't possible to sign on the public internet We can block this by making a default server to take control whenever nothing matches, and setting that default server to block all connections and reject all SSL handshakes We need to have a certificate for this, but it needn't actually be valid for anything so let's self sign stuff...
---
 packetmix/systems/common/nginx.nix | 42 ++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 packetmix/systems/common/nginx.nix
diff --git a/packetmix/systems/common/nginx.nix b/packetmix/systems/common/nginx.nix
new file mode 100644
index 00000000..f91803fb
--- /dev/null
+++ b/packetmix/systems/common/nginx.nix
@@ -0,0 +1,42 @@
+# SPDX-FileCopyrightText: 2025 FreshlyBakedCake
+#
+# SPDX-License-Identifier: MIT
+
+{ config, lib, ... }:
+{
+ # By default, nginx will serve a "best-effort" site even if there is no matching vhost
+ # We can disable this by making a matching vhost and returning 444...
+ # Notice how we don't enable nginx here: that makes this safe to deploy even on places that don't currently run nginx. We're effectively changing the default behavior
+ services.nginx.virtualHosts."missinghost.invalid" = {
+ default = true;
+
+ addSSL = true;
+ enableACME = true;
+ acmeRoot = null;
+
+ locations."/".return = "444";
+
+ extraConfig = ''
+ ssl_reject_handshake on;
+ '';
+ };
+
+ systemd.services."acme-missinghost.invalid".enable = false;
+ systemd.timers."acme-missinghost.invalid".enable = false;
+
+ systemd.targets."acme-finished-missinghost.invalid" = {
+ requires = lib.mkForce [ "acme-selfsigned-missinghost.invalid.service" ];
+ after = lib.mkForce [ "acme-selfsigned-missinghost.invalid.service" ];
+ };
+
+ security.acme.acceptTerms = true;
+ security.acme.certs = lib.mkIf config.services.nginx.enable {
+ "missinghost.invalid" = {
+ dnsProvider = null;
+ listenHTTP = null;
+ s3Bucket = null;
+ webroot = "/dev/null";
+ email = "invalid@missinghost.invalid";
+ }; # Nix requires some values, even if we're actually disabling the acme-missinghost.invalid service... that's problematic if there are no defaults for the system
+ };
+}
-- 2.43.0
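Review bot: The certificate plumbing from `addSSL = true;` / `enableACME = true;` down through the disabled acme-missinghost.invalid service and timer, the forced acme-finished target and the dummy security.acme.certs entry exists only because the module demands a certificate for addSSL; the nginx module's own `rejectSSL = true;` option (present in nixpkgs for several releases, worth confirming on the pinned revision) emits the 443 `listen ... ssl` plus `ssl_reject_handshake on;` with no certificate at all, and the module's assertions forbid combining it with addSSL/enableACME, so the whole block collapses to the vhost below. Dropping it also removes `security.acme.acceptTerms = true;`, which is set unconditionally and therefore accepts the CA's terms on every host that imports this file, and the systemd overrides that sit outside the `lib.mkIf config.services.nginx.enable` guard the cert entry uses, which would make the comment's "safe to deploy even on places that don't currently run nginx" claim hold without qualification. Independently of that, `default = true` only marks the listen sockets this vhost itself declares (port 80 and 443 on the module's default addresses) as default_server, so a vhost that sets its own `listen` on another address or port keeps nginx's implicit first-defined-server fallback; a comment saying so, e.g. `# Only covers the default 80/443 listeners; vhosts with a custom listen need their own default`, would stop the next reader from assuming every socket is protected.
```nix
  # By default, nginx will serve a "best-effort" site even if there is no matching vhost
  services.nginx.virtualHosts."missinghost.invalid" = {
    default = true;
    # rejectSSL makes the module emit `listen ... ssl` + `ssl_reject_handshake on;`
    # without requiring a certificate, so no ACME / self-signed plumbing is needed
    rejectSSL = true;
    locations."/".return = "444";
  };
  # … dropped: acme-missinghost.invalid service/timer overrides, the acme-finished target override and security.acme.* …
```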