Closed (eallrich closed this 8 years ago)
Because of the ALLOWED_HOSTS envvar, Django throws an exception (SuspiciousOperation) when a non-configured Host is requested. If SSL is enabled, be sure to also modify the default_server block in nginx to catch invalid hosts requested over SSL and prevent them from reaching Django.
There's an important difference in the HTTPS catch-all server block compared to the HTTP catch-all, though: SSL initiation happens before the hostname is selected, so the default_server needs to provide a certificate [0][1]. Assuming we're okay with using a self-signed certificate to be able to respond with 404s when clients ask for non-served hostnames [2], it's simple enough to create a self-signed cert.
```sh
$ sudo openssl req -x509 -nodes -days 1095 -newkey rsa:2048 -keyout /etc/ssl/selfsign.key -out /etc/ssl/selfsign.crt
```
Then reference the self-signed cert in the default_server block (handling both HTTP and HTTPS) [3].
```nginx
server {
    listen 80;
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate /etc/ssl/selfsign.crt;
    ssl_certificate_key /etc/ssl/selfsign.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    return 404;
}
```
[0] http://serverfault.com/a/578784
[1] http://stackoverflow.com/a/26956381
[2] Since a user will have to click through a certificate warning anyway (they're trying to get to a domain we're not serving: there won't be a valid certificate), a self-signed certificate isn't going to be any more of a hassle.
[3] http://serverfault.com/a/10937
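To make the two layers concrete, here is an added example (not code from the issue or the project) that models how a request for a given Host header is handled: first by nginx's server_name selection, where anything that matches no configured name falls into the `default_server` catch-all and gets the 404, and then by Django's ALLOWED_HOSTS check for whatever nginx does forward. The ALLOWED_HOSTS rules are reimplemented from `django.http.request.validate_host` so the script runs without Django installed; the nginx side is a simplified model (exact names and `*.` leading wildcards only), and the hostnames are constructed sample values. It also shows the case the issue guards against by making nginx and Django agree: a name nginx forwards but ALLOWED_HOSTS rejects still produces a Django error instead of a quiet 404.

```python
"""Model of the nginx catch-all + Django ALLOWED_HOSTS pair (added example)."""


def split_domain_port(host: str):
    """Split 'host[:port]' into (domain, port), lowercased. IPv6 literals keep
    their brackets, matching what Django's split_domain_port returns."""
    host = host.lower()
    if host.startswith("["):  # IPv6 literal such as [::1]:8000
        end = host.find("]")
        if end == -1:
            return "", ""
        domain = host[: end + 1]
        port = host[end + 2:] if host[end + 1 : end + 2] == ":" else ""
        return domain, port
    if ":" in host:
        domain, port = host.rsplit(":", 1)
        return domain, port
    return host, ""


def is_same_domain(host: str, pattern: str) -> bool:
    """Django's is_same_domain: a pattern starting with '.' matches the domain
    itself and every subdomain; any other pattern must match exactly."""
    if not pattern:
        return False
    pattern = pattern.lower()
    return (
        pattern[0] == "." and (host.endswith(pattern) or host == pattern[1:])
    ) or pattern == host


def validate_host(host: str, allowed_hosts) -> bool:
    """Django's validate_host: drop a trailing dot, then accept the host if any
    ALLOWED_HOSTS entry is '*' or matches via is_same_domain."""
    host = host[:-1] if host.endswith(".") else host
    return any(p == "*" or is_same_domain(host, p) for p in allowed_hosts)


def django_accepts(host_header: str, allowed_hosts) -> bool:
    """Would Django serve this Host header, or raise DisallowedHost?"""
    domain, _port = split_domain_port(host_header)
    return bool(domain) and validate_host(domain, allowed_hosts)


def nginx_select_server(host_header: str, server_names) -> str:
    """Simplified nginx selection: an exact server_name wins, then the longest
    matching '*.example.com' wildcard; everything else lands in the
    default_server block (server_name _). Returns the chosen server_name."""
    domain, _port = split_domain_port(host_header)
    names = [n.lower() for n in server_names]
    if domain in names:
        return domain
    wild = [n for n in names if n.startswith("*.") and domain.endswith(n[1:])]
    if wild:
        return max(wild, key=len)
    return "_"


def route_request(host_header: str, server_names, allowed_hosts) -> str:
    """Where a request for this Host header ends up:
    'nginx-404'  caught by the catch-all block, never reaches Django
    'django-400' forwarded by nginx but rejected by ALLOWED_HOSTS
    'django-ok'  forwarded and accepted by Django"""
    if nginx_select_server(host_header, server_names) == "_":
        return "nginx-404"
    return "django-ok" if django_accepts(host_header, allowed_hosts) else "django-400"


# Constructed sample configuration: nginx serves one more name than Django allows.
SERVER_NAMES = ["example.com", "*.example.com", "legacy.example.net"]
ALLOWED_HOSTS = [".example.com"]  # Django: example.com and all subdomains

if __name__ == "__main__":
    for hdr in ["example.com", "www.example.com:443", "legacy.example.net",
                "attacker.invalid", "10.0.0.5"]:
        print(f"{hdr:24} -> {route_request(hdr, SERVER_NAMES, ALLOWED_HOSTS)}")
```

The `legacy.example.net` line is the one to watch for in a real deployment: the fix is either to add the name to ALLOWED_HOSTS or to remove it from nginx, so that every name nginx forwards is one Django will serve and every other name dies in the catch-all block, on port 80 and on 443 alike.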
Once Let's Encrypt reaches GA, integrate getting certificates so that it can happen automatically along with the rest of the setup process.