(Custom) domain with no certificate still serves https about deis HOT 7 CLOSED

Note the app which serves HTTPs is just the first application in the nginx configuration with a certificate; this feels rather arbitrary.

Note that I am personally confused by this nginx behaviour as the server_name clearly states it should not serve that request.

So the easiest solution(it seems) would be to prepend a fallback server entry with a self signed certificate for a nonsense domain (eg localhost) which then serves a hardcoded 404. This will (obviously) still trigger the browser warnings about wrong certificate (and/or self signed certificate) but at least would not confuse users by sending traffic to the wrong application.

from deis.

@nathansamson can you post the nginx.conf inside the router for debugging? I'm fairly certain this is already fixed in v2, and the issue here in v1 is simply due to the hard-to-test templating logic.

from deis.

@bacongobbler I've sent you an email with requested config.

I shared this privately with you because it contains domain names which you can guess our clients of which I prefer not to have in public. Feel free to share internally with your collegues when needed, as I have anonymized the most important data anyway.

Please let me know if you need anything else.

I am happy to test a test router image if needed as well

from deis.

@bacongobbler Did you have any chance to look at this?

If not can you give a hint of how a typical server entry is supposed to loolk (both https and non https enabled); and (if any) global config entries are needed?

from deis.

Sorry, I wasn't able to see anything out of the ordinary. I don't believe this is an issue on v2, just with v1.

from deis.

So the reason this happens is that when a default virtualhost isn't specifically identified (for a given port; in this case 443), the first virtualhost automatically becomes the default.

fwiw, this exact behavior was reported early on for router v2 and was solved using the exact solution suggested here. We explicitly designated a default virtualhost with a self-signed cert. This became a "junk drawer" for responding with a 404 to requests that didn't match some other non-default vhost / application.

I'll leave it up to @bacongobbler and @mboersma whether they think it is worth backporting that improvement to Deis v1.x.

from deis.

Deis v1 LTS support ends February 13, 2017, and v1.13.4 is intended to be the last official release, so I'm closing this.

Please see Deis Workflow, the documentation / hub repository for the next-generation PaaS.

from deis.