首先 if is evil
https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/我想阁下现在遇到的问题是请求任何`非`列出来的这些子域时(例如`curl -I `Host:
example.com` -v http://您的服务端 IP`)仍然会匹配这个 block 导致进入`return 301 https://$host$request_uri`
如果您所有的 nginx.conf 文件中只有这一个 server block 那么文档
http://nginx.org/en/docs/http/request_processing.html 对此早有预言
> If its value does not match any server name, or the request does not contain this header field at all, then nginx will route the request to the default server for this port. In the configuration above, the default server is the first one — which is nginx’s standard default behaviour
要想在 80 和 443 上搭建正确的 default http(s) server 您可以参考
https://serverfault.com/questions/847978/best-practice-to-handle-default-server-and-public-ip-in-nginx一个常见错误是只设置了 port80 的 default server ,导致使用 http 或 https 协议请求 443 (或其他)端口时仍然会绕过 default server (因为 default 是针对单个 listen 端口的)
http://nginx.org/en/docs/http/ngx_http_core_module.html#listen 进一步指出:
> The default_server parameter, if present, will cause the server to become the default server for the specified address:port pair. If none of the directives have the default_server parameter then the first server with the address:port pair will be the default server for this pair.
```nginx
server {
listen 80 fastopen=256 default_server;
listen 443 fastopen=256 ssl default_server;
server_name _ "";
access_log path/to/log/default.access.log;
error_log path/to/log/default.error.log;
ssl_certificate /etc/nginx/snippets/self-signed-ssl.crt; # 使用 openssl 生成的自签名证书
https://stackoverflow.com/questions/10175812/how-to-generate-a-self-signed-ssl-certificate-using-openssl ssl_certificate_key /etc/nginx/snippets/self-signed-ssl.key;
return 444; #
https://nginx.org/en/docs/http/ngx_http_rewrite_module.html#return The non-standard code 444 closes a connection without sending a response header.
https://www.reddit.com/r/Network/comments/e8aveo/nginx_explain_http_444_like_im_five/}