Blocking access over port 80 with nginx 444 results in 520 error

I’m trying to disable my website on port 80. Despite only having listen 443 in my server blocks in nginx, it was still being accessed on port 80, so I added this:

server {
    listen 80 default_server;
    return 444;   # nginx closes the connection without sending any response
}

However now users get a 520 unknown error when accessing the domain with http, while I’d prefer that they get no answer at all.

What is the best recommended way to do this?

On your server side you simply need to make sure nothing is listening on port 80.

On Cloudflare’s side you need to make sure your encryption mode is “Full strict” and “Always use HTTPS” is enabled.

I can’t enable always use https since I have other domains that still use http.

I don’t understand how my website was being accessed over port 80 either…

server {
    listen 443 ssl;
    # ssl_certificate / ssl_certificate_key directives omitted in the post
    server_name subdomain.com;
}

server {
    listen 80;        # the only block listening on 80, so nginx uses it as the
                      # default for every Host name arriving on port 80
    listen 443 ssl;
    server_name subdomain2.com;
}

These are my only 2 other server blocks, and I could still access subdomain.com over http somehow.

That setting is domain specific and does not apply across your entire account.

Your server or the proxies? The proxies will always listen on 80. Your server seems to do so too, just for another domain.

I have other subdomains that need to talk http too.

I listen on port 80 for another subdomain… so it shouldn’t answer anything if you are requesting another domain on port 80.

You mean you have records on that very domain where you still want HTTP? Then you cannot use the global setting but you should set it via a page rule.

Yes…that’s why it’s complicated :frowning:

Then we have the solution above :smile:

Then Cloudflare would still redirect to https, telling the bots that there is a website there…

I don’t know… I’m trying to protect against scans and bots, so isn’t it better to just not answer them?

What do you mean?

Exactly what I was saying. What is unclear about that statement?

You are saying that no matter what I do on my server, if I have Cloudflare CDN, an answer will always be given on port 80?

Exactly, your server configuration is irrelevant. Cloudflare will always use 80 and hence my suggestion with the redirect.

OK.

Other than using iptables to only allow Cloudflare IPs to reach ports 80 and 443, is there anything else I can do server-side to prevent leaking information or talking to other servers?

I am not sure what you mean. If you don’t want port 80 on your server it is better not to configure it in the first place than to prevent connections to an active service.

But this is now already beyond Cloudflare :slight_smile:
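The iptables approach mentioned above is the part that actually stops direct-to-origin scanners from getting any answer: Cloudflare's proxies will always answer on port 80 for a proxied hostname, but the origin itself can refuse everything that does not come from Cloudflare's published ranges. The script below is an added example, not code from this thread or from Cloudflare. The CIDRs in SAMPLE_CIDRS are constructed placeholders, not Cloudflare's real ranges; the real list is published at https://www.cloudflare.com/ips-v4 (and ips-v6), and fetching it with curl is an assumption noted in the comments. The chain name CF_ORIGIN and the --apply flag are the example's own choices. It drops (rather than rejects) non-Cloudflare traffic on 80/443, which gives a scanner the "no answer at all" behaviour the original poster was after, and it prints the rules by default so it can be reviewed before anything is applied.

```shell
#!/bin/sh
# Added example (not from the thread): generate iptables rules so that only
# Cloudflare's proxy ranges can reach the origin on TCP 80/443. Anything else
# is silently dropped, so a direct scan of the origin IP gets no response.
set -eu

# Constructed sample CIDRs (NOT the real Cloudflare ranges). In real use,
# replace with the output of: curl -fsS https://www.cloudflare.com/ips-v4
SAMPLE_CIDRS='203.0.113.0/24
198.51.100.0/24
# comment lines and blank lines are ignored
'

# gen_rules CIDR_LIST -> prints one iptables command per line (dry run).
# A dedicated chain is used so the allow list can be flushed and rebuilt
# when Cloudflare's published ranges change, without touching other rules.
gen_rules() {
    _cidrs=$1
    printf 'iptables -N CF_ORIGIN 2>/dev/null || iptables -F CF_ORIGIN\n'
    printf '%s\n' "$_cidrs" | while IFS= read -r cidr; do
        [ -n "$cidr" ] || continue
        case $cidr in '#'*) continue ;; esac
        # Traffic from a Cloudflare range returns to INPUT and is accepted
        # by whatever rules already exist there.
        printf 'iptables -A CF_ORIGIN -s %s -j RETURN\n' "$cidr"
    done
    # Anything that reaches the end of the chain is not Cloudflare: drop it
    # silently (DROP, not REJECT, so the scanner sees no answer at all).
    printf 'iptables -A CF_ORIGIN -j DROP\n'
    # Hook the chain into INPUT for the two web ports only; -C first so
    # re-running the script does not insert the jump twice.
    for p in 80 443; do
        printf 'iptables -C INPUT -p tcp --dport %s -j CF_ORIGIN 2>/dev/null || iptables -I INPUT -p tcp --dport %s -j CF_ORIGIN\n' "$p" "$p"
    done
}

# count_allow CIDR_LIST -> number of allow (RETURN) rules that would be
# generated; useful as a sanity check that the fetched list was not empty.
count_allow() {
    gen_rules "$1" | grep -c -- '-j RETURN'
}

if [ "${1:-}" = "--apply" ]; then
    # Assumption for real use: run as root on the origin, with the fetched
    # list instead of the sample, e.g.
    #   gen_rules "$(curl -fsS https://www.cloudflare.com/ips-v4)" | sh
    gen_rules "$SAMPLE_CIDRS" | sh
else
    # Default: print the rules for review without changing the firewall.
    gen_rules "$SAMPLE_CIDRS"
fi
```

Run it without arguments to see the rules; only `--apply` pipes them into sh. The same generator works for IPv6 by swapping `iptables` for `ip6tables` and feeding the ips-v6 list. Note that this only controls who can reach the origin directly: with the hostname proxied, Cloudflare still answers port 80 itself, and an nginx `return 444` on the origin is what Cloudflare surfaces as the 520 page, since the origin closed the connection without a response.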
