July 3, 2026 / Linux, Servers, Ubuntu

Create an Nginx Default Catch-All Site on Ubuntu

Tags: linux, nginx, server setup, ssl, ubuntu, web server

When Nginx receives a request for an unknown domain, it may serve the first enabled site if there is no explicit default server. On a server with multiple WordPress sites or web apps, that can expose the wrong site for a domain that is not configured.

A default catch-all site fixes this by handling unmatched HTTP and HTTPS requests before they fall through to a real site.

What the Script Does

The deployment script this article is based on:

  • Creates /etc/nginx/sites-available/000-catch-all.conf.
  • Enables it with a symlink in /etc/nginx/sites-enabled/.
  • Removes Ubuntu's default enabled site if present.
  • Supports a dry run mode.
  • Requires confirmation before making changes.
  • Backs up existing files.
  • Runs nginx -t.
  • Rolls back if validation fails.
  • Reloads Nginx only after validation succeeds.

Why a Catch-All Site Helps

Without a catch-all, a request for an unknown hostname is answered by whichever server block Nginx loads first for that address and port.

That can cause problems such as:

  • A staging site responding to the wrong hostname.
  • A WordPress site appearing for unrelated DNS records.
  • SSL confusion when an unmatched HTTPS request reaches a real site.
  • Extra noise in access logs.

The catch-all gives Nginx a deliberate default.

Create the Catch-All Config

Create the file:

sudo nano /etc/nginx/sites-available/000-catch-all.conf

Add:

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;

    return 444;
}

server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;

    ssl_reject_handshake on;
}

For HTTP, return 444 tells Nginx to close the connection without sending a normal response.

For HTTPS, ssl_reject_handshake on; rejects unmatched TLS handshakes instead of serving a certificate for the wrong site.

Enable the Catch-All Site

Create the symlink:

sudo ln -sfn /etc/nginx/sites-available/000-catch-all.conf /etc/nginx/sites-enabled/000-catch-all.conf

If the default Ubuntu site is still enabled, back it up and remove the enabled symlink:

sudo mkdir -p /opt/server-backups/nginx
timestamp="$(date +%Y%m%d%H%M%S)"

if [ -e /etc/nginx/sites-enabled/default ] || [ -L /etc/nginx/sites-enabled/default ]; then
    sudo cp -a /etc/nginx/sites-enabled/default "/opt/server-backups/nginx/sites-enabled-default.before.${timestamp}.bak"
    sudo rm -f /etc/nginx/sites-enabled/default
fi

Validate and Reload

Test the config:

sudo nginx -t

If validation succeeds, reload Nginx:

sudo systemctl reload nginx

If validation fails, remove the catch-all symlink and restore your backup before reloading.

Safer Script Pattern

For production servers, use a script pattern with explicit flags:

sudo bash ./fix-nginx-catch-all.sh --dry-run
sudo bash ./fix-nginx-catch-all.sh --confirm

A --dry-run mode lets you preview changes. A --confirm flag prevents accidental changes when someone runs the script without reading it.

You can also support a no-reload option:

sudo bash ./fix-nginx-catch-all.sh --confirm --no-reload

That is useful if you want a deployment system to validate now and reload Nginx later.
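
One way to structure such a script, as an added example rather than the author's fix-nginx-catch-all.sh: the NGINX_ETC, BACKUP_DIR, NGINX_TEST and NGINX_RELOAD environment overrides and the function names are assumptions made here so the logic can be rehearsed against a scratch directory. ssl_reject_handshake requires nginx 1.19.4 or later; on an older package nginx -t rejects the directive and the rollback path runs.

```bash
#!/usr/bin/env bash
# Added example: the --dry-run / --confirm / --no-reload pattern, run as root.
# NGINX_ETC, BACKUP_DIR, NGINX_TEST, NGINX_RELOAD are hypothetical overrides for rehearsal.
catch_all_conf() {
cat <<'EOF'
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444;
}
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;
}
EOF
}
# cp -a copies a symlink as a symlink, so the enabled "default" link is kept as-is.
backup()  { if [ -e "$1" ] || [ -L "$1" ]; then cp -a "$1" "$2"; fi; }
restore() { rm -f "$1"; if [ -e "$2" ] || [ -L "$2" ]; then cp -a "$2" "$1"; fi; }
deploy_catch_all() {
    local etc="${NGINX_ETC:-/etc/nginx}" bak="${BACKUP_DIR:-/opt/server-backups/nginx}"
    local dry=0 confirm=0 reload=1 arg b
    for arg in "$@"; do
        case "$arg" in
            --dry-run) dry=1 ;;
            --confirm) confirm=1 ;;
            --no-reload) reload=0 ;;
            *) echo "unknown option: $arg" >&2; return 2 ;;
        esac
    done
    local conf="$etc/sites-available/000-catch-all.conf"
    local link="$etc/sites-enabled/000-catch-all.conf" def="$etc/sites-enabled/default"
    if [ "$dry" -eq 1 ]; then
        echo "would write $conf, link $link, remove $def, then validate"; return 0
    fi
    [ "$confirm" -eq 1 ] || { echo "no changes made: pass --confirm" >&2; return 2; }
    mkdir -p "$bak" && b="$(mktemp -d "$bak/$(date +%Y%m%d%H%M%S).XXXXXX")" || return 1
    backup "$conf" "$b/conf"; backup "$link" "$b/link"; backup "$def" "$b/default"
    if ! { catch_all_conf > "$conf" && ln -sfn "$conf" "$link" && rm -f "$def" \
           && ${NGINX_TEST:-nginx -t}; }; then
        restore "$conf" "$b/conf"; restore "$link" "$b/link"; restore "$def" "$b/default"
        echo "validation failed: previous files restored from $b" >&2; return 1
    fi
    [ "$reload" -eq 0 ] || ${NGINX_RELOAD:-systemctl reload nginx}
}
[ "$#" -eq 0 ] || deploy_catch_all "$@"
```

Setting NGINX_ETC to a copy of /etc/nginx and NGINX_TEST to `false` rehearses the rollback path without touching the live configuration.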

Test the Result

After reloading Nginx, test an unmatched HTTP host:

curl -I -H "Host: unknown.example.com" http://127.0.0.1/

For HTTPS, test with a hostname that should not match a real site:

curl -k -I --resolve unknown.example.com:443:127.0.0.1 https://unknown.example.com/

The exact client output can vary, but the important result is that the request should not serve one of your real websites.

Quick Reference

sudo ln -sfn /etc/nginx/sites-available/000-catch-all.conf /etc/nginx/sites-enabled/000-catch-all.conf
sudo nginx -t
sudo systemctl reload nginx

A default catch-all site is a small Nginx hardening step. It makes unmatched domains fail intentionally instead of drifting into the first configured website.

© 2026 JPPinto.com. All rights reserved.