Paul

Reputation: 1441

nginx configuration server_name is wrong but website is still working?

I only want to allow access to my server from one domain. Let's say my domain is called "mydomain.mydomain.com" (yes, it is a subdomain).

Normally I would write server_name mydomain.mydomain.com everywhere, but I changed it to a non-existing domain and I can still enter the website? Why is my website also working from other domains? I know nginx normally uses the first server block if no server_name is found, but my first server block is my catch-all non-existing domain block. I defined server_name _; and default_server, but still, my website is working.

I have the following configuration:

server {
    #If server_name mydomain.mydomain.com is not found return 444
    listen 80 default_server;
    server_name _;
    return 444;
}

# redirect all traffic to https if the domain is mydomain.mydomain.com (server_name)
server {
    listen 80;
    listen [::]:80;
    #-------------------------------------------
    # I CHANGE HERE TO A NON-EXISTING DOMAIN AND MY WEBSITE IS STILL WORKING?!?!?
    #-------------------------------------------
    server_name nonExistingDomain.com;
    return 301 https://$host$request_uri;
}


server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    root /config/www;
    index index.html index.htm index.php;

    #-------------------------------------------
    # I CHANGE HERE TO A NON-EXISTING DOMAIN AND MY WEBSITE IS STILL WORKING?!?!?
    #-------------------------------------------
    server_name nonExistingDomain.com;

    # enable subfolder method reverse proxy confs
    include /config/nginx/proxy-confs/*.subfolder.conf;

    # all ssl related config moved to ssl.conf
    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    error_page 404 =200 /portal;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options "SAMEORIGIN";

    location = / {
        return 301 https://mydomain.mydomain.com/portal;
        #try_files $uri $uri/ /index.html /index.php?$args =404;
    }

    location /pea {
       proxy_set_header X-Forwarded-Host $host:$server_port;
       proxy_set_header X-Forwarded-Server $host;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       proxy_pass http://localhost:8080/pea;

       # do not pass the CORS header from the response of the proxied server to the
       # client
       #proxy_hide_header 'Access-Control-Allow-Origin';
    }

    location /portal {
       proxy_set_header X-Forwarded-Host $host:$server_port;
       proxy_set_header X-Forwarded-Server $host;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       proxy_pass http://localhost:8180/portal;
    }

    location /auth {
        proxy_set_header    Host               $host;
        proxy_set_header    X-Real-IP          $remote_addr;
        proxy_set_header    X-Forwarded-For    $proxy_add_x_forwarded_for;
        proxy_set_header    X-Forwarded-Host   $host;
        proxy_set_header    X-Forwarded-Server $host;
        proxy_set_header    X-Forwarded-Port   $server_port;
        proxy_set_header    X-Forwarded-Proto  $scheme;
        proxy_pass          http://localhost:8280/auth;
    }
}

Upvotes: 0

Views: 2921

Answers (1)

Danila Vershinin

Reputation: 9835

You are listening to the IPv6 network socket in the server blocks where you change the domain to a non-existent one. Since there are no other such server blocks, they are the default for those IPv6 ports.

Note that your first server block is the default only for the IPv4 network socket: listen 80 default_server;

Thus the behavior can be explained only by the fact that you are connecting/testing over IPv6.

To avoid inconsistency, use default_server for all your listen options. E.g. in the first server block add default server for IPv6 too:

server {
    #If server_name mydomain.mydomain.com is not found return 444
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444;
}

Upvotes: 2
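
The rule in the answer above, as an added example that is not part of the original post or of nginx: a Python check that reports, for each listen socket, which server block nginx treats as the default (the first block on that socket unless one carries default_server). The sample config is constructed to mirror the question's listen/server_name layout, and the function names are hypothetical.

```python
import re

# Constructed sample mirroring the question's listen/server_name layout.
SAMPLE = """
server {
    listen 80 default_server;
    server_name _;
    return 444;
}
server {
    listen 80;
    listen [::]:80;
    server_name nonExistingDomain.com;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name nonExistingDomain.com;
    location /portal { proxy_pass http://localhost:8180/portal; }
}
"""

def server_blocks(conf):
    """Yield the body of each server { ... } block (hypothetical helper)."""
    conf = re.sub(r"#.*", "", conf)  # drop comments
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):  # walk to the matching closing brace
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def default_servers(conf):
    """Map each listen socket to (server_name, 'explicit' or 'implicit').

    The first block seen on a socket is its default unless a block on that
    socket is marked default_server.
    """
    result = {}
    for body in server_blocks(conf):
        m = re.search(r"\bserver_name\s+([^;]+);", body)
        name = m.group(1).split()[0] if m else ""
        for listen in re.findall(r"\blisten\s+([^;]+);", body):
            addr, *flags = listen.split()
            sock = addr if ":" in addr else "*:" + addr  # bare port = IPv4 wildcard
            explicit = "default_server" in flags
            if explicit or sock not in result:
                result[sock] = (name, "explicit" if explicit else "implicit")
    return result

if __name__ == "__main__":
    for sock, (name, how) in default_servers(SAMPLE).items():
        print(f"{sock:10} default -> {name} ({how})")
```

Any socket reported as implicit with a real site's server_name answers requests for every Host header arriving on that socket. In this sample that applies to [::]:80 and to both 443 sockets.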
