
Nginx accepts all HTTPS domains #409

@louisabraham

Problem

Piku's nginx.default.dist only defines default_server for HTTP (port 80), not HTTPS (port 443). This means the first Piku app with SSL becomes the implicit default for all HTTPS traffic, accepting requests for any domain pointing to the server.

Example:

  • Configured: a.example.com → App A
  • Unconfigured: random-domain.example.com → Also served by App A

This is a security issue as apps unintentionally respond to arbitrary domains.

Proposed Fix

1. Update nginx.default.dist:

# Catch-all for plain HTTP (unchanged from the current nginx.default.dist)
server {
	listen 80 default_server;
	listen [::]:80 default_server;
	root /var/www/html;
	index index.html index.htm;
	server_name _;
	location / {
		try_files $uri $uri/ =404;
	}
}

# Reject unmatched HTTPS domains
server {
	# On nginx >= 1.25.1 the http2 listen parameter is deprecated; use `http2 on;` instead
	listen 443 ssl http2 default_server;
	listen [::]:443 ssl http2 default_server;
	
	# Self-signed placeholder cert, generated at install time (see step 2)
	ssl_certificate /etc/piku/ssl/default.crt;
	ssl_certificate_key /etc/piku/ssl/default.key;
	
	server_name _;
	# 444 closes the connection without sending a response
	return 444;
}

include /home/piku/.piku/nginx/*.conf;

2. Generate default cert during Piku installation (in setup script):

mkdir -p /etc/piku/ssl
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
  -keyout /etc/piku/ssl/default.key \
  -out /etc/piku/ssl/default.crt \
  -subj '/CN=_'
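To verify the behaviour described in this issue without standing up a server, the following added script (not part of Piku or of this issue) applies nginx's own selection rule to config text: for a given port, the block flagged `default_server` wins, otherwise the first block in include order that listens on that port. It runs the check against two constructed configs, one mirroring the current layout (default_server on 80 only, plus one app with SSL) and one with the proposed 443 catch-all. The app block's certificate paths are placeholders, not Piku's real paths.

```python
"""Which nginx server block catches HTTPS requests whose SNI/Host matches no server_name?

Added example, not Piku code. Implements nginx's catch-all rule: the block marked
default_server for the port, otherwise the first block (in config/include order)
that listens on that port.
"""
import re
from typing import Dict, List


def split_server_blocks(config: str) -> List[str]:
    """Return the body of every top-level `server { ... }` block, comments removed."""
    config = re.sub(r"#[^\n]*", "", config)
    bodies: List[str] = []
    pos = 0
    while True:
        m = re.search(r"\bserver\s*\{", config[pos:])
        if not m:
            return bodies
        start = pos + m.end()
        depth, j = 1, start
        while j < len(config) and depth:           # find the matching closing brace
            depth += {"{": 1, "}": -1}.get(config[j], 0)
            j += 1
        bodies.append(config[start:j - 1])
        pos = j


def strip_nested(body: str) -> str:
    """Drop nested blocks (location {...}) so only the server's own directives remain."""
    out, depth = [], 0
    for ch in body:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        elif depth == 0:
            out.append(ch)
    return "".join(out)


def listen_port(tokens: List[str]) -> int:
    """Port of a `listen` directive ('443', '[::]:443 ssl', ...); bare addresses default to 80."""
    addr = tokens[0]
    if addr.isdigit():
        return int(addr)
    _host, sep, port = addr.rpartition(":")
    return int(port) if sep and port.isdigit() else 80


def parse_servers(config: str) -> List[Dict[str, object]]:
    """Extract listen/server_name/return from each server block, in config order."""
    servers = []
    for body in split_server_blocks(config):
        top = strip_nested(body)
        listens = re.findall(r"^\s*listen\s+([^;]+);", top, re.M)
        names = re.findall(r"^\s*server_name\s+([^;]+);", top, re.M)
        returns = re.findall(r"^\s*return\s+([^;]+);", top, re.M)
        servers.append({
            "listen": [l.split() for l in listens],
            "server_name": " ".join(names).split(),
            "return": returns[0].split()[0] if returns else None,
        })
    return servers


def audit_https_catchall(config: str, port: int = 443) -> Dict[str, object]:
    """Report the block nginx would use for unmatched names on `port`.

    mode: 'none' (nothing listens), 'explicit' (a default_server block), or
    'implicit' (no default_server, so the first listener silently becomes one).
    """
    on_port = [s for s in parse_servers(config)
               if any(listen_port(l) == port for l in s["listen"])]
    if not on_port:
        return {"mode": "none", "server_name": [], "return": None}
    for s in on_port:
        if any("default_server" in l and listen_port(l) == port for l in s["listen"]):
            return {"mode": "explicit", "server_name": s["server_name"], "return": s["return"]}
    first = on_port[0]
    return {"mode": "implicit", "server_name": first["server_name"], "return": first["return"]}


# Constructed sample: what nginx would see after `include /home/piku/.piku/nginx/*.conf`
# for one app with SSL. Certificate paths are placeholders, not Piku's real layout.
APP_CONF = """
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name a.example.com;
    ssl_certificate /path/to/a.example.com.crt;
    ssl_certificate_key /path/to/a.example.com.key;
    location / { proxy_pass http://127.0.0.1:5000; }
}
"""
HTTP_DEFAULT = """
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    location / { try_files $uri $uri/ =404; }
}
"""
HTTPS_REJECT = """
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    ssl_certificate /etc/piku/ssl/default.crt;
    ssl_certificate_key /etc/piku/ssl/default.key;
    server_name _;
    return 444;
}
"""
BEFORE = HTTP_DEFAULT + APP_CONF                 # current nginx.default.dist behaviour
AFTER = HTTP_DEFAULT + HTTPS_REJECT + APP_CONF   # with the proposed fix

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_https_catchall(cfg))
```

Running it reports `implicit` with `a.example.com` for the current layout, confirming that App A answers for any HTTPS name, and `explicit` with `return 444` once the catch-all block is present. Pointing the script at the real `/etc/nginx/sites-enabled/default` plus the files in `/home/piku/.piku/nginx/` (concatenated in glob order) gives the same answer for a live host.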
