diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index f077ce07..046dce9f 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -97,8 +97,15 @@ http {
     }
 
     server {
-        listen 80 backlog=4096;
-        listen [::]:80 backlog=4096;
+        listen 80 default_server backlog=4096;
+        listen [::]:80 default_server backlog=4096;
+        keepalive_timeout 0;
+        return 404;
+    }
+
+    server {
+        listen 80;
+        listen [::]:80;
         server_name grapheneos.org mta-sts.grapheneos.org www.grapheneos.org grapheneos.app mta-sts.grapheneos.app www.grapheneos.app grapheneos.ca mta-sts.grapheneos.ca www.grapheneos.ca grapheneos.com mta-sts.grapheneos.com www.grapheneos.com grapheneos.dev mta-sts.grapheneos.dev www.grapheneos.dev grapheneos.info mta-sts.grapheneos.info www.grapheneos.info grapheneos.net mta-sts.grapheneos.net www.grapheneos.net grapheneos.ovh mta-sts.grapheneos.ovh www.grapheneos.ovh grapheneos.page  mta-sts.grapheneos.page www.grapheneos.page vanadium.app mta-sts.vanadium.app www.vanadium.app mta-sts.mail.grapheneos.org;
 
         root /var/empty;
@@ -129,8 +136,14 @@ http {
     }
 
     server {
-        listen 443 ssl http2 backlog=4096;
-        listen [::]:443 ssl http2 backlog=4096;
+        listen 443 default_server ssl backlog=4096;
+        listen [::]:443 default_server ssl backlog=4096;
+        ssl_reject_handshake on;
+    }
+
+    server {
+        listen 443 ssl http2;
+        listen [::]:443 ssl http2;
         server_name www.grapheneos.org grapheneos.app www.grapheneos.app grapheneos.ca www.grapheneos.ca grapheneos.com www.grapheneos.com grapheneos.dev www.grapheneos.dev grapheneos.info www.grapheneos.info grapheneos.net www.grapheneos.net grapheneos.ovh www.grapheneos.ovh grapheneos.page www.grapheneos.page;
 
         root /var/empty;