diff --git a/setup/start/nginx/appconfig.ejs b/setup/start/nginx/appconfig.ejs
index 81ce74832..85d4c787a 100644
--- a/setup/start/nginx/appconfig.ejs
+++ b/setup/start/nginx/appconfig.ejs
@@ -4,6 +4,41 @@ map $http_upgrade $connection_upgrade {
     '' close;
 }
 
+# http server
+server {
+    listen       80;
+<% if (hasIPv6) { -%>
+    listen       [::]:80;
+<% } -%>
+
+<% if (vhost) { -%>
+    server_name  <%= vhost %>;
+<% } else { -%>
+    # IP based access. TODO: match the IPv6 address
+    server_name  "~^\d+\.\d+\.\d+\.\d+$";
+
+    # collectd
+    location /nginx_status {
+        stub_status on;
+        access_log off;
+        allow 127.0.0.1;
+        deny all;
+    }
+
+    # acme challenges
+    location /.well-known/acme-challenge/ {
+        default_type text/plain;
+        alias /home/yellowtent/platformdata/acme/;
+    }
+<% } -%>
+
+    location / {
+        # redirect everything to HTTPS
+        return 301 https://$host$request_uri;
+    }
+}
+
+# https server
 server {
 <% if (vhost) { -%>
     server_name  <%= vhost %>;
diff --git a/setup/start/nginx/nginx.conf b/setup/start/nginx/nginx.conf
index 9d2a12a26..4511e5318 100644
--- a/setup/start/nginx/nginx.conf
+++ b/setup/start/nginx/nginx.conf
@@ -36,28 +36,15 @@ http {
     # zones for rate limiting
     limit_req_zone $binary_remote_addr zone=admin_login:10m rate=10r/s; # 10 request a second
 
-    # HTTP server
+
+    # default http server that returns 404 for any domain we are not listening on
     server {
-        listen      80;
-        listen      [::]:80;
-
-        # collectd
-        location /nginx_status {
-            stub_status on;
-            access_log off;
-            allow 127.0.0.1;
-            deny all;
-        }
-
-        # acme challenges
-        location /.well-known/acme-challenge/ {
-            default_type text/plain;
-            alias /home/yellowtent/platformdata/acme/;
-        }
+        listen      80 default_server;
+        listen      [::]:80 default_server;
+        server_name does_not_match_anything;
 
         location / {
-            # redirect everything to HTTPS
-            return 301 https://$host$request_uri;
+            return 404;
         }
     }
 
diff --git a/src/infra_version.js b/src/infra_version.js
index bb62805bf..36c321cd9 100644
--- a/src/infra_version.js
+++ b/src/infra_version.js
@@ -7,7 +7,7 @@
 exports = module.exports = {
     // a major version makes all apps restore from backup. #451 must be fixed before we do this.
     // a minor version makes all apps re-configure themselves
-    'version': '48.6.0',
+    'version': '48.7.0',
 
     'baseImages': [ 'cloudron/base:0.10.0' ],