diff --git a/confs/global/multisite-disable-default-server-https.conf b/confs/global/multisite-disable-default-server-https.conf
new file mode 100644
index 0000000..579d8c2
--- /dev/null
+++ b/confs/global/multisite-disable-default-server-https.conf
@@ -0,0 +1,10 @@
+listen 0.0.0.0:%HTTPS_PORT% default_server ssl %HTTP2%;
+ssl_certificate /etc/nginx/default-cert.pem;
+ssl_certificate_key /etc/nginx/default-key.pem;
+ssl_protocols %HTTPS_PROTOCOLS%;
+ssl_prefer_server_ciphers off;
+ssl_session_tickets off;
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m;
+%SSL_DHPARAM%
+%SSL_CIPHERS%
diff --git a/confs/global/multisite-disable-default-server.conf b/confs/global/multisite-disable-default-server.conf
new file mode 100644
index 0000000..1cf8c08
--- /dev/null
+++ b/confs/global/multisite-disable-default-server.conf
@@ -0,0 +1,6 @@
+server {
+ %LISTEN_HTTP%
+ %USE_HTTPS%
+ server_name _;
+ return 444;
+}
diff --git a/confs/global/nginx.conf b/confs/global/nginx.conf
index 6033f82..7137413 100644
--- a/confs/global/nginx.conf
+++ b/confs/global/nginx.conf
@@ -100,6 +100,9 @@ http {
 # custom http confs
 include /http-confs/*.conf;
+ # disable default server when MULTISITE=yes
+ %MULTISITE_DISABLE_DEFAULT_SERVER%
+
 # server config(s)
 %INCLUDE_SERVER%
 }
diff --git a/entrypoint/global-config.sh b/entrypoint/global-config.sh
index 7eb3106..3696bdb 100644
--- a/entrypoint/global-config.sh
+++ b/entrypoint/global-config.sh
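Review bot: `listen 0.0.0.0:%HTTPS_PORT% default_server ssl %HTTP2%;` makes this catch-all the default server for the IPv4 socket only; if the generated site servers also bind `[::]`, a request arriving over IPv6 with an unknown Host header would still be answered by the first site server instead of by the `return 444` server, so the "disable default server" behaviour would be only partial. The same applies to the HTTP line `listen 0.0.0.0:${HTTP_PORT} default_server;` that the global-config.sh hunk writes into multisite-disable-default-server.conf. Whether the site servers bind IPv6 is not visible in this diff; if they do, a parallel `listen [::]:%HTTPS_PORT% default_server ssl %HTTP2%;` (and its HTTP counterpart) keeps the catch-all effective on both address families.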
@@ -206,6 +206,34 @@ fi
 list=$(spaces_to_lua "$DNSBL_LIST")
 replace_in_file "/usr/local/lib/lua/dnsbl.lua" "%DNSBL_LIST%" "$list"
+# disable default site
+if [ "$DISABLE_DEFAULT_SERVER" = "yes" ] && [ "$MULTISITE" = "yes" ] ; then
+ replace_in_file "/etc/nginx/nginx.conf" "%MULTISITE_DISABLE_DEFAULT_SERVER%" "include /etc/nginx/multisite-disable-default-server.conf;"
+ replace_in_file "/etc/nginx/multisite-disable-default-server.conf" "%LISTEN_HTTP%" "listen 0.0.0.0:${HTTP_PORT} default_server;"
+ if [ "$(has_value AUTO_LETS_ENCRYPT yes)" != "" ] || [ "$(has_value USE_CUSTOM_HTTPS yes)" != "" ] || [ "$(has_value GENERATE_SELF_SIGNED_SSL yes)" != "" ] ; then
+ replace_in_file "/etc/nginx/multisite-disable-default-server.conf" "%USE_HTTPS%" "include /etc/nginx/multisite-disable-default-server-https.conf;"
+ replace_in_file "/etc/nginx/multisite-disable-default-server-https.conf" "%HTTPS_PORT%" "$HTTPS_PORT"
+ if [ "$(has_value HTTP2 yes)" != "" ] ; then
+ replace_in_file "/etc/nginx/multisite-disable-default-server-https.conf" "%HTTP2%" "http2"
+ else
+ replace_in_file "/etc/nginx/multisite-disable-default-server-https.conf" "%HTTP2%" ""
+ fi
+ replace_in_file "/etc/nginx/multisite-disable-default-server-https.conf" "%HTTPS_PROTOCOLS%" "$HTTPS_PROTOCOLS"
+ if [ "$(echo $HTTPS_PROTOCOLS | grep TLSv1.2)" != "" ] ; then
+ replace_in_file "/etc/nginx/multisite-disable-default-server-https.conf" "%SSL_DHPARAM%" "ssl_dhparam /etc/nginx/dhparam;"
+ replace_in_file "/etc/nginx/multisite-disable-default-server-https.conf" "%SSL_CIPHERS%" "ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;"
+ else
+ replace_in_file "/etc/nginx/multisite-disable-default-server-https.conf" "%SSL_DHPARAM%" ""
+ replace_in_file "/etc/nginx/multisite-disable-default-server-https.conf" "%SSL_CIPHERS%" ""
+ fi
+ 
openssl req -nodes -x509 -newkey rsa:4096 -keyout /etc/nginx/default-key.pem -out /etc/nginx/default-cert.pem -days $SELF_SIGNED_SSL_EXPIRY -subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN"
+ else
+ replace_in_file "/etc/nginx/multisite-disable-default-server.conf" "%USE_HTTPS%" ""
+ fi
+else
+ replace_in_file "/etc/nginx/nginx.conf" "%MULTISITE_DISABLE_DEFAULT_SERVER%" ""
+fi
+
 # fail2ban setup
 if [ "$(has_value USE_FAIL2BAN yes)" != "" ] ; then
 echo "" > /etc/nginx/fail2ban-ip.conf
diff --git a/entrypoint/site-config.sh b/entrypoint/site-config.sh
index 855ce2b..8bddcba 100644
--- a/entrypoint/site-config.sh
+++ b/entrypoint/site-config.sh
@@ -235,14 +235,10 @@ else
 fi
 # disable default server
-if [ "$DISABLE_DEFAULT_SERVER" = "yes" ] ; then
+if [ "$DISABLE_DEFAULT_SERVER" = "yes" ] && [ "$MULTISITE" != "yes" ] ; then
 replace_in_file "${NGINX_PREFIX}server.conf" "%DISABLE_DEFAULT_SERVER%" "include ${NGINX_PREFIX}disable-default-server.conf;"
- if [ "$MULTISITE" == "yes" ] ; then
- replace_in_file "${NGINX_PREFIX}disable-default-server.conf" "%SERVER_NAME%" "$1"
- else
- SERVER_NAME_PIPE=$(echo $SERVER_NAME | sed "s/ /|/g")
- replace_in_file "${NGINX_PREFIX}disable-default-server.conf" "%SERVER_NAME%" "$SERVER_NAME_PIPE"
- fi
+ SERVER_NAME_PIPE=$(echo $SERVER_NAME | sed "s/ /|/g")
+ replace_in_file "${NGINX_PREFIX}disable-default-server.conf" "%SERVER_NAME%" "$SERVER_NAME_PIPE"
 else
 replace_in_file "${NGINX_PREFIX}server.conf" "%DISABLE_DEFAULT_SERVER%" ""
 fi
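Review bot: The `openssl req ... -keyout /etc/nginx/default-key.pem -out /etc/nginx/default-cert.pem` line that generates the catch-all server's throwaway certificate passes `$SELF_SIGNED_SSL_EXPIRY` unquoted and never checks the command's exit status, so a failed generation is only noticed later when nginx refuses to load a missing default certificate; appending `|| exit 1` and quoting `"$SELF_SIGNED_SSL_EXPIRY"` fails the entrypoint at the point of the error instead. The TLSv1.2 detection `if [ "$(echo $HTTPS_PROTOCOLS | grep TLSv1.2)" != "" ]` word-splits an unquoted variable and uses an unanchored pattern in which `.` matches any character; `case "$HTTPS_PROTOCOLS" in *TLSv1.2*) ... ;; esac` performs the same check without a pipeline and stays POSIX. Note also that when that check does not match, `%SSL_CIPHERS%` is blanked and the catch-all server falls back to nginx's built-in cipher list, which is presumably intended for TLSv1.3-only deployments but also applies if only older protocols were configured.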
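Review bot: The rewritten block keeps `SERVER_NAME_PIPE=$(echo $SERVER_NAME | sed "s/ /|/g")` with `$SERVER_NAME` unquoted, so the value is word-split and glob-expanded before echo sees it — a wildcard server name containing `*` could be expanded against the current directory. `SERVER_NAME_PIPE=$(printf '%s\n' "$SERVER_NAME" | tr -s ' ' '|')` produces the same pipe-joined list from the literal value and still collapses repeated spaces the way the unquoted echo did. The result is substituted into disable-default-server.conf, whose contents are not part of this diff, so how `%SERVER_NAME%` is consumed there (regex versus literal match) should be confirmed before relying on the joined form.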