Filtering out long (invalid) hostnames

Ondrej Jombik jombik at
Sat Nov 9 20:44:52 UTC 2013

Recently we have seen some kind of hacker attempt on our hosting
servers, passing very long hostnames in the HTTP Host: header. That
means length(hostname) was higher than 2000, for few requests even more
than 10000.

This was processed well by nginx, passed further to our upstreams, what
caused only little trouble there: logs were filled with a lot of

After bit of investigation, I have found that according to RFC, the
longest domain name should not be more than 253 characters. Also,
splitting domain into labels (labels are strings between dots), each
label should not exceed 63 characters.

For more info:
(search for "Domain name syntax" part)

That raises question how nginx handles this kind of long hostnames, and
why it still pasess those invalid hostnames to backends (upstreams).

However it still passes it, and we want to filter that out. Because the
performance matters us much, we want to do that the best possible way.

CASE #1:

     if ($host ~* "^.{254,}$") {
         return 403;

CASE #2: (this is probably more efficient)

     server {
         server_name     "~^.{254,}$";
         listen 80;
         return 403;

Case #2 is probably more efficient, but in both cases are regular
expressions used. Would it matter if we put that server {} block at the
end of our server list?

Also would it make any sense to check for a dot (\.) in a server_name or
$host, and when not dot is present, return 403 as well?

Thanks for sharing your thoughts


Platon Technologies s.r.o., Hlavna 3, Sala SK-92701
+421 903 PLATON - info at -

My current location: Phoenix, Arizona
My current timezone: -0700 UTC (MST)
(updated automatically)

More information about the nginx mailing list