<div dir="ltr"><div dir="ltr"></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Feb 28, 2020 at 1:21 AM Reinis Rozitis <<a href="mailto:r@roze.lv">r@roze.lv</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">> Is there a way to prevent Arbitrary HTTP Host header in Nginx? Penetration test has reported accepting arbitrary host headers. Thanks in Advance and I look forward to hearing from you.<br>
<br>
You can always define a "catch all" server block with:<br>
<br>
server {<br>
    listen       80  default_server;<br>
    server_name  _;<br>
    return       444;<br>
}<br>
<br>
(444 is connection close without response)<br>
<br>
And then just add valid host names to the other server blocks.<br>
<br>
rr<br>
<br>
_______________________________________________<br>
nginx mailing list<br>
<a href="mailto:nginx@nginx.org" target="_blank">nginx@nginx.org</a><br>
<a href="http://mailman.nginx.org/mailman/listinfo/nginx" rel="noreferrer" target="_blank">http://mailman.nginx.org/mailman/listinfo/nginx</a></blockquote><div><br></div><div>Hi Reinis,</div><div><br></div><div>I have added the below server block in /etc/nginx/nginx.conf (<a href="https://paste.centos.org/view/raw/d5e90b98">https://paste.centos.org/view/raw/d5e90b98</a>)</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">server {<br>    listen       80;<br>    server_name  _;<br>    return       444;<br>}</blockquote><div><br></div><div>When I try to run the curl calls below, I am still receiving a 200 OK response.</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">#<b>curl --verbose --header 'Host: <a href="http://www.example.com">www.example.com</a>' <a href="https://developer-nonprod.example.com">https://developer-nonprod.example.com</a></b><br>> GET / HTTP/1.1<br>> Host: <a href="http://www.example.com">www.example.com</a><br>> User-Agent: curl/7.64.1<br>> Accept: */*<br>><br>< HTTP/1.1 200 OK<br>< Server: nginx<br>< Content-Type: text/html; charset=UTF-8<br>< Transfer-Encoding: chunked<br>< Connection: keep-alive<br>< X-Powered-By: PHP/7.2.27<br>< Cache-Control: must-revalidate, no-cache, private<br>< Date: Fri, 28 Feb 2020 07:02:00 GMT<br>< X-Drupal-Dynamic-Cache: MISS<br>< X-UA-Compatible: IE=edge<br>< Content-language: en<br>< X-Content-Type-Options: nosniff<br>< X-Frame-Options: SAMEORIGIN<br>< Expires: Sun, 19 Nov 1978 05:00:00 GMT<br>< Vary:<br>< X-Generator: Drupal 8 (<a href="https://www.drupal.org">https://www.drupal.org</a>)<br>< X-Drupal-Cache: MISS<br><</blockquote><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">#<b>curl --verbose --header 'Host: <a 
href="http://www.evil.com">www.evil.com</a>' <a href="https://developer-nonprod.example.com">https://developer-nonprod.example.com</a></b> <br>> GET / HTTP/1.1<br>> Host: <a href="http://www.evil.com">www.evil.com</a><br>> User-Agent: curl/7.64.1<br>> Accept: */*<br>><br>< HTTP/1.1 200 OK<br>< Server: nginx<br>< Content-Type: text/html; charset=UTF-8<br>< Transfer-Encoding: chunked<br>< Connection: keep-alive<br>< X-Powered-By: PHP/7.2.27<br>< Cache-Control: must-revalidate, no-cache, private<br>< Date: Fri, 28 Feb 2020 06:59:41 GMT<br>< X-Drupal-Dynamic-Cache: MISS<br>< X-UA-Compatible: IE=edge<br>< Content-language: en<br>< X-Content-Type-Options: nosniff<br>< X-Frame-Options: SAMEORIGIN<br>< Expires: Sun, 19 Nov 1978 05:00:00 GMT<br>< Vary:<br>< X-Generator: Drupal 8 (<a href="https://www.drupal.org">https://www.drupal.org</a>)<br>< X-Drupal-Cache: MISS<br><</blockquote><div><br></div><div>Any help will be highly appreciated. Thanks in Advance.</div><div><br></div><div>Best Regards,</div><div><br></div><div>Kaushal</div></div></div>
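Added example (not Reinis's or Kaushal's configuration): a catch-all that covers the two gaps visible in the thread. The block Kaushal posted has no `default_server` flag, so nginx still treats the first server block defined for that port as the default, and it only listens on port 80 while both curl tests go to https (443), where it never applies. Certificate paths and the document root are placeholders.

```nginx
# Catch-all for requests whose Host header matches no server_name.
# It must be marked default_server on EVERY address:port the site
# listens on; without the flag nginx uses the first server block
# declared for that port as the default, and a port-80-only catch-all
# never sees requests that arrive over TLS on 443.
server {
    listen       80  default_server;
    listen       443 ssl default_server;
    server_name  _;

    # A TLS default server must complete the handshake before it can
    # return 444, so it needs a certificate. Placeholder paths; any
    # self-signed cert is sufficient here.
    ssl_certificate      /etc/nginx/ssl/catchall.crt;
    ssl_certificate_key  /etc/nginx/ssl/catchall.key;
    # On nginx 1.19.4 or newer the two lines above can be replaced by
    #   ssl_reject_handshake on;
    # which aborts the TLS handshake for unknown SNI names instead.

    return 444;  # close the connection without sending any response
}

# The real site: only requests whose Host header matches this name
# reach the application behind nginx.
server {
    listen       443 ssl;
    server_name  developer-nonprod.example.com;

    ssl_certificate      /etc/nginx/ssl/developer-nonprod.crt;
    ssl_certificate_key  /etc/nginx/ssl/developer-nonprod.key;

    root /var/www/drupal;  # placeholder; the site's PHP/Drupal config goes here
}
```

To verify, repeat the thread's test with an unknown Host header: nginx now closes the connection and curl reports "(52) Empty reply from server" instead of 200 OK. Reload with `nginx -t && nginx -s reload` after editing.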