Prevent Arbitrary HTTP Host header in nginx

Kaushal Shriyan kaushalshriyan at gmail.com
Fri Feb 28 07:23:25 UTC 2020


On Fri, Feb 28, 2020 at 1:21 AM Reinis Rozitis <r at roze.lv> wrote:

> > Is there a way to prevent Arbitrary HTTP Host header in Nginx?
> > A penetration test has reported that it accepts arbitrary Host headers. Thanks in
> > advance, and I look forward to hearing from you.
>
> You can always define "catch all" server block with:
>
> server {
>     listen       80  default_server;
>     server_name  _;
>     return       444;
> }
>
> (444 is connection close without response)
>
> And then just add valid host names to the other server blocks.
>
> rr
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx


Hi Reinis,

I have added the below server block in /etc/nginx/nginx.conf
(https://paste.centos.org/view/raw/d5e90b98)

server {
    listen       80;
    server_name  _;
    return       444;
}


When I try to run the below curl call, I am still receiving a 200 OK response.

# curl --verbose --header 'Host: www.example.com' https://developer-nonprod.example.com
> GET / HTTP/1.1
> Host: www.example.com
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< X-Powered-By: PHP/7.2.27
< Cache-Control: must-revalidate, no-cache, private
< Date: Fri, 28 Feb 2020 07:02:00 GMT
< X-Drupal-Dynamic-Cache: MISS
< X-UA-Compatible: IE=edge
< Content-language: en
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< Expires: Sun, 19 Nov 1978 05:00:00 GMT
< Vary:
< X-Generator: Drupal 8 (https://www.drupal.org)
< X-Drupal-Cache: MISS
<


# curl --verbose --header 'Host: www.evil.com' https://developer-nonprod.example.com
> GET / HTTP/1.1
> Host: www.evil.com
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< X-Powered-By: PHP/7.2.27
< Cache-Control: must-revalidate, no-cache, private
< Date: Fri, 28 Feb 2020 06:59:41 GMT
< X-Drupal-Dynamic-Cache: MISS
< X-UA-Compatible: IE=edge
< Content-language: en
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< Expires: Sun, 19 Nov 1978 05:00:00 GMT
< Vary:
< X-Generator: Drupal 8 (https://www.drupal.org)
< X-Drupal-Cache: MISS
<

Any help will be highly appreciated. Thanks in advance.

Best Regards,

Kaushal
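An added worked example, not from either poster and not the configuration behind the paste above. Two details of the posted block matter here: it listens only on port 80 and carries no `default_server`, while both curl requests in the message go to https:// (port 443). nginx picks a default server separately for every ip:port it listens on, and a request whose Host header matches no `server_name` on that port is handed to that port's default server (the one marked `default_server`, or else the first block for that port in the loaded config). A catch-all therefore only drops unknown hosts on the ports where it actually is the default. The layout below assumes the single host from the thread, developer-nonprod.example.com; the certificate paths, document root and file layout are assumptions.

```nginx
# Assumed layout for the thread's host (added example, not the poster's config).
# nginx selects a default server per ip:port. A request whose Host matches no
# server_name on that port is routed to that port's default server, so the
# catch-all must be default_server on every port the real site listens on.

# Catch-all for plain HTTP: any Host that matches no other server on :80.
server {
    listen       80 default_server;
    server_name  _;               # placeholder name that never matches
    return       444;             # close the connection without a response
}

# Catch-all for HTTPS. An ssl server needs a certificate to complete the
# handshake; a self-signed placeholder is enough here (paths are assumed).
server {
    listen       443 ssl default_server;
    server_name  _;
    ssl_certificate     /etc/nginx/ssl/catchall.crt;    # assumed placeholder
    ssl_certificate_key /etc/nginx/ssl/catchall.key;    # assumed placeholder
    # On nginx 1.19.4 or newer the two lines above can be replaced by
    #   ssl_reject_handshake on;
    # which aborts the TLS handshake for SNI names no server block owns.
    # Keep "return 444" either way: a client can still complete the handshake
    # with a valid SNI and then send a foreign Host header, and that request
    # lands here.
    return       444;
}

# Redirect the real name to HTTPS. Only an exact server_name match reaches
# this block; "Host: www.evil.com" falls through to the :80 catch-all.
# The redirect target is a literal, so the Host header never feeds it.
server {
    listen       80;
    server_name  developer-nonprod.example.com;
    return       301 https://developer-nonprod.example.com$request_uri;
}

# The real site. Hosts not listed in server_name never reach the Drupal
# backend; they are handled by the :443 catch-all instead.
server {
    listen       443 ssl;
    server_name  developer-nonprod.example.com;
    ssl_certificate     /etc/nginx/ssl/developer-nonprod.crt;   # assumed
    ssl_certificate_key /etc/nginx/ssl/developer-nonprod.key;   # assumed
    root         /var/www/html;                                 # assumed
    index        index.php;
    # PHP-FPM and Drupal location blocks go here unchanged; they are omitted
    # because this example is only about server selection.
}
```

After `nginx -t` and `nginx -s reload`, the two curl calls from the message should no longer print `200 OK`: with `return 444` curl reports `Empty reply from server` and exits with code 52, while `curl --verbose https://developer-nonprod.example.com` (Host matching the real name) still returns the Drupal page. If `nginx -t` fails with a "duplicate default server" error, another server block on the same ip:port already carries `default_server`; there can be only one per ip:port, so that block is the one that must return 444 for unknown hosts. `nginx -T | grep -nE 'listen|server_name'` lists every block the running configuration actually loads, including anything pulled in from conf.d or sites-enabled, which is the quickest way to see which block is currently winning on port 443.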

