Prevent Arbitary HTTP Host header in nginx
Reinis Rozitis
r at roze.lv
Fri Feb 28 07:53:34 UTC 2020
> I have added the below server block in /etc/nginx/nginx.conf (https://paste.centos.org/view/raw/d5e90b98)
>
> server {
> listen 80;
> server_name _;
> return 444;
> }
>
> When i try to run the below curl call, I am still receiving 200 OK response.
> #curl --verbose --header 'Host: www.example.com' https://developer-nonprod.example.com
> GET / HTTP/1.1
> Host: www.example.com
> User-Agent: curl/7.64.1
> Accept: */*
If you are testing 'https' then you have to add the 'listen 443;' to the catch all server{} block otherways it will only work for http requests.
Also your pasted configuration has:
server {
listen 80 default_server;
server_name developer-nonprod.example.com;
server_name_in_redirect off;
return 301 https://$host$request_uri;
}
server {
listen 80;
server_name _;
return 444;
}
}
In this case with non-defined Hosts (server_name's) the first server {} will be used since it has the default_server (and second is ignored) and you'll always get the redirect.
You could leave the existing http -> https redirect but then change the catch all to listen only on 443 .. so if there is no valid server_name definition the connection will be dropped.
rr
More information about the nginx
mailing list