Prevent Arbitrary HTTP Host header in nginx

Kaushal Shriyan kaushalshriyan at gmail.com
Fri Feb 28 08:23:08 UTC 2020


On Fri, Feb 28, 2020 at 1:23 PM Reinis Rozitis <r at roze.lv> wrote:

> > I have added the below server block in /etc/nginx/nginx.conf (
> https://paste.centos.org/view/raw/d5e90b98)
> >
> > server {
> >   listen       80;
> >    server_name  _;
> >    return       444;
> > }
> >
> > When I try to run the below curl call, I am still receiving 200 OK
> response.
>
> > #curl --verbose --header 'Host: www.example.com'
> https://developer-nonprod.example.com
> > GET / HTTP/1.1
> > Host: www.example.com
> > User-Agent: curl/7.64.1
> > Accept: */*
>
> If you are testing 'https' then you have to add the 'listen 443;' to the
> catch all server{} block, otherwise it will only work for http requests.
>
>
> Also your pasted configuration has:
>
> server {
>     listen 80 default_server;
>
>     server_name developer-nonprod.example.com;
>     server_name_in_redirect off;
>     return 301 https://$host$request_uri;
> }
>
>
> server {
>     listen       80;
>     server_name  _;
>     return       444;
> }
> }
>
> In this case with non-defined Hosts (server_name's) the first server {}
> will be used since it has the default_server (and second is ignored)  and
> you'll always get the redirect.
>
> You could leave the existing http -> https redirect but then change the
> catch all to listen only on 443 .. so if there is no valid server_name
> definition the connection will be dropped.
>
> rr
>

Hi Reinis,

I have added the below server block https://paste.centos.org/view/0c6f3195

server {
    listen 80 default_server;

    server_name developer-nonprod.example.com;
    server_name_in_redirect off;
    return 301 https://$host$request_uri;
}
#  index index.html;

server {
    listen   443;
    server_name  _;
  #  server_name_in_redirect off;
    return       444;
}

}

It is still not working. I look forward to hearing from you and your help
is highly appreciated. Thanks in advance.

Best Regards,

Kaushal
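The layout Reinis describes, written out as an added example (this is not the poster's paste and not nginx project code): a catch-all block is declared for each port and marked default_server so it is the one nginx picks when no server_name matches, and the real host gets its own blocks. The certificate paths are assumed placeholders.

```nginx
# Plain HTTP catch-all. "server_name _;" is just a name that never matches a
# real Host header; what makes this block the fallback is default_server.
# Without it, the first server{} declared for port 80 handles unknown Hosts,
# which is why the paste above always returned the redirect.
server {
    listen 80 default_server;
    server_name _;
    return 444;   # close the connection without a response
}

# HTTPS catch-all. The block must listen on 443 with ssl, otherwise a request
# with a bogus Host header sent over TLS lands in the only 443 server{} that
# exists. nginx still has to complete the TLS handshake before it can return
# 444, so a certificate is required; a self-signed one is enough here.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/nginx/tls/placeholder.crt;   # assumed path
    ssl_certificate_key /etc/nginx/tls/placeholder.key;   # assumed path
    return 444;
}

# The real host on port 80: redirect to https only. No default_server here,
# so only an exact server_name match reaches this block, and $host in the
# redirect can only be that name.
server {
    listen 80;
    server_name developer-nonprod.example.com;
    return 301 https://$host$request_uri;
}

# The real host on port 443.
server {
    listen 443 ssl;
    server_name developer-nonprod.example.com;
    ssl_certificate     /etc/nginx/tls/developer-nonprod.crt;   # assumed path
    ssl_certificate_key /etc/nginx/tls/developer-nonprod.key;   # assumed path
    # ... location blocks for the application go here ...
}
```

After `nginx -t` and a reload, the thread's own check applies: `curl --verbose --header 'Host: www.example.com' https://developer-nonprod.example.com` should end with an empty reply instead of 200 OK. Note that the --header override changes only the HTTP Host header, not the TLS SNI name, so the handshake is served by the developer-nonprod block and nginx then re-selects the virtual server from the Host header, which is how the request reaches the 443 catch-all. On nginx 1.19.4 or newer the 443 catch-all can use `ssl_reject_handshake on;` in place of the placeholder certificate, which refuses the handshake for unknown SNI names outright.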