Prevent Arbitary HTTP Host header in nginx

Reinis Rozitis r at
Fri Feb 28 08:57:23 UTC 2020

> I have added the below server block
> It is still not working. I look forward to hearing from you and your help is highly appreciated.  Thanks in Advance.

If you don't use the default_server for the catch all server{} block then you should place it as first in the configuration as otherways nginx will choose the first one using the order they come in configuration (for each listen port there can be a different default server).

In your case it will be the:

    server {
        listen 443 ssl;
        ssl_protocols TLSv1.2;

So either place it as first or add listen  443 default_server;

p.s you can read in more detail how nginx handles the Hosts and server_names in the documentation and 


More information about the nginx mailing list