Prevent Arbitrary HTTP Host header in nginx

Kaushal Shriyan kaushalshriyan at gmail.com
Fri Feb 28 09:59:15 UTC 2020


On Fri, Feb 28, 2020 at 2:29 PM Reinis Rozitis <r at roze.lv> wrote:

> > So either place it as first or add listen  443 default_server;
>
> By first I mean the "catch all" server { server_name _; .. } block.
>
> rr
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx


Hi Reinis,

I did follow your steps. My nginx.conf file is at
https://paste.centos.org/view/ae22889e. When I run the curl call, I am still
receiving an HTTP 200 OK response instead of HTTP 444 (No Response), as per the
output below:

# curl --verbose --header 'Host: www.example.com' https://developer-nonprod.example.com
> GET / HTTP/1.1
> Host: www.example.com
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< X-Powered-By: PHP/7.2.27
< Cache-Control: must-revalidate, no-cache, private
< Date: Fri, 28 Feb 2020 07:02:00 GMT
< X-Drupal-Dynamic-Cache: MISS
< X-UA-Compatible: IE=edge
< Content-language: en
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< Expires: Sun, 19 Nov 1978 05:00:00 GMT
< Vary:
< X-Generator: Drupal 8 (https://www.drupal.org)
< X-Drupal-Cache: MISS
<


# curl --verbose --header 'Host: www.evil.com' https://developer-nonprod.example.com
> GET / HTTP/1.1
> Host: www.evil.com
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< X-Powered-By: PHP/7.2.27
< Cache-Control: must-revalidate, no-cache, private
< Date: Fri, 28 Feb 2020 06:59:41 GMT
< X-Drupal-Dynamic-Cache: MISS
< X-UA-Compatible: IE=edge
< Content-language: en
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< Expires: Sun, 19 Nov 1978 05:00:00 GMT
< Vary:
< X-Generator: Drupal 8 (https://www.drupal.org)
< X-Drupal-Cache: MISS
<


Thanks once again for all your help and I look forward to hearing from you.

Best Regards,

Kaushal
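Editor's note: the catch-all arrangement Reinis describes, written out in full as an added example. This is not the poster's nginx.conf (which is only linked above) and not nginx project code. The hostname developer-nonprod.example.com and the Host values www.example.com / www.evil.com come from the thread; the file paths, certificate paths, PHP-FPM socket and Drupal document root are assumptions. The point it illustrates is that on an ssl socket nginx cannot read the Host header until the TLS handshake has completed, so the catch-all block on 443 needs its own certificate, and that only one block per address:port may carry default_server.

```nginx
# /etc/nginx/conf.d/00-default.conf   (assumed path; the leading "00" makes it
# sort first under include conf.d/*.conf, which only matters if default_server
# were omitted, since nginx then treats the first block on a port as default)

# Catch-all for plain HTTP. default_server makes this block handle every
# request on :80 whose Host header matches no other server_name on :80.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;      # "_" is merely an invalid hostname; default_server does the work
    return 444;         # nginx-specific code: close the connection, send nothing
}

# Catch-all for HTTPS. The block must complete the TLS handshake before nginx
# can see the Host header, so it needs a certificate; a self-signed one is fine
# because the request is dropped anyway. nginx -t fails without it.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/nginx/ssl/catch-all.crt;   # assumed path, self-signed
    ssl_certificate_key /etc/nginx/ssl/catch-all.key;   # assumed path
    return 444;
}

# /etc/nginx/conf.d/developer-nonprod.conf   (assumed path)
# The real vhost. It must NOT also say default_server on :443 (nginx -t would
# report a duplicate default server), and it must list every name it is meant
# to answer for; any other Host value now falls through to the block above.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name developer-nonprod.example.com;
    ssl_certificate     /etc/nginx/ssl/developer-nonprod.crt;   # assumed path
    ssl_certificate_key /etc/nginx/ssl/developer-nonprod.key;   # assumed path

    root  /var/www/drupal;      # assumed Drupal document root
    index index.php;

    location / {
        try_files $uri /index.php?$query_string;
    }

    location ~ \.php$ {
        include       fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass  unix:/run/php/php7.2-fpm.sock;   # assumed socket path
    }
}
```

To check the result, run `nginx -T | grep -n 'default_server'` and confirm exactly one match per port and that the catch-all file is actually being included, then `nginx -t` and reload. The test from the thread, `curl -v --header 'Host: www.evil.com' https://developer-nonprod.example.com/`, should then end with curl reporting an empty reply from the server (exit code 52) rather than a 200: curl still sends developer-nonprod.example.com as the SNI name, so the handshake completes with the real certificate, but nginx re-selects the server block from the Host header and lands in the catch-all, which closes the connection. The same happens for Host: www.example.com unless that name is listed in some server_name on :443. Note that the newer `ssl_reject_handshake on` (nginx 1.19.4 and later) is not a substitute here: it refuses the handshake based on the SNI name, not the Host header, so a request with a correct SNI and a forged Host would pass it.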