Prevent Arbitary HTTP Host header in nginx

Reinis Rozitis r at roze.lv
Fri Feb 28 07:53:34 UTC 2020


> I have added the below server block in /etc/nginx/nginx.conf (https://paste.centos.org/view/raw/d5e90b98)
> 
> server {
>   listen       80;
>    server_name  _;
>    return       444;
> }
> 
> When i try to run the below curl call, I am still receiving 200 OK response. 

> #curl --verbose --header 'Host: www.example.com' https://developer-nonprod.example.com
> GET / HTTP/1.1
> Host: www.example.com
> User-Agent: curl/7.64.1
> Accept: */*

If you are testing 'https'  then you have to add the  'listen 443;' to the catch all server{} block otherways it will only work for http requests.


Also your pasted configuration has:

server {
    listen 80 default_server;

    server_name developer-nonprod.example.com;
    server_name_in_redirect off;
    return 301 https://$host$request_uri;
}


server {
    listen       80;
    server_name  _;
    return       444;
}
}

In this case with non-defined Hosts (server_name's) the first server {} will be used since it has the default_server (and second is ignored)  and you'll always get the redirect. 

You could leave the existing http -> https redirect but then change the catch all to listen only on 443 .. so if there is no valid server_name definition the connection will be dropped.

rr



More information about the nginx mailing list