Nginx – How to Block Requests with Wrong Host Header

nginx

I use nginx to serve my website. I’d like to block all requests that come in with an HTTP “Host” header that doesn’t match my site’s domain.

To be more concrete, my nginx.conf contains these two server blocks:

server {
    # Redirect from the old domain to the new domain; also redirect
    # from www.newdomain.com to newdomain.com without the "www"
    server_name www.olddomain.com olddomain.com www.newdomain.com;
    listen 80;
    return 301 $scheme://newdomain.com$request_uri;
}

server {
    server_name newdomain.com localhost;
    listen 80;

    # Actual configuration goes here...
}

I’d like to block (i.e. “return” a 444 status code) any traffic whose Host isn’t www.olddomain.com, olddomain.com, www.newdomain.com, or newdomain.com. How can I do this?

Best Answer

Define a default server

if you don't explicitly define a default server, nginx will implicitly use the first-found server. so, just create a server block to block unknown hosts:

server {
  listen 80 default_server;
  return 444;
}

(no it's not necessary to add a server_name - since it will never be a match).

Correct way in new versions of nginx

Turn out my first answer to this question was correct at certain time, but it turned into another pitfall - to stay up to date please check Taxing rewrite pitfalls

I have been corrected by many SE users, so the credit goes to them, but more importantly, here is the correct code:

server {
       listen         80;
       server_name    my.domain.com;
       return         301 https://$server_name$request_uri;
}

server {
       listen         443 ssl;
       server_name    my.domain.com;
       # add Strict-Transport-Security to prevent man in the middle attacks
       add_header Strict-Transport-Security "max-age=31536000" always; 

       [....]
}

Nginx – Why WordPress Loads Blank Pages on Nginx and PHP-FPM

By default the Nginx source does not define SCRIPT_FILENAME in the fastcgi_params file, so unless the repo you installed Nginx from does that you need to do it yourself.

Check if the following line is in your fastcgi_params file:

fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;

and if not then add it.

Best Answer

Define a default server

Related Solutions

NGINX Redirect – How to Rewrite All HTTP Requests to HTTPS While Maintaining Sub-Domain

Correct way in new versions of nginx

Nginx – Why WordPress Loads Blank Pages on Nginx and PHP-FPM

Related Topic