I want to disable processing of all requests that do not have a valid
hostname
I tried to follow the advice on:
http://nginx.org/en/docs/http/request_processing.html#how_to_prevent_undefined_server_names
so I have (inside http directive):
    server {
        listen 80;
        server_name "";
        return 444;
    }
I also tried
    server {
        listen 80;
        server_name _;
        return 444;
    }
but I am still able to access the website by its IP address?
what am I doing wrong?
–
Igal Sapir
Lucee Core Developer
Lucee.org http://lucee.org/
On Thu, Aug 20, 2015 at 02:46:57PM -0700, Igal @ Lucee.org wrote:
I want to disable processing of all requests that do not have a valid
hostname
Check your entire configuration for “listen” directives.
http://nginx.org/r/listen
There will be zero or more in each server{} block. If there are zero,
that is equivalent to “listen 80” (if you run as root).
For each “listen” directive with a unique ip:port, add one server{}
block which contains “listen ip:port default_server; return 444;”
If your config only has “listen 80”, or no “listen” directives at all,
then
    server {
        listen 80 default_server;
        return 444;
    }
should do what you want.
but I am still able to access the website by its IP address?
what am I doing wrong?
Not causing that server to be the default server for the ip:port you
are connecting to.
f
Francis D.
Thank you, Francis.
For each “listen” directive with a unique ip:port, add one server{}
block which contains “listen ip:port default_server; return 444;”
This seems to do the trick.
I expected there to be a way to do all of the IP addresses at once.
Thanks for your help!
Igal
So while this worked well for port 80:
On 8/20/2015 3:55 PM, Igal @ Lucee.org wrote:
Thank you, Francis.
For each “listen” directive with a unique ip:port, add one server{}
block which contains “listen ip:port default_server; return 444;”
This seems to do the trick.
when I tried to add listen for port 443 it broke the https for requests
with the valid hostname as well.
    # disable http server for requests with unknown hosts
    server {
        listen IP:80 default_server;
        listen IP:443 default_server; # breaks all https??
        return 444;
    }
what’s the trick to do the same for https without breaking the requests
for https://myhost/ ?
On Thu, Aug 20, 2015 at 03:55:51PM -0700, Igal @ Lucee.org wrote:
Hi there,
For each “listen” directive with a unique ip:port, add one server{}
block which contains “listen ip:port default_server; return 444;”
This seems to do the trick.
I expected there to be a way to do all of the IP addresses at once.
You can add all of the “listen … default_server;” directives into a
single server{}.
But the way nginx chooses which server{} to use to handle a request,
means that there is not a single “listen” directive that will catch
everything that you don’t want to go elsewhere.
f
Francis D.
On Thu, Aug 20, 2015 at 11:35:58PM -0700, Igal @ Lucee.org wrote:
On 8/20/2015 3:55 PM, Igal @ Lucee.org wrote:
Hi there,
I do not know the full answer to your question.
what’s the trick to do the same for https without breaking the requests
for https://myhost/ ?
You will need at least a proper ssl configuration in that server{}
block – possibly setting it at http level.
See, for example,
http://nginx.org/en/docs/http/configuring_https_servers.html#name_based_https_servers
In general, the ssl hostname that the browser wants to connect to is
not available until after the ssl negotiation has happened.
f
Francis D.
You will need at least a proper ssl configuration in that server{}
block – possibly setting it at http level.
that makes sense. thanks again!
Igal Sapir
Lucee Core Developer
Lucee.org http://lucee.org/
On 21.08.2015 10:30, Francis D. wrote:
server {
See, for example,
http://nginx.org/en/docs/http/configuring_https_servers.html#name_based_https_servers
In general, the ssl hostname that the browser wants to connect to is
not available until after the ssl negotiation has happened.
f
Look at this link:
Configuring HTTPS servers
SNI will help you to listen for separate server_name on one IP and
have default_server.
On 8/21/2015 4:49 AM, navern wrote:
disable http server for requests with unknown hosts
block – possibly setting it at http level.
Configuring HTTPS servers
SNI will help you to listen for separate server_name on one IP
and have default_server.
I have SNI enabled (running on Windows and confirmed by calling $ nginx -V)
not sure how to “use” that?
thanks
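
Added example, not part of the original thread and not posted by any of its participants: one way to combine the advice above (a default_server per listen ip:port, an ssl configuration in the catch-all block, and SNI for the real site). The address 203.0.113.10, the name myhost and all certificate paths are placeholders assumed for illustration.

```nginx
# Goes inside the http {} block. All addresses, names and paths are placeholders.

# Catch-all for plain HTTP: handles every request on this ip:port whose
# Host header matches no other server_name, including access by bare IP.
server {
    listen 203.0.113.10:80 default_server;
    server_name "";
    return 444;               # close the connection without a response
}

# Catch-all for HTTPS. The TLS handshake happens before nginx sees the
# request, so this block needs the "ssl" parameter and a certificate of
# its own. A self-signed throwaway certificate is enough, because no
# legitimate client is expected to land here.
server {
    listen 203.0.113.10:443 ssl default_server;
    server_name "";
    ssl_certificate     /path/to/dummy-selfsigned.crt;
    ssl_certificate_key /path/to/dummy-selfsigned.key;
    return 444;
}

# The real site. With SNI the client sends the hostname during the
# handshake, so nginx selects this block (and its certificate) for
# https://myhost/ even though it shares the ip:port with the catch-all.
server {
    listen 203.0.113.10:80;
    listen 203.0.113.10:443 ssl;
    server_name myhost;
    ssl_certificate     /path/to/myhost.crt;
    ssl_certificate_key /path/to/myhost.key;
    # existing site configuration (root, locations, proxying) goes here
}
```

Repeat the two catch-all blocks, or add further listen lines to them, for every other ip:port that appears in a listen directive elsewhere in the configuration. On nginx 1.19.4 and later, "ssl_reject_handshake on;" in the HTTPS default server refuses the handshake for unknown names and removes the need for the dummy certificate.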