On Fri, Feb 28, 2020 at 1:21 AM Reinis Rozitis <[email protected]> wrote:
> > Is there a way to prevent an arbitrary HTTP Host header in Nginx?
> > A penetration test has reported that it accepts arbitrary Host headers.
> > Thanks in advance, and I look forward to hearing from you.
>
> You can always define a "catch all" server block with:
>
> server {
>     listen 80 default_server;
>     server_name _;
>     return 444;
> }
>
> (444 is connection close without response)
>
> And then just add the valid host names to the other server blocks.
>
> rr
>
> _______________________________________________
> nginx mailing list
> [email protected]
> http://mailman.nginx.org/mailman/listinfo/nginx
Hi Reinis,

I have added the below server block in /etc/nginx/nginx.conf (https://paste.centos.org/view/raw/d5e90b98):

server {
    listen 80;
    server_name _;
    return 444;
}

When I try to run the below curl call, I am still receiving a 200 OK response.

# curl --verbose --header 'Host: www.example.com' https://developer-nonprod.example.com
> GET / HTTP/1.1
> Host: www.example.com
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< X-Powered-By: PHP/7.2.27
< Cache-Control: must-revalidate, no-cache, private
< Date: Fri, 28 Feb 2020 07:02:00 GMT
< X-Drupal-Dynamic-Cache: MISS
< X-UA-Compatible: IE=edge
< Content-language: en
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< Expires: Sun, 19 Nov 1978 05:00:00 GMT
< Vary:
< X-Generator: Drupal 8 (https://www.drupal.org)
< X-Drupal-Cache: MISS
<

# curl --verbose --header 'Host: www.evil.com' https://developer-nonprod.example.com
> GET / HTTP/1.1
> Host: www.evil.com
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< X-Powered-By: PHP/7.2.27
< Cache-Control: must-revalidate, no-cache, private
< Date: Fri, 28 Feb 2020 06:59:41 GMT
< X-Drupal-Dynamic-Cache: MISS
< X-UA-Compatible: IE=edge
< Content-language: en
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< Expires: Sun, 19 Nov 1978 05:00:00 GMT
< Vary:
< X-Generator: Drupal 8 (https://www.drupal.org)
< X-Drupal-Cache: MISS
<

https://paste.centos.org/view/raw/d5e90b98

Any help will be highly appreciated. Thanks in advance.

Best Regards,
Kaushal
_______________________________________________ nginx mailing list [email protected] http://mailman.nginx.org/mailman/listinfo/nginx
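Editor's note on why the posted block does not fire, with an added configuration example that is not part of the thread and not nginx project code. Two things in the curl transcript matter. First, the test goes to https://, so nginx is selecting a server block on port 443, and the catch-all above only listens on 80. Second, the catch-all has no default_server; when a Host header matches no server_name, nginx hands the request to the default server for that address:port, and if no block is marked default_server the first block declared for that port wins, which here is the Drupal vhost, hence the 200. Note also that nginx finishes the TLS handshake (choosing a block by SNI) before it can read Host, so a request with a valid SNI and a bogus Host still lands on the default server for :443; that block therefore has to exist and has to carry a certificate. The hostname, paths and the Drupal root below are assumptions for illustration.

```nginx
# Added example (not from the thread): catch-all server blocks for both
# ports, placed inside the http { } context. Certificate paths, the site
# name and the document root are assumed values.

# Catch-all for plain HTTP. default_server is what makes this block
# receive requests whose Host matches no server_name on :80; without it
# nginx falls back to the first server block declared for :80.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444;   # close the connection without sending a response
}

# Catch-all for HTTPS. The thread's curl test went to https://, so a
# catch-all on :80 alone is never consulted. nginx completes the TLS
# handshake before it sees Host, so this block needs a certificate; a
# self-signed one is enough because no response is ever sent.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/nginx/ssl/catchall.crt;   # assumed path
    ssl_certificate_key /etc/nginx/ssl/catchall.key;   # assumed path
    return 444;
}

# The real site, matched only on the exact names it is known by.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name developer-nonprod.example.com;
    ssl_certificate     /etc/nginx/ssl/developer-nonprod.crt;   # assumed path
    ssl_certificate_key /etc/nginx/ssl/developer-nonprod.key;   # assumed path
    root /var/www/drupal;                                      # assumed path
    # ... existing PHP / Drupal location blocks unchanged ...
}

# HTTP side of the real site: redirect, but only for its own name.
server {
    listen 80;
    listen [::]:80;
    server_name developer-nonprod.example.com;
    return 301 https://$server_name$request_uri;
}
```

Before reloading, run `nginx -T | grep -nE 'listen|server_name'` to see every listen directive across all included files: if a vhost under conf.d or sites-enabled already claims default_server on :80 or :443, nginx -t fails with a duplicate default server error and the older declaration must lose the flag. After the reload, the evil-host curl from the thread should end with "curl: (52) Empty reply from server" instead of a 200, while the same request with the correct Host still returns the Drupal page. On nginx 1.19.4 or later the certificate in the :443 catch-all can be replaced by `ssl_reject_handshake on;`, which refuses the TLS handshake outright for SNI names no server block claims. Since the response headers show Drupal 8, also set Drupal's own trusted_host_patterns in settings.php, so the application rejects unexpected Host values even if the web server in front of it is ever misconfigured again.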
