Deny Hosts Using Nginx
I was noticing my nginx log file fill up with requests for a site who had misconfigured their DNS. Normally I wouldn’t worry about it, but it became quickly evident that the domain was used for an image server for a parent site. There were thousands of RPS that I really didn’t need.
All I did was add the following expression to my nginx.conf file.
1Server {
2 ...snip...
3 ## Deny illegal Host headers
4 if ($host !~* ^(mydomain.com|www.mydomain.com)$ ) {
5 return 444;
6 }
7 ...snip...
8}
Now if you look at the code, you may be thinking “But Jared, what is a 444 error? That is totally not valid bro.” And indeed, you are correct. But here is what the nginx documentation has to say about it.
_“Furthermore, nonstandard code 444 closes the connection without sending any headers.”
So basically, my expression above, in plain english, is saying.
_“If you are not making a request using the valid hostname of my server, then I’m just going to close the connection and return you nothing. nada. zip.”
For the record, I got a lot of value out of this article over @ calomel.org, but the site seems to have issues so I copy/pasted their nginx.conf file here for historical purposes.
1## Compression
2 gzip on;
3 gzip_static on;
4 gzip_buffers 16 8k;
5 gzip_comp_level 9;
6 gzip_http_version 1.0;
7 gzip_min_length 0;
8 gzip_types text/plain text/html text/css image/x-icon image/bmp;
9 gzip_vary on;
10 ## Log Format
11 log_format main '$remote_addr $host $remote_user [$time_local] "$request"
12 $status $body_bytes_sent "$http_referer" "$http_user_agent" $ssl_cipher $request_time';
13 ## Deny access to any host other than (www.)mydomain.com
14 server {
15 server_name _; #default
16 return 444;
17 }
18 ## Server (www.)mydomain.com
19 server {
20 add_header Cache-Control public;
21 access_log /var/log/nginx/access.log main buffer=32k;
22 error_log /var/log/nginx/error.log info;
23 expires 31d;
24 limit_conn gulag 5;
25 listen 127.0.0.1:8080 rcvbuf=64k backlog=128;
26 root /htdocs;
27 server_name mydomain.com www.mydomain;
28 ## Only allow GET and HEAD request methods
29 if ($request_method !~ ^(GET|HEAD)$ ) {
30 return 444;
31 }
32 ## Deny illegal Host headers
33 if ($host !~* ^(mydomain.com|www.mydomain.com)$ ) {
34 return 444;
35 }
36 ## Deny certain User-Agents (case insensitive)
37 ## The ~* makes it case insensitive as opposed to just a ~
38 if ($http_user_agent ~* (Baiduspider|Jullo) ) {
39 return 444;
40 }
41 ## Deny certain Referers (case insensitive)
42 ## The ~* makes it case insensitive as opposed to just a ~
43 if ($http_referer ~* (babes|click|diamond|forsale|girl|jewelry|love|nudit|organic|poker|porn|poweroversoftware|sex|teen|video|webcam|zippo) ) {
44 return 444;
45 }
46 ## Redirect from www to non-www
47 if ($host = 'www.mydomain.com' ) {
48 rewrite ^/(.*)$ http://mydomain.com/$1 permanent;
49 }
50 ## Stop Image and Document Hijacking
51 location ~* (\.jpg|\.png|\.css)$ {
52 if ($http_referer !~ ^(http://mydomain.com) ) {
53 return 444;
54 }
55 }
56 ## Restricted Access directory
57 location ^~ /secure/ {
58 allow 127.0.0.1/32;
59 allow 10.10.10.0/24;
60 deny all;
61 auth_basic "RESTRICTED ACCESS";
62 auth_basic_user_file /var/www/htdocs/secure/access_list;
63 }
64 ## Only allow these full URI paths relative to document root. If you only want
65 ## to reference the filename use $request_filename instead of $request_uri
66 location / {
67 if ($request_uri ~* (^\/|\.html|\.jpg|\.org|\.png|\.css|favicon\.ico|robots\.txt)$ ) {
68 break;
69 }
70 return 444;
71 }
72 ## Serve an empty 1x1 gif _OR_ an error 204 (No Content) for favicon.ico
73 location = /favicon.ico {
74 #empty_gif;
75 return 204;
76 }
77 ## System Maintenance (Service Unavailable)
78 if (-f $document_root/system_maintenance.html ) {
79 error_page 503 /system_maintenance.html;
80 return 503;
81 }
82 ## All other errors get the generic error page
83 error_page 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 495 496 497
84 500 501 502 503 504 505 506 507 /error_page.html;
85 location /error_page.html {
86 internal;
87 }
88 }
89}
捐赠本站(Donate)
如您感觉文章有用,可扫码捐赠本站!(If the article useful, you can scan the QR code to donate))
- Author: shisekong
- Link: https://blog.361way.com/nginx-deny-hosts/4500.html
- License: This work is under a 知识共享署名-非商业性使用-禁止演绎 4.0 国际许可协议. Kindly fulfill the requirements of the aforementioned License when adapting or creating a derivative of this work.