Re: Prevent Arbitary HTTP Host header in nginx

February 28, 2020 02:24AM
On Fri, Feb 28, 2020 at 1:21 AM Reinis Rozitis <r@roze.lv> wrote:

> > Is there a way to prevent Arbitrary HTTP Host header in Nginx?
> > Penetration test has reported accepting arbitrary host headers. Thanks in
> > Advance and I look forward to hearing from you.
>
> You can always define "catch all" server block with:
>
> server {
> listen 80 default_server;
> server_name _;
> return 444;
> }
>
> (444 is connection close without response)
>
> And then just add valid host names to the other server blocks.
>
> rr
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx


Hi Reinis,

I have added the below server block in /etc/nginx/nginx.conf
(https://paste.centos.org/view/raw/d5e90b98)

server {
    listen 80;
    server_name _;
    return 444;
}


When I try to run the below curl call, I am still receiving a 200 OK
response.

# curl --verbose --header 'Host: www.example.com' https://developer-nonprod.example.com
> GET / HTTP/1.1
> Host: www.example.com
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< X-Powered-By: PHP/7.2.27
< Cache-Control: must-revalidate, no-cache, private
< Date: Fri, 28 Feb 2020 07:02:00 GMT
< X-Drupal-Dynamic-Cache: MISS
< X-UA-Compatible: IE=edge
< Content-language: en
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< Expires: Sun, 19 Nov 1978 05:00:00 GMT
< Vary:
< X-Generator: Drupal 8 (https://www.drupal.org)
< X-Drupal-Cache: MISS
<


# curl --verbose --header 'Host: www.evil.com' https://developer-nonprod.example.com
> GET / HTTP/1.1
> Host: www.evil.com
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< X-Powered-By: PHP/7.2.27
< Cache-Control: must-revalidate, no-cache, private
< Date: Fri, 28 Feb 2020 06:59:41 GMT
< X-Drupal-Dynamic-Cache: MISS
< X-UA-Compatible: IE=edge
< Content-language: en
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< Expires: Sun, 19 Nov 1978 05:00:00 GMT
< Vary:
< X-Generator: Drupal 8 (https://www.drupal.org)
< X-Drupal-Cache: MISS
<

https://paste.centos.org/view/raw/d5e90b98
Any help would be highly appreciated. Thanks in advance.

Best Regards,

Kaushal
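Editor's note on why the two requests above still got 200 OK, with an added model of nginx's server selection (this is example code, not nginx's own code and not from the thread). nginx first narrows the candidate server blocks to those that listen on the port the connection arrived on, and only then compares Host with their server_name values; a Host that matches none falls back to that port's default server, which is the block marked default_server or, failing that, the first block listed for that port. Both curl calls went to https://, so they arrived on port 443, while the added block listens only on port 80: it was never a candidate, and the only block on 443 answered whatever Host was sent. "server_name _;" carries no special meaning either, it is just a name that never matches a real host. A catch-all therefore needs "listen ... default_server" on every port in use, and on 443 it must also present an ssl_certificate (any certificate), because the TLS handshake completes before nginx can read Host. The script parses just those directives from two constructed configs (the posted one plus an assumed Drupal vhost on 443, and a corrected one with assumed certificate paths) and replays the documented selection order. Once the catch-all fires, curl reports "Empty reply from server" (exit code 52) rather than 200 OK.

```python
"""Model of nginx server-block selection (added example; not nginx's own code).

Parses only listen, server_name and return, then applies the order nginx
documents: candidates = blocks listening on the request's port; Host matched
by exact name, longest "*.x" wildcard, longest "x.*" wildcard, first "~regex"
in config order; otherwise that port's default server (default_server flag,
else the first block listed for the port).
"""
import re
from dataclasses import dataclass, field


@dataclass
class Server:
    ports: set = field(default_factory=set)          # from listen
    default_ports: set = field(default_factory=set)  # listen ... default_server
    names: list = field(default_factory=list)        # server_name arguments
    action: str = "serve site"                       # "return 444" for a catch-all


def parse(conf: str) -> list:
    """Extract the directives the model needs; everything else is ignored."""
    servers = []
    for body in re.findall(r"server\s*\{(.*?)\}", conf, re.S):
        srv = Server()
        text = "\n".join(ln.split("#", 1)[0] for ln in body.splitlines())  # drop comments
        for stmt in text.split(";"):
            directive, *args = stmt.split() or [""]
            if directive == "listen":                # "80", "[::]:443 ssl default_server"
                port = int(args[0].rsplit(":", 1)[-1])
                srv.ports.add(port)
                if "default_server" in args:
                    srv.default_ports.add(port)
            elif directive == "server_name":
                srv.names.extend(n.lower() for n in args)
            elif directive == "return":
                srv.action = "return " + args[0]
        servers.append(srv)
    return servers


def select(servers: list, port: int, host: str):
    """Server that handles Host `host` arriving on `port`; None if nothing listens."""
    cands = [s for s in servers if port in s.ports]
    if not cands:
        return None
    host = host.lower().split(":")[0].rstrip(".")   # nginx drops :port and a trailing dot
    for s in cands:                                  # 1. exact name
        if host in s.names:
            return s
    for leading in (True, False):                    # 2. longest "*.x", then 3. longest "x.*"
        best = None
        for s in cands:
            for n in s.names:
                if leading:
                    hit = n.startswith("*.") and host.endswith(n[1:])
                else:
                    hit = n.endswith(".*") and host.startswith(n[:-1])
                if hit and (best is None or len(n) > len(best[0])):
                    best = (n, s)
        if best:
            return best[1]
    for s in cands:                                  # 4. first regex in config order
        if any(n.startswith("~") and re.search(n[1:].lstrip("*"), host) for n in s.names):
            return s
    for s in cands:                                  # 5. explicit default_server for this port
        if port in s.default_ports:
            return s
    return cands[0]                                  # 6. else the first block on this port


# Constructed stand-in for the posted setup: the block from the post plus an
# assumed Drupal vhost on 443 (the real paste is not reproduced here).
POSTED = """
server { listen 80; server_name _; return 444; }
server { listen 443 ssl; server_name developer-nonprod.example.com; }
"""

# Corrected version: one catch-all that is default_server on every listening
# port. Certificate paths are assumed; 443 needs some cert to finish the handshake.
FIXED = """
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/nginx/catchall.crt;   # assumed path
    ssl_certificate_key /etc/nginx/catchall.key;   # assumed path
    return 444;
}
server { listen 443 ssl; server_name developer-nonprod.example.com; }
"""


def outcome(conf: str, port: int, host: str) -> str:
    srv = select(parse(conf), port, host)
    return srv.action if srv else "connection refused"


if __name__ == "__main__":
    for label, conf in (("posted", POSTED), ("fixed", FIXED)):
        for port, host in ((80, "www.evil.com"), (443, "www.evil.com"),
                           (443, "developer-nonprod.example.com")):
            print(f"{label:6} :{port:<3} Host: {host:30} -> {outcome(conf, port, host)}")
```

Running it shows the posted config returning 444 only on port 80 and serving www.evil.com on 443, and the corrected config returning 444 for any unknown Host on both ports while still serving the real name. Verify a live deployment the same way the pentest did, but against both schemes, e.g. `curl -v -H 'Host: www.evil.com' http://developer-nonprod.example.com` and the https:// form; each should end with "Empty reply from server".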
Thread (Subject | Author | Posted):
Prevent Arbitary HTTP Host header in nginx | kaushalshriyan | February 27, 2020 01:36PM
RE: Prevent Arbitary HTTP Host header in nginx | Reinis Rozitis | February 27, 2020 02:52PM
Re: Prevent Arbitary HTTP Host header in nginx | kaushalshriyan | February 28, 2020 02:24AM
RE: Prevent Arbitary HTTP Host header in nginx | Reinis Rozitis | February 28, 2020 02:54AM
Re: Prevent Arbitary HTTP Host header in nginx | kaushalshriyan | February 28, 2020 03:24AM
RE: Prevent Arbitary HTTP Host header in nginx | Reinis Rozitis | February 28, 2020 03:58AM
RE: Prevent Arbitary HTTP Host header in nginx | Reinis Rozitis | February 28, 2020 04:00AM
Re: Prevent Arbitary HTTP Host header in nginx | kaushalshriyan | February 28, 2020 05:00AM
RE: Prevent Arbitary HTTP Host header in nginx | Reinis Rozitis | February 28, 2020 10:40AM
Re: Prevent Arbitary HTTP Host header in nginx | kaushalshriyan | February 28, 2020 12:50PM
