I have tried a ton of different things to stop bots from hitting my backend but cannot seem to block invalid host headers without blocking all traffic. My current configuration looks like this:
# trying to stop invalid host headers which doesn't work
server {
listen 80 default_server;
return 444;
}
upstream backend_server {
server backend:8000;
}
server {
listen 80;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location ~* ^/(api|admin|static|v2) {
return 301 https://$host$request_uri;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name example.com *.example.com;
deny 143.198.76.27; # trying to stop certain IPs here which doesn't work
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
location ~ ^/v2(?:/(.*))?$ {
root /usr/share/nginx/html;
index index.html;
try_files $uri $uri/ /v2/index.html =404;
}
location /backend_static/ {
alias /backend/assets/;
}
location /media/ {
alias /backend/media/;
}
location ~* ^/(api|admin) {
proxy_pass http://backend_server$request_uri;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $https;
proxy_connect_timeout 360s;
proxy_read_timeout 360s;
}
location ~* ^/(videos|notes|memos|images|policies|documents|files|uploads|static) {
proxy_pass http://backend_server$request_uri;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $https;
proxy_connect_timeout 360s;
proxy_read_timeout 360s;
# Set upload size for videos to be 500MB
client_max_body_size 500M;
}
location / {
proxy_pass http://backend_server$request_uri;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $https;
proxy_connect_timeout 360s;
proxy_read_timeout 360s;
}
}
Basically, to block bots that send an invalid Host header you need something like this:
server {
listen 80 default_server;
server_name mydomain.com;
if ( $host !~* ^(mydomain.com|www.mydomain.com)$ ) {
return 444;
}
if ( $http_host !~* ^(mydomain.com|www.mydomain.com)$ ) {
return 444;
}
}
But there are plenty of other options (because almost all bots have a tendency to adapt), like cookie tests, JavaScript or even CAPTCHA.
I have a small issue. I configured various server blocks with the listen directive like below,
but I can access toto1.com on port 444 and toto2.com on port 443. I would prefer if that was not possible; is the listen directive not only for the server block?
server {
listen 443 ssl http2;
server_name toto1.com;
include /etc/nginx/snippets/ssl.conf;
location /
{
proxy_read_timeout 900;
proxy_pass_header Server;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_pass https://x.x.x.x;
}
}
server {
listen 444 ssl http2;
server_name toto2.com;
include /etc/nginx/snippets/ssl.conf;
location /
{
proxy_read_timeout 900;
proxy_pass_header Server;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_pass https://x.x.x.x;
}
}
Thanks
I found my answer here
https://www.computerworld.com/article/2987967/why-your-nginx-server-is-responding-with-content-from-the-wrong-site.html
You need to create a server conf like that and place it at the beginning
server {
include /etc/nginx/snippets/ssl.conf;
server_name titi.com;
listen 444;
listen 443;
return 404;
access_log /var/log/nginx/default.access.log main;
error_log /var/log/nginx/default.error.log;
}
I have been trying to solve this issue for quite a while now. Bots are hitting my sites hard with INVALID HOST HEADERS and Nginx forwards these requests to Gunicorn/Django. I need to stop them at Nginx. I have tried every solution I can find on SO, and elsewhere, but none seem to work for my setup.
Nginx.conf:
upstream backend_server {
server backend:8000;
}
upstream backend_asgi {
server backend_asgi:8001;
}
server {
listen 80;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location ~* ^/(api|admin|static|v2) {
return 301 https://$host$request_uri;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name example.site *.example.site;
ssl_certificate /etc/letsencrypt/live/example.site/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.site/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
location /ws/ {
proxy_pass http://backend_asgi;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
location ~ ^/v2(?:/(.*))?$ {
root /usr/share/nginx/html;
index index.html;
try_files $uri $uri/ /v2/index.html =404;
}
location /backend_static/ {
alias /backend/assets/;
}
location /media/ {
alias /backend/media/;
}
location ~* ^/(api|admin) {
proxy_pass http://backend_server$request_uri;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $https;
proxy_connect_timeout 360s;
proxy_read_timeout 360s;
}
location / {
proxy_pass http://backend_server$request_uri;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $https;
proxy_connect_timeout 360s;
proxy_read_timeout 360s;
# Set upload size for videos to be 500MB
client_max_body_size 500M;
}
}
What can I add to my Nginx configuration to stop invalid host headers, given that I have a wildcard subdomain and bots are also using HOST HEADERS w/ subdomains?
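The catch-all approach that the first answer's Host check and this wildcard question both come down to, shown as an added example that is not from any post on this page: a default_server on both ports, so a request whose Host (or SNI) matches no configured server_name is closed at nginx and never reaches the site's server block or its proxy_pass. It assumes the question's example.site names and Let's Encrypt paths, a backend_server upstream defined elsewhere, and nginx 1.19.4 or newer for ssl_reject_handshake.

```nginx
# Added example, not the questioner's config. Names, paths and the
# backend_server upstream are taken from the question above.

# Plain-HTTP catch-all: any Host that matches no other server on :80.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444;   # close the connection without sending a response
}

# TLS catch-all. TLS is negotiated before nginx sees the Host header, so
# :443 needs an explicit default server too. ssl_reject_handshake (nginx
# >= 1.19.4) aborts the handshake when the SNI name matches no other
# server, so this block needs no certificate. If the SNI did match the
# site below but the Host header does not, the request is still routed
# here by Host and gets the 444. On older nginx, load any certificate
# here instead and keep the return 444.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;
    return 444;
}

# The real site: only Host values matching these names reach it, so no
# "if ($host ...)" test is needed in front of proxy_pass.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.site *.example.site;

    ssl_certificate     /etc/letsencrypt/live/example.site/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.site/privkey.pem;

    location / {
        proxy_pass http://backend_server;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Check it with `nginx -t`, then `curl -k --resolve bogus.example:443:<server-ip> https://bogus.example/` should fail at the TLS handshake while `https://example.site/` still answers.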
I have a requirement where {any-dynamic-subdomain}.domain.com should rewrite to domain.com/{any-dynamic-subdomain} but not for www.domain.com
Example:
api.domain.com -> domain.com/api
api-1.domain.com -> domain.com/api-1
and so on.
Note: Here subdomains are dynamic in nature.
Nginx version: openresty/1.11.2.2
Current nginx configs:
server {
listen 80;
server_name domain.com;
return 301 https://www.domain.in$request_uri;
}
server {
listen 80;
server_name www.domain.com;
set $upstream_endpoint backend-api.tools.com;
location / {
proxy_set_header HOST $upstream_endpoint;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_read_timeout 300;
proxy_pass http://$upstream_endpoint;
}
}
Kindly advise Nginx configurations for the same. Thanks
You will have to use a named capture in the server_name directive:
server {
listen 80;
server_name www.domain.com;
root /var/www/htmldoc;
index index.htm index.html;
location / {
try_files $uri $uri/ =404;
}
}
server {
listen 80;
server_name ~^(?<name>[^\.]+)\.domain\.com$;
set $upstream_endpoint backend-api.tools.com;
location / {
proxy_set_header HOST $upstream_endpoint;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_read_timeout 300;
proxy_pass http://$upstream_endpoint/$name;
}
}
I'm trying to figure out how to configure my website to pass through Varnish. I'm using Ubuntu 18.04. I've tried some methods I already found online, but I can only make it work for HTTP, not for HTTPS. Here is my actual nginx.conf. My website is built in React and as you can see I already have a proxy_pass in my Nginx.
server {
listen 80;
listen [::]:80;
return 301 https://$host$request_uri;
}
server {
# SSL configuration
listen 443 ssl http2;
listen [::]:443 ssl http2;
include snippets/ssl-params.conf;
client_max_body_size 15M;
ssl_certificate_key /srv/www/dev.site.com/ssl/dev.key;
ssl_certificate /srv/www/dev.site.com/ssl/dev.chain.crt;
access_log /srv/www/dev.site.com/logs/temp_access.log;
error_log /srv/www/dev.site.com/logs/temp_error.log;
error_page 502 /502.html;
location = /502.html {
root /usr/share/nginx/html/;
allow all;
internal;
}
# root /srv/www/dev.site.com/html;
# index index.php index.html;
server_name www.dev.site.com dev.site.com;
location / {
proxy_pass http://127.0.0.1:3000/;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Client-Verify SUCCESS;
proxy_set_header X-Client-DN $ssl_client_s_dn;
proxy_set_header X-SSL-Subject $ssl_client_s_dn;
proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
proxy_read_timeout 1800;
proxy_connect_timeout 1800;
# escape the dot so it matches a literal "." before the extension
if ($request_uri ~* "\.(ico|css|js|gif|jpe?g|png|json)$") {
expires 30d;
access_log off;
add_header Pragma public;
add_header Cache-Control "public";
break;
}
}
}
Thanks
HTTP/1.1
For regular HTTP/1.1 requests, this one should do the trick:
server {
listen 443 ssl;
server_name example.com;
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
location / {
proxy_pass http://127.0.0.1:80;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Port 443;
proxy_set_header Host $host;
}
}
Please make sure you include the right certificates, and proxy through to the right hostname/port.
HTTP/2
For HTTP/2 requests, you can use the following Nginx config:
server {
listen 443 ssl http2;
server_name example.com;
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
location / {
proxy_pass http://127.0.0.1:80;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Port 443;
proxy_set_header Host $host;
}
}
And for Varnish, you need to make sure the -p feature=+http2 runtime flag is added to the varnishd process. So the varnishd process could look like this:
varnishd -a:80 -f /etc/varnish/default.vcl -s malloc,2g -p feature=+http2
In the beginning of my Nginx .conf file I have added the following redirect:
server {
listen 80;
listen [::]:80;
server_name *.a-domain.nl;
return 301 https://$host$request_uri;
}
server {
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
listen 443;
listen [::]:443 ipv6only=on;
server_name *.a-domain.nl;
ssl on;
ssl_certificate /etc/ssl/b-domain.crt;
ssl_certificate_key /etc/ssl/b-domain.key;
location ~* \.(ogg|ogv|svgz|mp4|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|html|txt|htm)$ {
root /var/www/html/mtcore/web;
try_files $uri $uri/ $uri.html =404;
}
location / {
proxy_pass http://127.0.0.1;
proxy_http_version 1.1;
proxy_set_header X-Real-Ip $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
}
}
server {
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
listen 80;
listen [::]:80 ipv6only=on;
server_name _;
location ~* \.(ogg|ogv|svgz|mp4|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|html|txt|htm)$ {
root /var/www/html/mtcore/web;
try_files $uri $uri/ $uri.html =404;
}
location / {
proxy_pass http://127.0.0.1;
proxy_http_version 1.1;
proxy_set_header X-Real-Ip $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
}
}
Only when I open the following domain www.b-domain.nl, which is served on the same server, in a browser, Nginx also redirects it to https. I would expect that Nginx only redirects www.a-domain.nl?
The first server block is the implicit default server for port 80, so it gets to process all http requests irrespective of server name. The third server block would only match the server name _, which is either illegal or unlikely.
To make another server block the default, use default_server option on the listen directive.
See this document for more.