CODEWITHSUNDEEP
nginx
Nothing here
Nothing here

Reputation: 2413

How to block bots in Nginx by stopping Invalid Host Headers

I have tried a ton of different things to stop bots from hitting my backend but cannot seem to block invalid host headers without blocking all traffic. My current configuration looks as such:

# trying to stop invalid host headers which doesn't work
server {
    listen 80 default_server;
    return 444;
}

upstream backend_server {
    server backend:8000;
}

server {
    listen 80;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location ~* ^/(api|admin|static|v2) {
        return 301 https://$host$request_uri;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com *.example.com;
    deny 143.198.76.27; # trying to stop certain IPs here which doesn't work

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location ~ ^/v2(?:/(.*))?$ {
        root /usr/share/nginx/html;
        index index.html;
        try_files $uri $uri/ /v2/index.html =404;
    }

    location /backend_static/ {      
        alias /backend/assets/;
    }

    location /media/ {      
        alias /backend/media/;
    }

    location ~* ^/(api|admin) {
        proxy_pass http://backend_server$request_uri;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $https;
        proxy_connect_timeout 360s;
        proxy_read_timeout 360s;
    }

    location ~* ^/(videos|notes|memos|images|policies|documents|files|uploads|static) {
        proxy_pass http://backend_server$request_uri;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $https;
        proxy_connect_timeout 360s;
        proxy_read_timeout 360s;
        # Set upload size for videos to be 500MB
        client_max_body_size 500M;
    }

    location / {
        proxy_pass http://backend_server$request_uri;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $https;
        proxy_connect_timeout 360s;
        proxy_read_timeout 360s;
    }
}

Upvotes: 1

Views: 1192

Answers (1)

user973254
user973254

Reputation:

Basically to block bots who sends invalid Host header you need something like this:

server {
    listen 80 default_server;
    server_name mydomain.com;
    
    if ( $host !~* ^(mydomain.com|www.mydomain.com)$ ) {
        return 444;
    }

    if ( $http_host !~* ^(mydomain.com|www.mydomain.com)$ ) {
        return 444;
    }

}

But there are plenty of other options (because almost all bots have tendency to adapt), like cookie tests, javascript or even CAPTCHa.

Upvotes: 1

Related Questions