I was noticing my nginx log file fill up with requests for a site who
had misconfigured their DNS. Normally I wouldn’t worry about it, but it
became quickly evident that the domain was used for an image server for
a parent site. There were thousands of RPS that I really didn’t need.
All I did was add the following expression to my nginx.conf file.
Server { ...snip... ## Deny illegal Host headers if ($host !~* ^(mydomain.com|www.mydomain.com)$ ) { return 444; } ...snip... }
Now if you look at the code, you may be thinking “But Jared, what is a 444 error? That is totally not valid bro.” And indeed, you are correct. But here is what the nginx documentation has to say about it.
“Furthermore, nonstandard code 444 closes the connection without sending any headers.”
So basically, my expression above, in plain english, is saying.
“If you are not making a request using the valid hostname of my
server, then I’m just going to close the connection and return you
nothing. nada. zip.”
For the record, I got a lot of value out of this article over @ calomel.org, but the site seems to have issues so I
copy/pasted their nginx.conf file here for historical purposes.
## Compression gzip on; gzip_static on; gzip_buffers 16 8k; gzip_comp_level 9; gzip_http_version 1.0; gzip_min_length 0; gzip_types text/plain text/html text/css image/x-icon image/bmp; gzip_vary on; ## Log Format log_format main '$remote_addr $host $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $ssl_cipher $request_time'; ## Deny access to any host other than (www.)mydomain.com server { server_name _; #default return 444; } ## Server (www.)mydomain.com server { add_header Cache-Control public; access_log /var/log/nginx/access.log main buffer=32k; error_log /var/log/nginx/error.log info; expires 31d; limit_conn gulag 5; listen 127.0.0.1:8080 rcvbuf=64k backlog=128; root /htdocs; server_name mydomain.com www.mydomain; ## Only allow GET and HEAD request methods if ($request_method !~ ^(GET|HEAD)$ ) { return 444; } ## Deny illegal Host headers if ($host !~* ^(mydomain.com|www.mydomain.com)$ ) { return 444; } ## Deny certain User-Agents (case insensitive) ## The ~* makes it case insensitive as opposed to just a ~ if ($http_user_agent ~* (Baiduspider|Jullo) ) { return 444; } ## Deny certain Referers (case insensitive) ## The ~* makes it case insensitive as opposed to just a ~ if ($http_referer ~* (babes|click|diamond|forsale|girl|jewelry|love|nudit|organic|poker|porn|poweroversoftware|sex|teen|video|webcam|zippo) ) { return 444; } ## Redirect from www to non-www if ($host = 'www.mydomain.com' ) { rewrite ^/(.*)$ http://mydomain.com/$1 permanent; } ## Stop Image and Document Hijacking location ~* (\.jpg|\.png|\.css)$ { if ($http_referer !~ ^(http://mydomain.com) ) { return 444; } } ## Restricted Access directory location ^~ /secure/ { allow 127.0.0.1/32; allow 10.10.10.0/24; deny all; auth_basic "RESTRICTED ACCESS"; auth_basic_user_file /var/www/htdocs/secure/access_list; } ## Only allow these full URI paths relative to document root. If you only want ## to reference the filename use $request_filename instead of $request_uri location / { if ($request_uri ~* (^\/|\.html|\.jpg|\.org|\.png|\.css|favicon\.ico|robots\.txt)$ ) { break; } return 444; } ## Serve an empty 1x1 gif _OR_ an error 204 (No Content) for favicon.ico location = /favicon.ico { #empty_gif; return 204; } ## System Maintenance (Service Unavailable) if (-f $document_root/system_maintenance.html ) { error_page 503 /system_maintenance.html; return 503; } ## All other errors get the generic error page error_page 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 495 496 497 500 501 502 503 504 505 506 507 /error_page.html; location /error_page.html { internal; } } }