I was noticing my nginx log file fill up with requests for a site who
had misconfigured their DNS. Normally I wouldn’t worry about it, but it
became quickly evident that the domain was used for an image server for
a parent site. There were thousands of RPS that I really didn’t need.
All I did was add the following expression to my nginx.conf file.
Server {
...snip...
## Deny illegal Host headers
if ($host !~* ^(mydomain.com|www.mydomain.com)$ ) {
return 444;
}
...snip...
}Now if you look at the code, you may be thinking “But Jared, what is a 444 error? That is totally not valid bro.” And indeed, you are correct. But here is what the nginx documentation has to say about it.
“Furthermore, nonstandard code 444 closes the connection without sending any headers.”
So basically, my expression above, in plain english, is saying.
“If you are not making a request using the valid hostname of my
server, then I’m just going to close the connection and return you
nothing. nada. zip.”
For the record, I got a lot of value out of this article over @ calomel.org, but the site seems to have issues so I
copy/pasted their nginx.conf file here for historical purposes.
## Compression
gzip on;
gzip_static on;
gzip_buffers 16 8k;
gzip_comp_level 9;
gzip_http_version 1.0;
gzip_min_length 0;
gzip_types text/plain text/html text/css image/x-icon image/bmp;
gzip_vary on;
## Log Format
log_format main '$remote_addr $host $remote_user [$time_local] "$request"
$status $body_bytes_sent "$http_referer" "$http_user_agent" $ssl_cipher $request_time';
## Deny access to any host other than (www.)mydomain.com
server {
server_name _; #default
return 444;
}
## Server (www.)mydomain.com
server {
add_header Cache-Control public;
access_log /var/log/nginx/access.log main buffer=32k;
error_log /var/log/nginx/error.log info;
expires 31d;
limit_conn gulag 5;
listen 127.0.0.1:8080 rcvbuf=64k backlog=128;
root /htdocs;
server_name mydomain.com www.mydomain;
## Only allow GET and HEAD request methods
if ($request_method !~ ^(GET|HEAD)$ ) {
return 444;
}
## Deny illegal Host headers
if ($host !~* ^(mydomain.com|www.mydomain.com)$ ) {
return 444;
}
## Deny certain User-Agents (case insensitive)
## The ~* makes it case insensitive as opposed to just a ~
if ($http_user_agent ~* (Baiduspider|Jullo) ) {
return 444;
}
## Deny certain Referers (case insensitive)
## The ~* makes it case insensitive as opposed to just a ~
if ($http_referer ~* (babes|click|diamond|forsale|girl|jewelry|love|nudit|organic|poker|porn|poweroversoftware|sex|teen|video|webcam|zippo) ) {
return 444;
}
## Redirect from www to non-www
if ($host = 'www.mydomain.com' ) {
rewrite ^/(.*)$ http://mydomain.com/$1 permanent;
}
## Stop Image and Document Hijacking
location ~* (\.jpg|\.png|\.css)$ {
if ($http_referer !~ ^(http://mydomain.com) ) {
return 444;
}
}
## Restricted Access directory
location ^~ /secure/ {
allow 127.0.0.1/32;
allow 10.10.10.0/24;
deny all;
auth_basic "RESTRICTED ACCESS";
auth_basic_user_file /var/www/htdocs/secure/access_list;
}
## Only allow these full URI paths relative to document root. If you only want
## to reference the filename use $request_filename instead of $request_uri
location / {
if ($request_uri ~* (^\/|\.html|\.jpg|\.org|\.png|\.css|favicon\.ico|robots\.txt)$ ) {
break;
}
return 444;
}
## Serve an empty 1x1 gif _OR_ an error 204 (No Content) for favicon.ico
location = /favicon.ico {
#empty_gif;
return 204;
}
## System Maintenance (Service Unavailable)
if (-f $document_root/system_maintenance.html ) {
error_page 503 /system_maintenance.html;
return 503;
}
## All other errors get the generic error page
error_page 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 495 496 497
500 501 502 503 504 505 506 507 /error_page.html;
location /error_page.html {
internal;
}
}
}