I have the following nginx configuration:

if ($host != mydomain.com) {
 return 403;
}

When I hit the URL http://127.0.0.1/test/test2/index.php (from Postman) I get 403. Fine. But when I add a Host -> mydomain.com header, I get 200.

When I added add_header Host "$host"; to the nginx configuration, I noticed in the response that nginx has mydomain.com in its $host variable. I know that intentionally setting the Host header in the HTTP request overrides 127.0.0.1, according to the nginx documentation.

But in this way an attacker can send requests directly to the web server, bypassing the Cloudflare WAF. So what is the solution to block such requests in nginx?

I have tried the following solutions, but they didn't work for me:

https://www.digitalocean.com/community/questions/how-to-block-access-using-the-server-ip-in-nginx
https://blog.knoldus.com/nginx-disable-direct-access-via-http-and-https-to-a-website-using-ip/

neuro

2 Answers

When I hit the URL http://127.0.0.1/test/test2/index.php (from Postman) I get 403. Fine. But when I add a Host -> mydomain.com header, I get 200.

If I understand correctly, you seem to think that "adding a Host" header to your request is somehow a bypass. It's not ... it's how hostnames work in HTTP.

A server doesn't magically know that you typed http://domain.tld/test/ in your browser address bar. Your browser makes a DNS lookup for domain.tld and establishes a TCP connection with the resolved IP address; it then sends headers, which is where the server gets the information from:

GET /test/ HTTP/1.1
Host: domain.tld

That's the only way the server knows you requested http://domain.tld/test/.

Narf


Add this block:

server {
    listen      80 default_server;
    server_name "";
    return      444;
}

OR

server {
    listen      80 default_server;
    listen      [::]:80 default_server;
    server_name _;
    return      444;
}

The "default_server" parameter cannot be present in any other server block. (See also: NGINX Block direct IP access.)
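A default_server catch-all only handles requests whose Host header matches no server_name. As the question itself observed, a request sent straight to the origin with Host: mydomain.com still lands in the real server block and gets 200, so to keep traffic from bypassing Cloudflare the origin also has to check where the TCP connection comes from. The configuration below is an added example, not code from the question or either answer: it combines the 444 catch-all with a source-address check that only admits connections from Cloudflare's edge. It assumes nginx 1.9.7 or later (for $realip_remote_addr), a site rooted at /var/www/mydomain.com, and that the CIDR ranges shown (illustrative placeholders) are replaced with the full, current list published at https://www.cloudflare.com/ips/. Both the geo map and the server blocks go inside the http { } context.

```nginx
# Added example (not from the question or either answer).
# Assumes: nginx >= 1.9.7, site at /var/www/mydomain.com, and that the CIDRs
# below are placeholders to be replaced by the current list from
# https://www.cloudflare.com/ips/ (they are not maintained here).

# Classify the address nginx actually accepted the TCP connection from.
# $realip_remote_addr is used deliberately instead of $remote_addr: once the
# realip module below substitutes CF-Connecting-IP into $remote_addr, a
# plain allow/deny on $remote_addr would see the end user's address and
# reject every legitimate request that came through Cloudflare.
geo $realip_remote_addr $from_cloudflare {
    default          0;
    173.245.48.0/20  1;   # placeholder, see lead-in
    103.21.244.0/22  1;   # placeholder
    2400:cb00::/32   1;   # placeholder
}

# Catch-all for requests whose Host matches no server_name: raw IP, empty
# Host, or an arbitrary domain. 444 closes the connection without a response.
server {
    listen      80 default_server;
    listen      [::]:80 default_server;
    server_name _;
    return      444;
}

server {
    listen      80;
    listen      [::]:80;
    server_name mydomain.com;

    # Restore the end user's address from CF-Connecting-IP, but only trust
    # that header on connections that really originate at a Cloudflare edge.
    # Same placeholder list as in the geo block above.
    set_real_ip_from 173.245.48.0/20;
    set_real_ip_from 103.21.244.0/22;
    set_real_ip_from 2400:cb00::/32;
    real_ip_header   CF-Connecting-IP;

    # A spoofed "Host: mydomain.com" sent directly to the origin matches this
    # block, so the Host check alone is no defence. Reject any request whose
    # TCP peer is not a Cloudflare address, regardless of the Host header.
    if ($from_cloudflare = 0) {
        return 403;
    }

    root  /var/www/mydomain.com;
    index index.php index.html;

    location / {
        try_files $uri $uri/ =404;
    }
}
```

After reloading, a direct request such as `curl -H 'Host: mydomain.com' http://<origin-ip>/` from a non-Cloudflare address gets 403, while the same request without a matching Host gets the connection dropped (444); only connections from the listed edge ranges reach the site. The list of Cloudflare ranges changes over time and has to be refreshed, so for a stronger guarantee that does not depend on IP lists, Cloudflare's Authenticated Origin Pulls (the edge presents a client certificate that the origin verifies with ssl_verify_client) can be used instead of, or in addition to, this check.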