NGINX filter requests to lan IP

Question

I have received several requests via NGINX that appear to be to my LAN IP 192.168.0.1 as follows:

nginx.vhost.access.log:

192.227.134.73 - - [29/Jul/2021:10:33:47 +0000] "POST /GponForm/diag_Form?style/       HTTP/1.1" 400 154 "-" "curl/7.3.2"

and from Django:

Invalid HTTP_HOST header: '192.168.0.1:443'. You may need to add '192.168.0.1' to ALLOWED_HOSTS.

My NGINX configurations as follows:

upstream django_server {
    server 127.0.0.1:8000;
}

# Catch all requests with an invalid HOST header
server {
    server_name "";
    listen 80;
        return 301 https://backoffice.example.com$request_uri;
    }

server {
    listen 80;
    # Redirect www to https
    server_name www.backoffice.example.com;
    modsecurity on;
    modsecurity_rules_file /some_directory/nginx/modsec/modsec_includes.conf;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains;" always;
    add_header X-Frame-Options "deny" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    #add_header Content-Security-Policy "script-src 'self' https://example.com https://backoffice.example.com https://fonts.gstatic.com https://code.jquery.com";
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    return 301 https://backoffice.example.com$request_uri;
}

server {
      listen 443 ssl http2;
      server_name www.backoffice.example.com backoffice.example.com;
      modsecurity on;
      modsecurity_rules_file /some_directory/nginx/modsec/modsec_includes.conf;
      add_header Strict-Transport-Security "max-age=63072000; includeSubdomains;" always;
      add_header X-Frame-Options "deny" always;
      add_header X-XSS-Protection "1; mode=block" always;
      add_header X-Content-Type-Options "nosniff" always;
      #add_header Content-Security-Policy "script-src 'self' https://example.com https://backoffice.example.com https://fonts.gstatic.com https://code.jquery.com";
      add_header Referrer-Policy "strict-origin-when-cross-origin"; 

      ssl_certificate    /etc/ssl/nginx-ssl/backofficebundle.crt;
      ssl_certificate_key    /etc/ssl/nginx-ssl/backoffice.key;
      
      access_log /some_directory/nginx/nginx.vhost.access.log;
      error_log /some_directory/nginx/nginx.vhost.error.log;

    location / {
        proxy_pass http://localhost:8000;
        proxy_pass_header Server;
            proxy_redirect off;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Scheme $scheme;
            proxy_set_header REMOTE_ADDR $remote_addr;        
}


      location /media/ {
        alias /some_directory/backoffice/media/;
        }

        location /static/ {
        alias /some_directory/backoffice/static/;
    }

}

My questions:

1. Is there any way of configuring NGINX to block requests to all LAN IP's?
2. Can this be done better by ModSecurity?

Answer 1

Is there any way of configuring NGINX to block requests to all LAN IP's?

There is, just make nginx listen only on the public IP (e.g. listen backoffice.example.com:443 ssl http2;). Although I have no idea why you'd want this…

Because if it's an internal IP it cannot be accessed externally (by definition – otherwise you wouldn't call it internal). If that would be the case you'd have more like a problem with your network/firewall.

Regarding the nginx access log, I cannot spot any problem. 192.227.134.73 is not a private IP.

Regarding the Django log, curl -H "Host: 192.168.0.1:443" https://backoffice.example.com would have caused such a request. The "Host" header is just a header after all that can contain anything.