I have a single instance of nginx serving several virtual hosts with their respective domains on the same ip address. When someone tries to access my ip, they are served one of them, but since my server redirects all requests to https, those client fail. What virtual host should I serve instead? Should I use rewrite to force a specific domain?
1 Answer
Considering RFC-7230, you might just return 400 for such request:
A server MUST respond with a 400 (Bad Request) status code to any HTTP/1.1 request message that lacks a Host header field and to any request message that contains more than one Host header field or a Host header field with an invalid field-value.
Unless you have a good reason to redirect them to a specific domain.
-
Nginx is a special case since it supports a 444 (no response) code and drops the connection. This is probably what you want since it provides better security against Host header attacks. Related answer here.Tom Brossman– Tom Brossman2016-12-17 08:19:17 +00:00Commented Dec 17, 2016 at 8:19
Host:header is likely to be a (waste of time) bot anyway. I would probably configure a default virtual host that these requests get routed to.Hostheader) request in any meaningful way, unless you had a specific requirement to do so. Most shared servers I've seen just return an error-like page (default virtual host) but with a 200 OK status (not saying that is strictly correct). Some shared hosts just return the first (customers) virtual host - which is quite bad really.