Configuration Goal
By default, an Nginx server may respond to requests made directly to the server's IP address or to any domain name that resolves to that IP but is not explicitly bound in the configuration. This can lead to security risks, duplicate content, or traffic hijacking. This guide explains how to configure Nginx to respond only to requests for your bound domain names and reject access via IP address or unbound domains.
Configuration Steps
1. Edit the Nginx Configuration
First, locate and edit your main Nginx configuration file. Common locations include:
/etc/nginx/nginx.conf
/usr/local/nginx/conf/nginx.conf
Alternatively, you can create a site-specific configuration file in /etc/nginx/sites-available/ and create a symbolic link in /etc/nginx/sites-enabled/. This example modifies the main or default site configuration.
2. Configure Your Domain Server Block
Ensure you have a standard server block configured for your website. Modify the following parameters as needed:
server {
    listen 80;
    # Replace `server_name` with your actual domain(s), space-separated
    server_name example.com www.example.com blog.example.com;
    root /var/www/your_site;
    index index.html index.htm index.php;
    # Add other configurations (location blocks, SSL, etc.) here
}
Key Points:
- The server_name directive lists the domains this block should respond to.
- For HTTPS, add a listen 443 ssl; directive and the SSL certificate paths.
3. Block IP and Unbound Domain Access
To block access via the server's IP or any domain not listed in a server_name, add a "catch-all" default server block.
Method 1: Return an Error Code (Recommended)
This method directly returns an HTTP error (e.g., 444, 403) for unauthorized requests. It's resource-efficient and secure.
server {
    listen 80 default_server;
    listen [::]:80 default_server; # IPv6
    server_name _; # Wildcard for any unmatched domain
    return 444; # Nginx-specific: closes connection
    # Alternatives: return 403; or return 500;
}
Note: return 444; is an Nginx-specific, efficient method that closes the connection without sending a response. Returning 403 Forbidden or 500 Internal Server Error is a standard alternative.
Method 2: Redirect to a Primary Domain (Use with Caution)
This redirects every unbound request to your main domain. It is not recommended as a primary security measure, because it reveals your domain to anyone who reaches the IP and the redirect itself can be abused.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://example.com$request_uri;
}
Important: If using HTTPS, ensure this default block also handles port 443 appropriately without interfering with your main HTTPS server block.
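The following is an added example, not configuration from the original guide: a catch-all pair covering both port 80 and port 443 alongside the real HTTPS site block, so that IP access and unknown SNI names are rejected on HTTPS as well. It assumes nginx 1.19.4 or newer (for ssl_reject_handshake); the domain and certificate paths are placeholders.

```nginx
# Added example (not from the original guide). Assumes nginx >= 1.19.4;
# example.com and the certificate paths below are placeholders.

# Catch-all for plain HTTP: requests to the IP address or to a Host header
# matched by no other server block land here and get the connection closed.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444;
}

# Catch-all for HTTPS: clients that send no SNI (direct IP access) or an SNI
# name matched by no other server block land here. ssl_reject_handshake aborts
# the TLS handshake before any certificate is sent, so this block needs no
# certificate and never reveals your real domain name to an IP scanner.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;
}

# The real site. Only requests whose SNI / Host matches these names reach it;
# the plain-HTTP server block from step 2 stays as it is.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;
    ssl_certificate     /etc/ssl/certs/example.com.fullchain.pem; # placeholder path
    ssl_certificate_key /etc/ssl/private/example.com.key;         # placeholder path
    root  /var/www/your_site;
    index index.html index.htm;
}
```

On nginx older than 1.19.4, ssl_reject_handshake is unavailable and a listen 443 ssl block without a certificate fails nginx -t, so the catch-all block must instead point ssl_certificate and ssl_certificate_key at a self-signed placeholder certificate. To check the 443 catch-all, run curl -k --resolve unbound.test:443:YOUR_IP https://unbound.test/ and expect a TLS handshake failure rather than a page.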
4. Test and Reload Nginx
After saving the configuration:
- Test Syntax: Run sudo nginx -t. The output should confirm "syntax is ok" and "test is successful".
- Reload Nginx: Apply the changes without downtime using sudo nginx -s reload or sudo systemctl reload nginx.
Verification
After reloading, verify the configuration:
- Access your server via its IP address using a browser or curl. Expect a 403, 500, or 444 error, or a connection reset.
- Access via a domain name not bound to the server (e.g., by modifying your hosts file). Expect the same error.
- Access via your bound domain (e.g., example.com). The website should load normally.
Summary
Adding a default_server block that returns an error code effectively blocks access to your Nginx server via its IP address or unknown domains. This is a fundamental hardening measure for production servers and makes the server's behaviour toward unexpected requests explicit rather than accidental.