I know that this too late to answer this question , however I put this answer which may be useful for newcommers.
First, We should know why nginx pass the requests to my app while I set a different host name for it.
That is because nginx tries to match the requested host to the nearest defined server block, if there is no match, it will fallback to the default, if there is no default server ( my case ) it will use the first defined VPS ( strange behaviour but thus is the fact )
By knowing this, We solve the half of the problem by adding such block as follow:
server {
listen 80 default_server;
return 444;
}
This block will catch all requests that dosen’t match the defined VPS.
We can improve it more by listening to 443 port also and return 444 response.
Be careful as NGINX includes a default server block in /etc/nginx/sites-available/default. Delete this file (or comment out the default server block) first and, as always, test with sudo nginx -t. If more than one default_server definition exists, nginx will fail to start with a duplicate server error.
The seond half of the puzzle is to add a line similar to this line in each server block:
server {
...
## Deny illegal Host headers
if ($host !~*
^(yourdomain.com|www.yourdomain.com)$ )
{
return 444;
}
}
This will catch the sneaky requests when someone manually make request to your server & set header “host” value to another host.
This is done simply by httpie like:
http yourdomain.com host:another_domain.com
Or by cUrl like:
curl --header "host: another_domain.com" -v yourdomain.com
You can reproduce the error by making requests like this to your server & compare the difference.
N.B: I don’t know what is the vulnerability they are trying to introduce by setting the host header, but the solution is mentioned above.
Finally, I don’t think that silencing the error is a good choice.
Thus answe was collected from several answers in the stackoverflow, django documentation, aws:repost & some blog articles.