this post was submitted on 17 Sep 2024
1 points (100.0% liked)

nginx

4 readers
1 users here now

The nginx community on Reddit. Reddit gives you the best of the internet in one place.

founded 1 year ago
MODERATORS
[email protected]
1
How can I prevent HTTP access via IP address instead of a domain name? (zerobytes.monster)
submitted 2 months ago by [email protected] to c/[email protected]
0 comments fedilink hide all child comments
 
The original post: /r/nginx by /u/TheRealThrowAwayX on 2024-09-17 15:14:30.

I thought I was successful in setting up nginx.conf such that only https requests are allowed, and when I navigate to my site using the domain name http://mydomain.com it indeed forces it to connect as https. However, when viewing logs today, I saw that someone successfully connected via http by supplying the ip address instead of the domain name - http://my.ip.address, and it connects just fine over http.

After some reading, I added default_server and server_name catchall:

server {
    listen 80 default_server;
    server_name _;

but that didn't do anything.

Here is my full config if anyone can spot anything wrong or incorrect or missing?

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
  worker_connections 1024;
}

http {
  default_type application/octet-stream;

  # Nginx version disclosure
  server_tokens off;

  # Limit request body
  client_max_body_size 50M;
  client_body_buffer_size 1k;

  # upstreams for Gunicorn and frontend
  upstream backend {
    server backend:8000; 
  }

  upstream frontend {
    server frontend:5173; 
  }

  server {
    listen 80 default_server;
    server_name _;

    # Redirect HTTP to HTTPS
    location / {
      return 301 https://$host$request_uri;
    }

    # Serve the Certbot challenge
    location /.well-known/acme-challenge/ {
      root /var/lib/letsencrypt;
    }

  }

  server {
    listen 443 ssl;
    server_name www.mydomainname.co.uk mydomainname.co.uk;

    # SSL config
    ssl_certificate /etc/letsencrypt/live/www.mydomainname.co.uk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.mydomainname.co.uk/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:T ...
    ssl_prefer_server_ciphers on;

    # Serve static 
    location /static/ {
      include /etc/nginx/mime.types;
      alias /usr/src/app/static/;
      expires 1d;
      add_header Cache-Control "public";
    }

    # Proxy requests to Gunicorn
    location /api {
      proxy_pass http://backend;
      proxy_http_version 1.1;
      proxy_redirect off;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Host $server_name;
    }

    location /admin {
      proxy_pass http://backend;
      proxy_http_version 1.1;
      proxy_redirect off;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Host $server_name;
    }

    # Proxy requests to frontend
    location / {
      proxy_pass http://frontend;
      proxy_http_version 1.1;
      proxy_redirect off;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Host $server_name;
    }
  }
}
no comments (yet)
sorted by: hot top controversial new old
there doesn't seem to be anything here