I have already added the following to my nginx config to deal with spoofed domains:
    # Close the connection (444) unless Host is our domain, one of its subdomains, or a bare IPv4 address.
    # Dots are escaped so "badexample.org" or "exampleXorg" no longer slip through.
    if ($host !~* ^((.*\.)?example\.org|\d+\.\d+\.\d+\.\d+)$ ) {
        return 444;
    }
Right now it whitelists IP addresses since I need to accept them for certain requests.
This is behind an AWS ELB, so it needs to respond to an IP address as well.
Ideally I'd like it to only accept its own public and its own private IP address. However, I don't want to hard code this into the configuration as these are AWS instances.
So I guess I'm wondering if anyone has come up with a solution for blocking spoofed host headers that specifically limits to the desired IPs.
Best idea I can come up with is a script that generates the config files, adding in the correct IPs at startup, and then copying them over to the nginx config folder. But I feel like there must be a more elegant solution that doesn't require me to write a startup script.
The why
Since someone asked why I want to do this, I have basically two goals:
- eliminate the Django errors I receive as a result of HOST_HEADER SuspiciousOperation errors
- prevent bots (which make up 99.9% of these spoof requests) from even reaching my web app layer.
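An added example, not part of the question above and not code from the asker or from nginx: a POSIX shell start-up script that does what the question sketches, namely reads the instance's own private and public IPv4 addresses from the EC2 instance metadata service (IMDSv2) and renders the host-header guard with exactly those addresses instead of the broad `\d+\.\d+\.\d+\.\d+` pattern. It assumes curl is installed, IMDSv2 is reachable at its standard address 169.254.169.254, and nginx picks up `/etc/nginx/conf.d/*.conf`; the file name `host-guard.conf` and the `host_allowed` helper are my own choices.

```shell
#!/bin/sh
# Added example: render an nginx Host-header guard from EC2 instance metadata.
# Assumptions (not from the original post): curl present, IMDSv2 reachable at
# 169.254.169.254, nginx includes /etc/nginx/conf.d/*.conf.
set -eu

IMDS="http://169.254.169.254"

# Escape every '.' so a domain or IP is matched literally inside the regex.
escape_dots() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# Build the anchored regex $host must satisfy: the domain and its subdomains
# plus each IP passed after it; empty IPs (no public address) are skipped.
build_allowed_hosts_regex() {
    domain=$(escape_dots "$1"); shift
    alts="(.*\\.)?${domain}"
    for ip in "$@"; do
        [ -n "$ip" ] && alts="${alts}|$(escape_dots "$ip")"
    done
    printf '^(%s)$' "$alts"
}

# Emit the nginx snippet: any other Host value gets 444 (connection closed).
render_nginx_snippet() {
    regex=$(build_allowed_hosts_regex "$@")
    printf 'if ($host !~* %s ) {\n    return 444;\n}\n' "$regex"
}

# Local check: does a Host value satisfy the generated regex? (grep -E reads
# the same syntax nginx's PCRE does for this pattern; -i mirrors nginx's ~*.)
host_allowed() {
    printf '%s\n' "$2" | grep -Eqi -- "$1"
}

# Fetch the instance's own private and public IPv4 via IMDSv2 (token first).
# public-ipv4 is absent on instances without one; that yields an empty field.
fetch_instance_ips() {
    token=$(curl -sf -X PUT "$IMDS/latest/api/token" \
        -H "X-aws-ec2-metadata-token-ttl-seconds: 60")
    private_ip=$(curl -sf -H "X-aws-ec2-metadata-token: $token" \
        "$IMDS/latest/meta-data/local-ipv4")
    public_ip=$(curl -sf -H "X-aws-ec2-metadata-token: $token" \
        "$IMDS/latest/meta-data/public-ipv4" || true)
    printf '%s %s' "$private_ip" "$public_ip"
}

# Usage: sh host-guard.sh example.org [/etc/nginx/conf.d/host-guard.conf]
main() {
    domain=$1
    out=${2:-/etc/nginx/conf.d/host-guard.conf}
    set -- $(fetch_instance_ips)          # word-split into private/public IP
    render_nginx_snippet "$domain" "$@" > "$out"
    nginx -t && nginx -s reload           # validate before reloading
}

# Run only when a domain argument is given, so the file can also be sourced.
case "${1:-}" in
    "") ;;
    *) main "$@" ;;
esac
```

Run it from the instance's user data or a systemd unit before nginx starts; because the rendered file is regenerated on every boot, the addresses never have to be hard-coded, and `nginx -t` keeps a bad render from taking the server down.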