Linux系统下禁止nginx空主机头

引言：为了防止域名解析恶意指向，我们需要禁止nginx默认的空主机头，操作如下
vi /usr/local/nginx/conf/nginx.conf #配置文件
找到server，添加下面这两行：
listen 80 default; #default代表默认虚拟主机
server_name _;
例如：

server {
	listen 80 default;
	server_name _;
	return 500;   #返回500错误信息
}

还可以把这些空的流量转向到某一个网站，如下设置：

server {
	listen 80 default;
	server_name _;
	rewrite ^(.*) http://某个网址 permanent;    #页面重定向
}

对于开启了https的用户，未添加https站点的域名，也可以https访问，只是会访问默认的https网站并提示不安全、域名证书不匹配。
开启SSL后https的空主机头的设置复制内容到剪贴板代码:

server {
	listen 443 default_server;
	server_name _;
	ssl on;
	ssl_certificate 随便设置一个ssl证书;
	ssl_certificate_key 随便设置一个ssl证书的key;
	return 500;
}

还可以把这些空的流量转向到某一个网站，如下设置：

server {
	listen 443 default_server;
	server_name _;
	ssl on;
	ssl_certificate 随便设置一个ssl证书;
	ssl_certificate_key 随便设置一个ssl证书的key;
	rewrite ^(.*) http://某个网址 permanent;    #页面重定向
}

附录完整的nginx.conf

worker_processes auto;
pid /tmp/nginx.pid;

events {
  worker_connections 1024;
  use epoll;
  multi_accept on;
}

http {
  client_body_temp_path /tmp/client_body_temp;
  proxy_temp_path /tmp/proxy_temp;
  fastcgi_temp_path /tmp/fastcgi_temp;
  uwsgi_temp_path /tmp/uwsgi_temp;
  scgi_temp_path /tmp/scgi_temp;
  tcp_nodelay on;
  include /etc/nginx/conf.d/*.upstream.conf;

  # this is necessary for us to be able to disable request buffering in all cases
  proxy_http_version 1.1;

  upstream core {
    server core:8080;
  }

  upstream portal {
    server portal:8080;
  }
  
  log_format timed_combined '$remote_addr - '
    '"$request" $status $body_bytes_sent '
    '"$http_referer" "$http_user_agent" '
    '$request_time $upstream_response_time $pipe';

  access_log /dev/stdout timed_combined;

  include /etc/nginx/conf.d/*.server.conf;

  server {
    listen 8443 default;
    server_name _;
    ssl on;
    ssl_certificate /etc/cert/server.crt;
    ssl_certificate_key /etc/cert/server.key;
    rewrite ^(.*) https://harbor.wxadt.cn;    #页面重定向
  }



  server {
    listen 8443 ssl;
    server_name harbor.wxadt.cn;
    server_tokens off;
    # SSL
    ssl_certificate /etc/cert/server.crt;
    ssl_certificate_key /etc/cert/server.key;
  
    # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
    ssl_protocols TLSv1.2;
    ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
  
    # disable any limits to avoid HTTP 413 for large image uploads
    client_max_body_size 0;
  
    # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
    chunked_transfer_encoding on;

    # Add extra headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
    add_header X-Frame-Options DENY;
    add_header Content-Security-Policy "frame-ancestors 'none'";
  
    # costumized location config file can place to /etc/nginx dir with prefix harbor.https. and suffix .conf
    include /etc/nginx/conf.d/harbor.https.*.conf;

    location / {
      proxy_pass http://portal/;
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      
      # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
      proxy_set_header X-Forwarded-Proto $scheme;

      proxy_cookie_path / "/; HttpOnly; Secure";

      proxy_buffering off;
      proxy_request_buffering off;
    }

    location /c/ {
      proxy_pass http://core/c/;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

      # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
      proxy_set_header X-Forwarded-Proto $scheme;

      proxy_cookie_path / "/; Secure";

      proxy_buffering off;
      proxy_request_buffering off;
    }
  
    location /api/ {
      proxy_pass http://core/api/;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

      # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
      proxy_set_header X-Forwarded-Proto $scheme;

      proxy_cookie_path / "/; Secure";
      
      proxy_buffering off;
      proxy_request_buffering off;
    }

    location /chartrepo/ {
      proxy_pass http://core/chartrepo/;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

      # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
      proxy_set_header X-Forwarded-Proto $scheme;

      proxy_cookie_path / "/; Secure";
      
      proxy_buffering off;
      proxy_request_buffering off;
    }

    location /v1/ {
      return 404;
    }

    location /v2/ {
      proxy_pass http://core/v2/;
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      
      # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_buffering off;
      proxy_request_buffering off;
    }

    location /service/ {
      proxy_pass http://core/service/;
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      
      # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
      proxy_set_header X-Forwarded-Proto $scheme;

      proxy_cookie_path / "/; Secure";

      proxy_buffering off;
      proxy_request_buffering off;
    }

    location /service/notifications {
      return 404;
    }
  }