Disable Direct IP Address Access in Nginx on Linux

Cyrus Kao20 Jan 2022

Last modified on 23 Apr 2023 @ 05:15:05.

Nginx's server_name directive indicates the domain name it's listening on. But if none of the server blocks match the incoming request, it will still fall back to the last HTTP/HTTPS server block. So direct access by IP address will probably be caught by some route instead of being dropped, which is often not ideal.

To drop the requests by IP address, we'll be creating fallback server blocks and end the connections without sending any data.

Disable IP Access in HTTP

Create a server block with the server_name of _ to catch all requests, and add default_server to the listen directive:

server {
	server_name _;

	listen 80 default_server;
	listen [::]:80 default_server; # IPv6

	return 444; # end the connection without sending any data
}
Nginx config

Disable IP Access in HTTPS

The same goes with HTTPS. However, a little workaround is needed if you're not running Nginx v1.19.4+.

To check your Nginx version:

$ nginx -v

nginx version: nginx/1.20.2
Output

Nginx v1.19.4+

Create a HTTPS server block with the ssl_reject_handshake directive set to on, which will reject TLS/SSL handshake since we're not going to send any data in this route:

server {
	server_name _;

	listen 443 ssl http2 default_server;
	listen [::]:443 ssl http2 default_server; # IPv6

	ssl_reject_handshake on; # reject ssl handshake

	return 444; # end the connection without sending any data
}
Nginx config

Legacy Nginx

We'll be using self-signed certificate for the HTTPS server block, since Nginx will throw an error if you're not providing certificates to a server block with ssl on.

Use openssl to generate a certificate that lasts 100 years, so we won't need to renew it:

$ sudo openssl req -x509 -nodes -newkey -days 36500 rsa:4096 -keyout /etc/nginx/self_signed.key -out /etc/nginx/self_signed.crt

Change the output locations if you like.

Create a server block with the certificate:

server {
	server_name _;

	listen 443 ssl http2 default_server;
	listen [::]:443 ssl http2 default_server; # IPv6

  ssl_certificate /etc/nginx/self_signed.crt;
  ssl_certificate_key /etc/nginx/self_signed.key;

	return 444; # end the connection without sending any data
}
Nginx config

Finishing Up

Reload your Nginx's configuration:

$ sudo nginx -s reload

Comments

Auto-Renew Let's Encrypt Free Certificates for Nginx on Linux

More than 75% of all websites use HTTPS nowadays. Serving content over HTTPS is not only good practice for search engine optimization (SEO), but essential for security reasons, especially for those requests containing sensitive information.

Uninstall Nginx Completely on Debian/Ubuntu-Based Linux

This guide will cover how to completely uninstall the Nginx web server (including its dependencies, modules, configuration files and logs) on Debian/Ubuntu-based Linux distros (e.g. Linux Mint, Pop!_OS, Elementary OS). It's useful when you're trying to reinstall a clean Nginx server.

Install Latest Version of Nginx on Linux (Debian/Ubuntu)

The Nginx installed by the package manager (apt) is usually pretty outdated. Currently, v1.20.2 is the stable version of Nginx and Ubuntu LTS 20.04 (Focal) comes with version v1.18.0. Although to stay on the bleeding edge is never the goal of the Debian/Ubuntu release schedule, there are still some ways to obtain the latest version of Ngnix.

Change DNS Servers (IPv4, IPv6) on Linux

In my opinion, changing DNS servers on Linux is even easier than in Windows. As you only need to do it once and it applies to all the network interfaces. In this guide we'll be covering how to configure DNS servers on all Linux distros and prevent DNS settings from changing by other services.

Table of Contents