From 492d6bd3f9e15a071ce26d332ac7a300c4f1f952 Mon Sep 17 00:00:00 2001
From: leic4u <32786903+leic4u@users.noreply.github.com>
Date: Sat, 15 Jun 2024 15:48:50 +0800
Subject: [PATCH] Add reject for unknown server_name to prevent malicious DNS

Add reject for unknown server_name to prevent malicious DNS
---
 resources/docker/nginx-ui.conf | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/resources/docker/nginx-ui.conf b/resources/docker/nginx-ui.conf
index ec0d062a..4eacd6e7 100644
--- a/resources/docker/nginx-ui.conf
+++ b/resources/docker/nginx-ui.conf
@@ -19,3 +19,20 @@ server {
 proxy_pass http://127.0.0.1:9000/;
 }
 }
+
+# 拒绝空主机头,防止其他域名恶意解析
+# Reject unknown server_name to prevent malicious DNS
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+ server_name _;
+ return 500;
+}
+
+server {
+ listen 443 ssl default_server;
+ listen [::]:443 ssl default_server;
+ http2 on;
+ server_name _;
+ ssl_reject_handshake on;
+}
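Review bot: The port-80 catch-all answers unmatched Host headers with `return 500;`, which still sends a full error response and reads as a server fault in monitoring; nginx's non-standard `return 444;` closes the connection without replying and is the usual choice for a reject-by-default block. In the 443 block, `http2 on;` appears to serve no purpose once `ssl_reject_handshake on;` refuses every handshake that lands there, and it ties the file to nginx 1.25.1 or later, so I would drop that line (the image's nginx version is not visible here). The first `server` block starts outside this hunk, so its `listen` and `server_name` lines are not shown: the catch-all only protects the UI if that block names the real hostname, and anyone who currently reaches the UI by IP address or an unlisted name will presumably land in the reject block after this change. The English comment would be more accurate as `# Catch-all default servers: reject requests whose Host/SNI matches no configured server_name`.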