From b4c0206ed3e21f034ee3fd24c4e0c2bd4a8a8f42 Mon Sep 17 00:00:00 2001
From: colthreepv <mister.gamer@gmail.com>
Date: Wed, 26 Oct 2016 15:14:13 +0200
Subject: [PATCH] added rule to close connection on invalid or not present
 hostnames, even in SSL

---
 nginx.tmpl | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/nginx.tmpl b/nginx.tmpl
index 9eb9520..639504e 100644
--- a/nginx.tmpl
+++ b/nginx.tmpl
@@ -109,6 +109,10 @@ upstream {{ $host }} {
 {{/* Get the VIRTUAL_PROTO defined by containers w/ the same vhost, falling back to "http" */}}
 {{ $proto := or (first (groupByKeys $containers "Env.VIRTUAL_PROTO")) "http" }}
 
+{{/* Prepare hostnames to be converted in regex */}}
+{{ $http_host := replace $host "." "\\." -1 }}
+{{ $http_host := replace $http_host "," "|" -1 }}
+
 {{/* Get the HTTPS_METHOD defined by containers w/ the same vhost, falling back to "redirect" */}}
 {{ $https_method := or (first (groupByKeys $containers "Env.HTTPS_METHOD")) "redirect" }}
 
@@ -143,6 +147,10 @@ server {
 	listen 443 ssl http2 {{ $default_server }};
 	access_log /var/log/nginx/access.log vhost;
 
+	if ( $http_host !~* ^({{ $http_host }}) ) {
+		return 444;
+	}
+
 	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 	ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
 
@@ -228,6 +236,10 @@ server {
 	access_log /var/log/nginx/access.log vhost;
 	return 500;
 
+	if ( $http_host !~* ^({{ $http_host }}) ) {
+		return 444;
+	}
+
 	ssl_certificate /etc/nginx/certs/default.crt;
 	ssl_certificate_key /etc/nginx/certs/default.key;
 }