server {
    listen 443 ssl;

    ssl_certificate /etc/nginx/conf.d/server.crt;
    ssl_certificate_key /etc/nginx/conf.d/server.key;

    server_name _;

   proxy_set_header Host $host;
}

If I call

curl --location 'https://my-host/test'

the $host is equal to my-host

however if I call

curl --location 'https://my-host/test' --header 'Host: wp.pl'

the $host is equal to wp.pl

I need to be aware of such a situation to have some special behaviour.
Am I able to find out that this happened?

Replies: 1 comment · 6 replies

curl --location 'https://my-host/test' -vo/dev/null
> GET /test HTTP/1.1
> Host: my-host
> user-agent: curl/7.81.0-DEV
> accept: */*
curl --location 'https://my-host/test' --header 'Host: wp.pl' -vo/dev/null
> GET /test HTTP/1.1
> Host: wp.pl
> user-agent: curl/7.81.0-DEV
> accept: */*

If you use curl to test, you will find that only the host header has domain name information, so the $host variable comes from the host header.

@HanadaLee

OK, understood. But in both cases the query landed on my server. Am I somehow able to get the host/IP that was used to initialize the connection? I believe in the case when the host was used I can get it from $ssl_server_name (with SNI), but what about the case where someone used the IP to access my server?

If you don't want someone using an IP address to access your server, you can simply deny their request.

server {
    listen *:80 default_server;
    listen *:443 ssl default_server;
    ssl_certificate xxx;
    ssl_certificate_key xxx;
    ssl_reject_handshake on;    # reject the SSL handshake when the request has no SNI or an invalid SNI (optional)
    return 403;                 # can be replaced with 444 (close the connection directly)
}

server {
    listen *:80;
    listen *:443 ssl;
    ssl_certificate xxx;
    ssl_certificate_key xxx;
    server_name my-host;
    # normal config
}
@szuwarek80

I am trying to find out whether the Host header is different than the host or IP which was used when the connection was initialized.
Am I able to do it within the server configured with server_name _;?

@HanadaLee

I am trying to find out whether the Host header is different than the host or IP which was used when the connection was initialized. Am I able to do it within the server configured with server_name _;?

Yes, but you should set this server as default_server in the listen directive.

@szuwarek80

I have only this one server.
It serves all my requests.
What I want to do is return 444 for all the requests where the host in the header was different than the host/IP used to initialize the connection.
Can you please tell me how I should extend my configuration to have it?

server {
    listen 443 ssl;

    ssl_certificate /etc/nginx/conf.d/server.crt;
    ssl_certificate_key /etc/nginx/conf.d/server.key;

    server_name _;

   proxy_set_header Host $host;
}
@HanadaLee

You may have misunderstood the cause and effect. The so-called initial connection does not require a host name, but only an IP address. The process of obtaining an IP address, that is, DNS resolution, is impossible to obtain during HTTP requests. However, since you are using HTTPS, curl will write the host name in the URL into the SNI. You can use the inconsistency between the SNI and the host to determine the connection. Otherwise, you cannot obtain the so-called "host name for initial connection".
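
An added example, not part of the original thread: one way to apply the SNI-versus-Host comparison suggested in the last reply to the single `server_name _;` server from the question. The variable name `$sni_host_mismatch` is an assumption of this example; `map`, `$ssl_server_name`, `$host` and `return 444` are standard nginx.

```nginx
# Added example (not from the thread). The map block must sit in the http
# context, for example at the top of a file included from conf.d.
#
# The key is "<SNI>:<host>". The regex captures the SNI part (everything up
# to the first colon) and requires the rest of the key to be the same string,
# compared case-insensitively (~*). Anything else counts as a mismatch.
map "$ssl_server_name:$host" $sni_host_mismatch {
    default           1;
    "~*^([^:]*):\1$"  0;
}

server {
    listen 443 ssl;

    ssl_certificate     /etc/nginx/conf.d/server.crt;
    ssl_certificate_key /etc/nginx/conf.d/server.key;

    server_name _;

    # $ssl_server_name is empty when the client sent no SNI. Clients that
    # connect by IP address do not send SNI, so those requests are treated
    # as a mismatch here as well: there is nothing to compare the Host
    # header against.
    if ($sni_host_mismatch) {
        return 444;   # close the connection without sending a response
    }

    proxy_set_header Host $host;
}
```

With this in place, the first curl call from the question (SNI `my-host`, Host `my-host`) is served, while the second (SNI `my-host`, Host `wp.pl`) has its connection closed. If HTTP/2 were enabled on the listener, clients that reuse one TLS connection for several hostnames covered by the same certificate would also trip this check.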
