From f8de5f317fc177c3754e5d1e5616982f94457023 Mon Sep 17 00:00:00 2001
From: reidlab
Date: Fri, 21 Jun 2024 22:53:37 -0700
Subject: [PATCH] prevent hostless access
---
 modules/services/nginx-conf.nix | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/modules/services/nginx-conf.nix b/modules/services/nginx-conf.nix
index 7692c34..2a92d9a 100755
--- a/modules/services/nginx-conf.nix
+++ b/modules/services/nginx-conf.nix
@@ -107,6 +107,14 @@ in {
 ${realIpsFromList cfipv6}
 real_ip_header CF-Connecting-IP;
 '';
+
+ # prevent leaking domain through direct ip access or no host
+ # generally a good idea to keep this
+ virtualHosts."_"= {
+ default = true;
+ rejectSSL = true;
+ locations."/".return = 444;
+ };
 };
 
 networking.firewall.allowedTCPPorts = [ 443 80 ];
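Review bot: The comment on the new `virtualHosts."_"` block promises more than the block delivers, because a catch-all vhost only handles requests whose Host or SNI matches no configured vhost; a client that already knows the domain still reaches the origin directly, and the trailing context line keeps 80 and 443 open to every source. If the origin is meant to be reachable only through Cloudflare (inferred from the `CF-Connecting-IP` context, not shown in full here), consider as a follow-up restricting those ports to the Cloudflare ranges this module already carries, or requiring authenticated origin pulls. I would reword the comment to say what each option does, e.g. `# catch-all vhost: rejectSSL aborts TLS handshakes for unknown/missing SNI so no other vhost's certificate is served; 444 drops plain-HTTP requests without a response`. `rejectSSL` relies on nginx's `ssl_reject_handshake` (nginx 1.19.4 or later), and `default` applies per listen socket, so any vhost with custom `listen` entries outside this hunk should be checked against it. The enclosing attribute set opens before the hunk.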