From 2169b044d604c473afcf82f1d114c0b0f18cb7eb Mon Sep 17 00:00:00 2001
From: Carl Meyer
Date: Mon, 15 Jun 2015 16:59:34 -0600
Subject: [PATCH] Update example nginx configs to require Host match.
---
 docs/source/deploy.rst | 12 ++++++++++--
 examples/nginx.conf | 16 ++++++++++++----
 2 files changed, 22 insertions(+), 6 deletions(-)
diff --git a/docs/source/deploy.rst b/docs/source/deploy.rst
index e225c4a2..e59ae2e3 100644
--- a/docs/source/deploy.rst
+++ b/docs/source/deploy.rst
@@ -39,9 +39,17 @@ An `example configuration`_ file for fast clients with Nginx_::
 }
 server {
- listen 80 default;
+ # If no Host match, close the connection to prevent Host spoofing
+ listen 80 default_server;
+ return 444;
+ }
+
+ server {
+ listen 80;
 client_max_body_size 4G;
- server_name _;
+
+ # set the correct host(s) for your site
+ server_name example.com www.example.com;
 keepalive_timeout 5;
diff --git a/examples/nginx.conf b/examples/nginx.conf
index c27c8d3f..e4034043 100644
--- a/examples/nginx.conf
+++ b/examples/nginx.conf
@@ -70,12 +70,20 @@ http {
 }
 server {
- # listen 80 default deferred; # for Linux
- # listen 80 default accept_filter=httpready; # for FreeBSD
- listen 80 default;
+ # If no Host match, close the connection to prevent Host spoofing
+ listen 80 default_server;
+ return 444;
+ }
+
+ server {
+ # listen 80 deferred; # for Linux
+ # listen 80 accept_filter=httpready; # for FreeBSD
+ listen 80;
+
+ # set the correct host(s) for your site
+ server_name example.com www.example.com;
 client_max_body_size 4G;
- server_name _;
 # ~2 seconds is often enough for most folks to parse HTML/CSS and
 # retrieve needed images/icons/frames, connections are cheap in