From bb5c94ec2c8c4955a3fd21bd1c460601889d749d Mon Sep 17 00:00:00 2001
From: Leyla Becker
Date: Mon, 27 Oct 2025 00:53:59 -0500
Subject: [PATCH] feat: added catch all route to reverse proxy that blocks connections on non specified hosts
---
 .../server/reverseProxy/reverseProxy.nix | 20 ++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/modules/nixos-modules/server/reverseProxy/reverseProxy.nix b/modules/nixos-modules/server/reverseProxy/reverseProxy.nix
index 5b8357f..eecc9bf 100644
--- a/modules/nixos-modules/server/reverseProxy/reverseProxy.nix
+++ b/modules/nixos-modules/server/reverseProxy/reverseProxy.nix
@@ -6,6 +6,11 @@
 options.services.reverseProxy = {
 enable = lib.mkEnableOption "turn on the reverse proxy";
 openFirewall = lib.mkEnableOption "open the firewall";
+ refuseUnmatchedDomains = lib.mkOption {
+ type = lib.types.bool;
+ description = "refuse connections for domains that don't match any configured virtual hosts";
+ default = true;
+ };
 ports = {
 http = lib.mkOption {
 type = lib.types.port;
@@ -96,7 +101,20 @@
 services.nginx = {
 enable = true;
 virtualHosts = lib.mkMerge (
- lib.lists.flatten (
+ (lib.optionals config.services.reverseProxy.refuseUnmatchedDomains [
+ {
+ "_" = {
+ default = true;
+ serverName = "_";
+ locations."/" = {
+ extraConfig = ''
+ return 444;
+ '';
+ };
+ };
+ }
+ ])
+ ++ lib.lists.flatten (
 lib.attrsets.mapAttrsToList (
 name: service: let
 hostConfig = {
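Review bot: The description on `refuseUnmatchedDomains` (first hunk, in `options.services.reverseProxy`) does not say what "refuse" means, and with `default = true;` every host using this module picks up the catch-all on its next rebuild. Requests that carry no configured Host name, such as access by bare IP address or a load-balancer health check, will presumably start being dropped. I would spell the behaviour out, e.g. `description = "add a default nginx virtual host that closes the connection (return 444) for any Host that matches no configured virtual host";`. Failing closed is a sensible default, but it should be stated in the option text.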
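Review bot: The catch-all `"_"` host added to the `virtualHosts` merge (second hunk) sets no TLS option, so as far as this hunk shows it only covers plain HTTP. In the NixOS nginx module a virtual host without `addSSL`, `forceSSL`, `onlySSL` or `rejectSSL` gets no listener on the HTTPS port. Unmatched names arriving over TLS would then still fall through to whichever TLS server block nginx treats as the default, which serves that host's certificate and content. If the proxied hosts are served over TLS (their host configs are outside this hunk), adding `rejectSSL = true;` next to `default = true;` makes nginx reject the handshake for unknown names. The `lib.mkMerge` expression continues past the end of the hunk.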