feat: added catch all route to reverse proxy that blocks connections on non specified hosts

2025-10-27 00:53:59 -05:00 · 2025-10-27 00:53:59 -05:00 · bb5c94ec2c
commit bb5c94ec2c
parent 81a6588537
1 changed files with 19 additions and 1 deletions
--- a/modules/nixos-modules/server/reverseProxy/reverseProxy.nix
+++ b/modules/nixos-modules/server/reverseProxy/reverseProxy.nix
@ -6,6 +6,11 @@
  options.services.reverseProxy = {
    enable = lib.mkEnableOption "turn on the reverse proxy";
    openFirewall = lib.mkEnableOption "open the firewall";
+    refuseUnmatchedDomains = lib.mkOption {
+      type = lib.types.bool;
+      description = "refuse connections for domains that don't match any configured virtual hosts";
+      default = true;
+    };
    ports = {
      http = lib.mkOption {
        type = lib.types.port;
@ -96,7 +101,20 @@
      services.nginx = {
        enable = true;
        virtualHosts = lib.mkMerge (
-          lib.lists.flatten (
+          (lib.optionals config.services.reverseProxy.refuseUnmatchedDomains [
+            {
+              "_" = {
+                default = true;
+                serverName = "_";
+                locations."/" = {
+                  extraConfig = ''
+                    return 444;
+                  '';
+                };
+              };
+            }
+          ])
+          ++ lib.lists.flatten (
            lib.attrsets.mapAttrsToList (
              name: service: let
                hostConfig = {