feat(nginx): prevent other subdomains from being acccessed

2025-06-11 20:57:53 +08:00 · 2025-06-11 20:57:53 +08:00 · e4b260ada1
commit e4b260ada1
parent 97746093ed
1 changed files with 20 additions and 11 deletions
--- a/modules/nixos/server/web-servers/default.nix
+++ b/modules/nixos/server/web-servers/default.nix
@ -1,6 +1,18 @@
 { config, lib, ... }:
 let
  cfg = config.server.web-servers;
+  proxyPasses = builtins.listToAttrs (
+    builtins.map (proxy: {
+      name = proxy.source;
+      value = {
+        forceSSL = true;
+        enableACME = true;
+        locations."/" = {
+          proxyPass = proxy.target;
+        } // proxy.extraConfig;
+      };
+    }) cfg.nginx.proxies
+  );
 in
 {
  options.server.web-servers = {
@ -45,18 +57,15 @@ in
      ];
      services.nginx = {
        enable = true;
-        virtualHosts = builtins.listToAttrs (
-          builtins.map (proxy: {
-            name = proxy.source;
-            value = {
-              forceSSL = true;
-              enableACME = true;
-              locations."/" = {
-                proxyPass = proxy.target;
-              } // proxy.extraConfig;
+        virtualHosts = {
+          "_" = {
+            default = true;
+            rejectSSL = true;
+            locations."/" = {
+              return = "444";
            };
-          }) cfg.nginx.proxies
-        );
+          };
+        } // proxyPasses;
      };
    })
  ];