How to stop domains from pointing to my server IP address and duplicating my site using nginx

To improve security, prevent host header attacks, and preserve your search rankings, here is what I recommend:

No default site

Simply drop all traffic not matching your genuine website. Before using the below config, execute the following example command on your server to generate self-signed "dummy" certificates which are necessary for responding to HTTPS requests.

mkdir /etc/ssl/dummy && openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/ssl/dummy/dummy.key -out /etc/ssl/dummy/dummy.crt

Now use the following two server blocks for your default site configuration.

server {
    listen [::]:80 default_server;
    listen      80 default_server;
    return 444;
}

server {
    listen     [::]:443 ssl http2 default_server;
    listen          443 ssl http2 default_server;
    ssl_certificate           /etc/ssl/dummy/dummy.crt;
    ssl_certificate_key       /etc/ssl/dummy/dummy.key;
    return 444;
}

Reload Nginx and it will drop all the copycat site connections.

Prevent framing

Somewhere in your genuine site's server block, add the following header to prevent someone embedding your site as a frame / iframe at their domain name.

add_header X-Frame-Options "SAMEORIGIN";

Canonical URLs

In the <head> section of every page, add a canonical URL link element. If every page has something like <link rel="canonical" href="https://www.your-site.com/your-page/"> then even if someone copies your site at their domain name, search engines recognise your site as the original.


It looks to me like your server is set up to redirect to HTTPS, which causes a certificate mismatch error when a visitor tries to load one of these other domains that's pointing at your IP. This is a good thing, as reputable browsers and crawlers will see the certificate mismatch and know not to "count" the content in favor of the other domains, or in the case of a browser a warning page will be shown. You should already not have to worry about any crawler issues.

If you want to take this a step further, consider configuring your server to redirect all visitors directly to your own domain. Then, whoever visits those domains will be seamlessly redirected to your own domain. This makes it even more of a "them" problem.

A default virtual server something like this could work, since you have your question tagged nginx:

server {
    listen 80 default_server;
    server_name _;

    return 301 https://droidmaze.com$request_uri;
}

Tags:

Nginx

Ubuntu

Wordpress

Related

In 2020, are browserconfig.xml and ieconfig.xml now effectively deprecated? Would it help SEO to put only keywords inside header tags and style other text beside it to look like part of the header? How the name server is resolved if its from the same domain? Special characters from ISO-8859-1 encode website come out mangled (�) in Google search results IP ADDRESS request vs. DOMAIN NAME request? Do I need an XML sitemap for just a few images and videos? Does Google index hidden pages based on direct visits on Chrome? I'm using a public device vs Keep me signed in Should I replace fillable PDFs? What should I do about spammy backlinks from suspect websites reported in Search Engine Console? Do browsers send different HTTP headers on page reload so that server side caches can be flushed? How do shared hosting providers know you own a domain when you point the DNS to their server?

Recent Posts