How to stop domains from pointing to my server IP address and duplicating my site using nginx

To improve security, prevent host header attacks, and preserve your search rankings, here is what I recommend:

No default site

Simply drop all traffic not matching your genuine website. Before using the below config, execute the following example command on your server to generate self-signed "dummy" certificates which are necessary for responding to HTTPS requests.

mkdir /etc/ssl/dummy && openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/ssl/dummy/dummy.key -out /etc/ssl/dummy/dummy.crt

Now use the following two server blocks for your default site configuration.

server {
    listen [::]:80 default_server;
    listen      80 default_server;
    return 444;
}

server {
    listen     [::]:443 ssl http2 default_server;
    listen          443 ssl http2 default_server;
    ssl_certificate           /etc/ssl/dummy/dummy.crt;
    ssl_certificate_key       /etc/ssl/dummy/dummy.key;
    return 444;
}

Reload Nginx and it will drop all the copycat site connections.

Prevent framing

Somewhere in your genuine site's server block, add the following header to prevent someone embedding your site as a frame / iframe at their domain name.

add_header X-Frame-Options "SAMEORIGIN";

Canonical URLs

In the <head> section of every page, add a canonical URL link element. If every page has something like <link rel="canonical" href="https://www.your-site.com/your-page/"> then even if someone copies your site at their domain name, search engines recognise your site as the original.


It looks to me like your server is set up to redirect to HTTPS, which causes a certificate mismatch error when a visitor tries to load one of these other domains that's pointing at your IP. This is a good thing, as reputable browsers and crawlers will see the certificate mismatch and know not to "count" the content in favor of the other domains, or in the case of a browser a warning page will be shown. You should already not have to worry about any crawler issues.


If you want to take this a step further, consider configuring your server to redirect all visitors directly to your own domain. Then, whoever visits those domains will be seamlessly redirected to your own domain. This makes it even more of a "them" problem.

A default virtual server something like this could work, since you have your question tagged nginx:

server {
    listen 80 default_server;
    server_name _;

    return 301 https://droidmaze.com$request_uri;
}
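Whichever variant you deploy (the connection drop from the first answer or the redirect from the second), it is worth probing the server with foreign Host and SNI names to confirm copycat hostnames really are dropped or redirected. The following Python probe is an added example, not code from either answer; it assumes the genuine domain is droidmaze.com as in the redirect block above, and uses copycat.example as a constructed placeholder for any hostname that points at your IP.

```python
import socket
import ssl
from urllib.parse import urlsplit

def parse_response(raw):
    """(status, Location) from a raw HTTP/1.x reply; (None, None) when the server
    closed the connection without answering, which is what nginx 'return 444' does."""
    if not raw:
        return None, None
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1", "replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        return None, None
    location = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            location = value.strip()
    return int(parts[1]), location

def probe(ip, host, tls=False, timeout=5.0):
    """Request '/' from `ip` with Host (and SNI) set to `host`; return the raw reply."""
    request = f"GET / HTTP/1.0\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    sock = socket.create_connection((ip, 443 if tls else 80), timeout=timeout)
    try:
        if tls:
            ctx = ssl.create_default_context()
            ctx.check_hostname = False       # the dummy cert is untrusted by design;
            ctx.verify_mode = ssl.CERT_NONE  # we test routing, not certificate trust
            sock = ctx.wrap_socket(sock, server_hostname=host)  # SNI = copycat name
        sock.sendall(request)
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
        return b"".join(chunks)
    except OSError:  # reset, TLS EOF or timeout: treated as 'no answer'
        return b""
    finally:
        sock.close()

def verdict(genuine, host, status, location):
    """Classify what a hostname pointed at this server actually received."""
    if status is None:
        return "dropped"
    if status in (301, 302, 307, 308) and location and urlsplit(location).hostname == genuine:
        return "redirected-to-genuine"
    if host == genuine and 200 <= status < 400:
        return "served"
    return "served-copycat" if host != genuine else f"unexpected:{status}"
```

Run it as `verdict("droidmaze.com", "copycat.example", *parse_response(probe(SERVER_IP, "copycat.example", tls=True)))` for each hostname and for both `tls=False` and `tls=True`: a default server defined only on port 80, as in the second answer, leaves port 443 to whichever ssl server block nginx treats as the default, so the HTTPS probe is the one most likely to report `served-copycat`.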