7

I recently created an Ubuntu server and installed a LEMP stack, after which I hosted my website on the server using WordPress.

But after some time, I noticed some domains ranking in Google and loading my website.

Is there any way through which I can stop them from doing this?

Previously, I never faced such an issue.

For reference: My main domain: https://droidmaze.com

Other domains (not mine) pointing to my server IP:

http://tirtadji.com/
http://www.pisonlifetree.com

I am concerned that this can penalize my website for duplicate content.

Stephen Ostermiller
w3Abhishek

4 Answers

7

To improve security, prevent host header attacks, and preserve your search rankings, here is what I recommend:

No default site

Simply drop all traffic not matching your genuine website. Before using the below config, execute the following example command on your server to generate self-signed "dummy" certificates which are necessary for responding to HTTPS requests.

mkdir /etc/ssl/dummy && openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/ssl/dummy/dummy.key -out /etc/ssl/dummy/dummy.crt

Now use the following two server blocks for your default site configuration.

server {
    listen [::]:80 default_server;
    listen      80 default_server;
    return 444;
}

server {
    listen [::]:443 ssl http2 default_server;
    listen      443 ssl http2 default_server;
    ssl_certificate     /etc/ssl/dummy/dummy.crt;
    ssl_certificate_key /etc/ssl/dummy/dummy.key;
    return 444;
}

Reload Nginx and it will drop all the copycat site connections.

Prevent framing

Somewhere in your genuine site's server block, add the following header to prevent someone embedding your site as a frame / iframe at their domain name.

add_header X-Frame-Options "SAMEORIGIN";

Canonical URLs

In the <head> section of every page, add a canonical URL link element. If every page has something like <link rel="canonical" href="https://www.your-site.com/your-page/"> then even if someone copies your site at their domain name, search engines recognise your site as the original.

Tom Brossman
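Why the catch-all default server in the answer above works, as an added example that is not part of the original answer: a simplified Python model of how nginx picks a server block for a given Host header (exact names only; wildcard and regex names are ignored). The sample configs, the example.org and copycat.example names, and the function names are constructed for illustration.

```python
import re

# Constructed sample configs (assumptions, not from the page): example.org is the
# real site; WITH_CATCH_ALL puts a drop-everything default server in front of it.
SITE_ONLY = """
server {
    listen 80;
    server_name example.org www.example.org;
}
"""
WITH_CATCH_ALL = """
server {
    listen 80 default_server;
    return 444;
}
""" + SITE_ONLY

def parse_servers(conf):
    """Parse flat server blocks (no nested braces) into listen/name/return fields."""
    servers = []
    for body in re.findall(r"\bserver\s*\{([^{}]*)\}", conf):
        directives = [d.split() for d in body.split(";") if d.strip()]
        servers.append({
            "listens": [d[1:] for d in directives if d[0] == "listen"],
            "names": [n for d in directives if d[0] == "server_name" for n in d[1:]],
            "return": next((" ".join(d[1:]) for d in directives if d[0] == "return"), None),
        })
    return servers

def select_server(servers, host, port="80"):
    """Simplified nginx choice: exact server_name, else default_server flag, else first block."""
    def listens_on(s):
        # "80" and "[::]:80" both resolve to port "80".
        return [l for l in s["listens"] if l[0].rsplit(":", 1)[-1] == port]
    on_port = [s for s in servers if listens_on(s)]
    host = host.lower().split(":")[0]
    for s in on_port:
        if host in s["names"]:
            return s
    for s in on_port:
        if any("default_server" in l for l in listens_on(s)):
            return s
    return on_port[0] if on_port else None

def outcome(conf, host, port="80"):
    """Describe what a request carrying this Host header would receive."""
    s = select_server(parse_servers(conf), host, port)
    if s is None:
        return "no listener"
    return f"return {s['return']}" if s["return"] else "serves site content"
```

With `SITE_ONLY`, a request for `copycat.example` falls through to the first block and is served the real site; with `WITH_CATCH_ALL`, the same request lands on the default server and gets `return 444`.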
4

It looks to me like your server is set up to redirect to HTTPS, which causes a certificate mismatch error when a visitor tries to load one of these other domains that's pointing at your IP. This is a good thing, as reputable browsers and crawlers will see the certificate mismatch and know not to "count" the content in favor of the other domains, or in the case of a browser a warning page will be shown. You should already not have to worry about any crawler issues.


If you want to take this a step further, consider configuring your server to redirect all visitors directly to your own domain. Then, whoever visits those domains will be seamlessly redirected to your own domain. This makes it even more of a "them" problem.

A default virtual server something like this could work, since you have your question tagged nginx:

server {
    listen 80 default_server;
    server_name _;
    return 301 https://droidmaze.com$request_uri;
}

Maximillian Laumeister
1

If you are familiar with PHP and feel comfortable editing files, then adding custom code in index.php will do the trick just fine.

Here is what I would use in my index.php file, after the PHP open tag (<?php). Of course, replace mydomain.tld with your real domain name.

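// Stop the request when the Host header is missing or is not our own domain.
if (!isset($_SERVER['HTTP_HOST']) || $_SERVER['HTTP_HOST'] !== 'mydomain.tld') die("Domain not authorised");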

Refer here https://stackoverflow.com/a/1459794/14214571 for another code example.

Ankit Y.
1

I had this problem. Some sc###ag was my DNS for their server, there was a real danger visitors might attempt to sign in or sign up. I added the following NGINX rule, right at the bottom of the server section. The rule checks to ensure that the domain making the request is "my" domain - if it's not then it redirects the user to the correct domain.

Sure, it's a bit blunt but it worked a treat.

if ($http_host != 'my-domain-name.com') {
    return 301 https://my-domain-name.com;
}

I also followed the recommendations on this page: https://www.marksayson.com/blog/setting_http_security_headers_in_rails/

Ian Bradbury