How to stop requests with empty or incorrect host header

Handle domains that are not defined in the configuration using dedicated backend.

HAProxy version.

$ sudo haproxy -v
HA-Proxy version 1.8.19-1 2019/02/12
Copyright 2000-2019 Willy Tarreau <willy@haproxy.org>

Create backend dedicated to handle domains that are not defined in the configuration and set it as the default backend.

backend backend-no-match
  http-request deny deny_status 400

Sample frontend and backend configuration using this solution.

frontend web-frontend
  bind :80
  #bind :443 ssl crt /etc/ssl/cert/
  mode http
  acl is-production hdr_dom(host) -i www.example.org
  acl is-staging    hdr_dom(host) -i staging.example.org
  acl is-monitoring hdr_dom(host) -i monitoring.example.org
  use_backend backend-local-production if is-production
  use_backend backend-local-staging    if is-staging
  use_backend backend-local-monitoring if is-monitoring
  default_backend backend-no-match
backend backend-local-production
  server production-a 192.0.2.11:80
  server production-b 192.0.2.12:80
backend backend-local-staging
  server staging-a 192.0.2.21:80
backend backend-local-monitoring
  server monitoring 192.0.2.240:80
backend backend-no-match
  http-request deny deny_status 400

This configuration will immediately stop requests with empty or incorrect host header.

$ curl -H "Host: test.example.org" http://192.0.2.5
<html><body><h1>400 Bad request</h1>
Your browser sent an invalid request.
</body></html>

$ curl http://192.0.2.5
<html><body><h1>400 Bad request</h1>
Your browser sent an invalid request.
</body></html>

It is a good practice to use this type of definition as it can save you the trouble later on.