How to block not defined server_name in Nginx?

Solution 1:

It responds because you don't have a separate 'default' vhost configured. There is always a default, or fallback, vhost configured, so that nginx knows what to do in the event it gets a request of the type you've sent.

The nginx documentation provides a good description of how the server-name-to-vhost-matching is performed, but in short I'd recommend configuring a new vhost like this:

server {
  listen 80 default_server;
  root /usr/share/empty;
}

(You may have to create /usr/share/empty if it doesn't already exist)

This will simply serve an empty directory to anyone who hits your server with an unrecognized vhost name. You can get fancier with various sorts of error pages and whatnot if you like.