How can I block requests with the wrong Host header set?
Define a default server
if you don't explicitly define a default server, nginx will implicitly use the first-found server. so, just create a server block to block unknown hosts:
server {
listen 80 default_server;
return 444;
}
(no it's not necessary to add a server_name - since it will never be a match).