nginx open reverse proxy?

Somehow, and I'm not sure how, we have configured an nginx reverse proxy that is acting as an open proxy.

The log files tells us the matching requests are going against the following conf file:

map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
}

access_log      /var/log/nginx/access.p.log;
error_log       /var/log/nginx/error.p.log;

proxy_next_upstream     error timeout invalid_header http_500 http_502 http_503 http_504;
proxy_buffers           8 32k;
proxy_buffer_size       64k;
proxy_http_version      1.1;
proxy_set_header        Host            $host;
proxy_set_header        X-Real-IP       $remote_addr;
proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_redirect          off;
proxy_set_header        Upgrade         $http_upgrade;
proxy_set_header        Connection      $connection_upgrade;

server {
        listen          80;
        server_name     ~first.*\.second\.com;

        location / {
                resolver                172.16.1.1 172.16.1.2;
                proxy_pass              http://$host;
                proxy_read_timeout      7200s;
        }
}

server {
        listen          443;
        server_name     ~first.*\.second\.com;
        ssl             on;

        location / {
                resolver                172.16.1.1 172.16.1.2;
                proxy_pass              https://$host;
                proxy_read_timeout      7200s;
        }
}

The top-level conf file looks like this:

user nginx; worker_processes 8; pid /var/run/nginx.pid;

events { worker_connections 4096; # multi_accept on; }

http {

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    gzip on;
    gzip_disable "msie6";

    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # nginx-naxsi config
    ##
    # Uncomment it if you installed nginx-naxsi
    ##

    #include /etc/nginx/naxsi_core.rules;

    ##
    # nginx-passenger config
    ##
    # Uncomment it if you installed nginx-passenger
    ##

    #passenger_root /usr;
    #passenger_ruby /usr/bin/ruby;

    ##

    include /etc/nginx/conf.d/*.conf;
    #include /etc/nginx/sites-enabled/*;

}

what here is causing this?

There is document on how nginx processes request. In particular that means if you have only one server block then all requests will end up there regardless off Host header.

In your case you want to process only requests that match your hosts and ignore others. So you have to declare another server block that will process all unmatched requests.

This should look something like this:

server {
    listen 80 default_server;
    listen 443 default_server;
    return 403;
    # or return 444; to just close connection without response.
}

server {
    listen 80;
    server_name ~first.*\.second\.com;
    ....
}

server {
    listen 443 ssl;
    server_name ~first.*\.second\.com;
    ....
}