Welcome! Log In Create A New Profile

Advanced

Re: Minor "bug" in nginx

Maxim Dounin
April 29, 2009 06:01PM
Hello!

On Wed, Apr 29, 2009 at 01:17:20PM -0700, Michael Shadle wrote:

> This is not really a 'bug' I think, but it is something that raises a
> security flag, we got dinged on it. Now, it does not appear to
> actually execute the proxy request, but it should return something
> other than HTTP 200.
>
> [mike@lvs01 ~]$ telnet test.foo.org 80
> Trying 1.2.3.4...
> Connected to test.foo.org.
> Escape character is '^]'.
> GET http://xmike.com HTTP/1.1
> Host: xmike.com
>
> HTTP/1.1 200 OK
> Server: nginx
> Date: Wed, 29 Apr 2009 20:08:16 GMT
> Content-Type: text/html; charset=utf-8
> Content-Length: 27
> Last-Modified: Tue, 09 Dec 2008 19:54:37 GMT
> Connection: keep-alive
> Accept-Ranges: bytes
>
> <html><body></body></html>
>
> ^]
> telnet> quit
>
>
> I don't believe nginx should allow for GET http://someforeignhost/
> should it? Is there an actual use model for this?

It MUST per RFC2616. There is no difference between

GET http://example.com/ HTTP/1.1
Host: ignored

and

GET / HTTP/1.1
Host: example.com

See RFC2616 for details (5.2 The Resource Identified by a Request).

And there is no such thing as "someforeignhost". Any request for
any host received by nginx will be served at least in default
server for the listen socket in question, see docs for details.
It's up to you to configure nginx to return something other than
200 for hosts not explicitly configured, e.g.:

server {
listen 80 default;
server_name_in_redirect off;

return 404;
}

server {
listen 80;
server_name one.example.com;

...
}

In the above configuration requests for one.example.com will be
served as usual, while anything other will return 404 error.

Maxim Dounin
Subject Author Posted

Minor "bug" in nginx

mike April 29, 2009 04:17PM

Re: Minor "bug" in nginx

Maxim Dounin April 29, 2009 06:01PM

Re: Minor "bug" in nginx

mike April 29, 2009 06:57PM

Re: Minor "bug" in nginx

mike April 29, 2009 08:23PM

Re: Minor "bug" in nginx

Igor Sysoev April 30, 2009 12:50AM

Re: Minor "bug" in nginx

Maxim Dounin April 29, 2009 08:13PM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 63
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready