Re: Nginx allowed characters inside full URL / URI and ARGS

July 14, 2017 07:56PM
I took the opposite approach. You put a funny character in the URL, you get a 444. I only allow underscore and hyphen.

For a while, I was getting fuzzed. Maybe a year ago it was a thing. Nothing bad happened, which I would say is a tribute to Nginx. I just returned 404s, but I figured I better trap this behavior before my luck runs out.
  Original Message  
From: c0nw0nk
Sent: Friday, July 14, 2017 12:58 PM
To: nginx@nginx.org
Reply To: nginx@nginx.org
Subject: Nginx allowed characters inside full URL / URI and ARGS

So I have been using Lua to iron out a few dilemmas and problems lately.

Does anyone know what characters Nginx accepts inside URLs?

I am achieving a higher cache HIT ratio by modifying the URLs with Lua but
it also helps in preventing unwanted forms of DoS.

Here is my code :

local function fix_url(str)
    -- Placeholder: each listed character currently maps to itself, so this
    -- is a no-op. Needs a pattern to remove multiple occurrences of them.
    return str:gsub("[+/=]", {["+"] = "+", ["/"] = "/", ["="] = "="})
end

-- Remove unwanted duplicated characters that users are trying to bypass
-- the cache with.
ngx.var.modified_url = fix_url(ngx.var.request_uri)

-- Make all lowercase to further increase the cache HIT ratio.
ngx.var.modified_url = string.lower(ngx.var.modified_url)


Now what I need to do is to introduce some regex to my gsub string in order
to remove multiple occurrences of those characters.

Example :

Good Link :
/index.php?page=about

Bad Link :
///InDex.PhP????PaGe===AboUt

You will notice that the good link is very friendly, whereas the Bad Link
will have the same contents served as the good link but is incredibly
dynamic and bypasses the cache each time. (That is how people are launching
their DoS attacks.)

Any help on this little project would be fantastic :)

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,275500,275500#msg-275500

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
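The two ideas in this exchange, collapsing repeated delimiters and lowercasing to get a stable cache key (the question) and refusing any URI that contains a character outside a small allow-list (the reply), fit naturally into one function. The block below is an added example written for this page; it is not code from either poster. The function and variable names are my own, the allow-list is the reply's "letters, digits, underscore, hyphen" widened with the delimiters a /index.php?page=about URL needs, and the test inputs at the bottom are constructed. It is plain Lua, so it runs under stock `lua` for testing and unchanged under OpenResty's ngx_lua.

```lua
-- Added example (not from the original thread): normalise a raw request URI
-- for use as a cache key, then enforce a strict character allow-list.
-- Names are my own choice; runs under plain `lua` and under ngx_lua.

-- Allow-list applied AFTER normalisation. Letters, digits, "_" and "-" as in
-- the reply above, plus the delimiters "/", ".", "=", "&" a PHP-style URL
-- needs. Percent-encoded bytes such as "%2F" are deliberately not allowed
-- by this strict set; widen the sets if your application needs them.
local PATH_OK  = "^[%w_%-/%.]*$"
local QUERY_OK = "^[%w_%-=&%.]*$"

-- Replace every run of the same character in `chars` with a single copy.
-- "%" in front of the character makes Lua match it literally.
local function squash_runs(s, chars)
  for _, c in ipairs(chars) do
    s = s:gsub("%" .. c .. "+", c)
  end
  return s
end

-- Returns the normalised URI, or nil plus a reason when a character outside
-- the allow-list survives normalisation (the caller decides: 444, 400, ...).
local function normalize_uri(request_uri)
  -- Split at the first "?". Any further "?" belong to the query and are
  -- collapsed below, so "/a???b=1" and "/a?b=1" end up identical.
  local path, query = request_uri:match("^([^?]*)%??(.*)$")

  path  = squash_runs(path,  { "/", "." })
  query = squash_runs(query, { "?", "=", "&" })
  query = query:gsub("^%?+", "")      -- leftover "?" from a "???" run

  -- Lowercase both halves. This assumes the backend treats paths and query
  -- values case-insensitively, as the question does; if your query values
  -- are case-sensitive, lowercase only the path.
  path, query = path:lower(), query:lower()

  if not path:match(PATH_OK) then
    return nil, "disallowed character in path"
  end
  if not query:match(QUERY_OK) then
    return nil, "disallowed character in query"
  end

  if query == "" then
    return path
  end
  return path .. "?" .. query
end

-- nginx wiring (assumes normalize_uri is exported from a module loaded with
-- require() so it is compiled once per worker, that `set $modified_url "";`
-- declares the variable, and that proxy_cache_key uses $modified_url):
--
--   location / {
--     set $modified_url "";
--     rewrite_by_lua_block {
--       local uri, err = normalize_uri(ngx.var.request_uri)
--       if not uri then
--         ngx.log(ngx.WARN, "rejected URI: ", err)
--         return ngx.exit(ngx.HTTP_CLOSE)  -- 444: drop the connection
--       end
--       ngx.var.modified_url = uri
--     }
--   }

-- Self-check when run outside nginx (the `ngx` global only exists there).
if not ngx then
  -- Constructed inputs: the "bad link" from the question, a clean one,
  -- a doubled "&", and a hostile one that must be rejected.
  assert(normalize_uri("///InDex.PhP????PaGe===AboUt") == "/index.php?page=about")
  assert(normalize_uri("/index.php?page=about") == "/index.php?page=about")
  assert(normalize_uri("/a?b=1&&c=2") == "/a?b=1&c=2")
  local ok, why = normalize_uri("/index.php?page=<script>")
  assert(ok == nil and why == "disallowed character in query")
  print("normalize_uri self-check passed")
end
```

Two caveats worth knowing before relying on this. First, `$request_uri` is the raw request line, which is why it still contains the `///` and `????`; nginx's own `$uri` is already percent-decoded and, with the default `merge_slashes on`, has adjacent slashes merged, so normalising `$request_uri` is the right choice only when the cache key must be built from what the client literally sent. Second, nginx itself accepts almost any byte in a request line apart from control characters and unescaped spaces, which it rejects with 400, so the character allow-list the reply describes has to be enforced in a layer like this one; nginx will not do it for you.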
Subject                                                      Author    Posted
Nginx allowed characters inside full URL / URI and ARGS      c0nw0nk   July 14, 2017 03:57PM
Re: Nginx allowed characters inside full URL / URI and ARGS  gariac    July 14, 2017 07:56PM
Re: Nginx allowed characters inside full URL / URI and ARGS  c0nw0nk   July 15, 2017 05:56AM
Re: Nginx allowed characters inside full URL / URI and ARGS  itpp2012  July 15, 2017 06:12AM
