Welcome! Log In Create A New Profile

Advanced

Re: proxy_pass redirect for address without trailing slash disregards Host port

Jeffrey 'jf' Lim
August 24, 2019 10:02AM
On Sat, Aug 24, 2019 at 9:32 PM Jeffrey 'jf' Lim <jfs.world@gmail.com> wrote:
>
> On Sat, Aug 24, 2019 at 5:18 PM Nuno Gonçalves <nunojpg@gmail.com> wrote:
> >
> > On Sat, Aug 24, 2019 at 8:24 AM Jeffrey 'jf' Lim <jfs.world@gmail.com> wrote:
> > >
> > > The host is defined by the server, surely, and not by what the client tells the server it is? And you tell the server what host it is by the server_name directive (https://nginx.org/en/docs/http/ngx_http_core_module.html#server_name).
> >
> > That's not correct, the server is taking the Host domain part from the
> > client Host header. It's just not taking the port part.
> >
> > This inconsistency is why I believe it's a bug.
> >
> > For my exact case it was enough to set "absolute_redirect off;", since
> > only the absolute redirect is affected by this issue.
> >
>
> ok this is interesting. I see "port_in_redirect" as well
> (https://nginx.org/en/docs/http/ngx_http_core_module.html#port_in_redirect)
> as well, but from my testing (you can also verify this in the source)
> the port here would refer to the port *as specified by the server*
> (specifically the listen directive), and NOT as specified by the
> client in the Host header. The exception to 'port_in_redirect on'
> would be if the server is listening at the standard 80; you will not
> see ':80' in your redirect (i.e. no "Location:
> http://example.com:80/abcd/")
>

Sorry; actually browsing the source, and to be more specific: if SSL
*and* port 443, ':443' is not specified as well (makes sense!). If
http *and* port 80, ':80' is similarly not specified in the Location
(https://trac.nginx.org/nginx/browser/nginx/src/http/ngx_http_header_filter_module.c#L354).

You can also see from the code just above that that the port in the
Location (if any, as mentioned) is taken from the actual connection of
the server (which would be the actual port that the server took this
request at, as opposed to the port that the client is reporting).

Is this a bug? well I would say that this will only have an effect
when you have nginx behind a proxy (in your example, listening at
:8080), as opposed to hitting nginx directly with your client. I
imagine that the code was written from the perspective that you should
be hitting nginx directly (I'll leave Igor or somebody from the nginx
team to have the final word on this). While I see no security risks
redirecting based on the port that a client gives, I'm not so sure I
welcome this. But feel free to propose a directive if you want, I
guess.

-jf


> When you say that "only the absolute redirect is affected by this
> issue", I assume you mean that absolute redirects are affected
> *because* they specify the hostname (and indirectly, the port), vs
> relative redirects don't?
>
> -jf
>
>
> > Thanks,
> > Nuno
> >
> > >
> > > -jf
> > >
> > > On Sat, 24 Aug 2019, 01:39 Nuno Gonçalves, <nunojpg@gmail.com> wrote:
> > >>
> > >> I am using proxy_pass and I'm facing a issue which I'm not sure it's a bug.
> > >>
> > >> It is in regard to the behaviour specified by the documentation [1]:
> > >>
> > >> If a location is defined by a prefix string that ends with the slash
> > >> character, and requests are processed by one of proxy_pass,
> > >> fastcgi_pass, uwsgi_pass, scgi_pass, memcached_pass, or grpc_pass,
> > >> then the special processing is performed. In response to a request
> > >> with URI equal to this string, but without the trailing slash, a
> > >> permanent redirect with the code 301 will be returned to the requested
> > >> URI with the slash appended. If this is not desired, an exact match of
> > >> the URI and location could be defined like this:
> > >>
> > >> Consider that there is a proxy pass for location /abcd/ { proxy_pass
> > >> ... } for a server listening on port 80.
> > >>
> > >> If I make a request for /abcd with Host header "example.com:8080",
> > >> then I receive a 301 for example.com/abcd/ and not for the expected
> > >> example.com:8080/abcd/.
> > >>
> > >> In fact NGINX is considering the Host header domain part, but
> > >> disregarding the port part.
> > >>
> > >> I believe this is a bug.
> > >>
> > >> Thanks,
> > >> Nuno
> > >>
> > >> [1] http://nginx.org/en/docs/http/ngx_http_core_module.html
> > >> _______________________________________________
> > >> nginx mailing list
> > >> nginx@nginx.org
> > >> http://mailman.nginx.org/mailman/listinfo/nginx
> > >
> > > _______________________________________________
> > > nginx mailing list
> > > nginx@nginx.org
> > > http://mailman.nginx.org/mailman/listinfo/nginx
> > _______________________________________________
> > nginx mailing list
> > nginx@nginx.org
> > http://mailman.nginx.org/mailman/listinfo/nginx
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

proxy_pass redirect for address without trailing slash disregards Host port

Nuno Gonçalves August 23, 2019 01:40PM

Re: proxy_pass redirect for address without trailing slash disregards Host port

Jeffrey 'jf' Lim August 24, 2019 02:24AM

Re: proxy_pass redirect for address without trailing slash disregards Host port

Nuno Gonçalves August 24, 2019 05:18AM

Re: proxy_pass redirect for address without trailing slash disregards Host port

Jeffrey 'jf' Lim August 24, 2019 09:34AM

Re: proxy_pass redirect for address without trailing slash disregards Host port

Nuno Gonçalves August 24, 2019 09:36AM

Re: proxy_pass redirect for address without trailing slash disregards Host port

Jeffrey 'jf' Lim August 24, 2019 10:02AM

Re: proxy_pass redirect for address without trailing slash disregards Host port

Francis Daly August 30, 2019 03:46PM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 104
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready