Re: Allow internal redirect to URI x, but deny external request for x?

August 31, 2019 03:20PM
Nginx does detect these traversal attacks. They come up as a 400 error. I got two yesterday. But out of paranoia, I wouldn't leave the web root. There is always some zero day.

That traversal attack was from some new to me Hong Kong hosting company and earned a place on my firewall block. Blocking just keeps the log file size down. There will be others.

https://null-byte.wonderhowto.com/how-to/perform-directory-traversal-extract-sensitive-information-0185558/

I have run dotdotpwn. Lots of false positives. It takes forever.

On nearly a daily basis, some entity gets hacked because of a misconfiguration. So I make sure I have secured the low-hanging fruit. I watch file ownership and permissions. That is free. I don't have a WAF but I use Nginx maps and pattern match common hacks, giving them the 444. Simple stuff like if you request some WordPress feature you get flagged because I don't run WordPress. I found a list of bad user agents on GitHub that I flag on.





  Original Message  



From: hobson42@gmail.com
Sent: August 31, 2019 7:41 AM
To: nginx@nginx.org
Reply-to: nginx@nginx.org
Subject: Re: Allow internal redirect to URI x, but deny external request for x?


Hi Mark,

On 30/08/19 22:23, lists wrote:
> I've been following this thread not really out of need but rather that it is really interesting. That said, I don't think for security you want to "escape" the web root. The risk is that might aid a traversal attack.
>
>
I am curious to know how this might work. Nginx itself is safe, so it
would have to be a script. And while those may indeed be vulnerable, is
the vulnerability changed by symlinking the root elsewhere? I don't see
any difference myself, but perhaps you know something I don't.

Regards

Ian
>
>
>
>
>
>   Original Message
>
>
>
> From: hobson42@gmail.com
> Sent: August 30, 2019 12:01 PM
> To: nginx@nginx.org
> Reply-to: nginx@nginx.org
> Subject: Re: Allow internal redirect to URI x, but deny external request for x?
>
>
> Hi Lewis,
>
> On 30/08/19 18:33, J. Lewis Muir wrote:
>> Hello!
>>
>> I'm using nginx 1.12.2 on RHEL 7, and I've got a FastCGI web app that
>> uses a deployment structure which uses an atomic symlink change for an
>> atomic app deploy, and I'm wishing to be able to do an internal redirect
>> in nginx to URL x, but deny an external request to the same URL x so
>> that I don't serve the same content at more than one URL.  Is there a
>> way to do that?
>>
> You could place the different versions away from the root so they cannot
> be obtained from the web. Then they can be served by setting up a
> symlink to the desired version.
>
> This can be changed using "ln -sfn version/dir serving/root" and then
> restarting nginx to pick up the new version.
>
> By not using redirects, this method should be more efficient.
>
> Regards
>
> Ian
>
> --
> Ian Hobson
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>

--
Ian Hobson
Tel (+351) 910 418 473
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
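
The map-based filtering described in the August 31 post above, sketched as an added example that is not configuration from the thread or any of its participants. The URI patterns, the user-agent entries (placeholders), `example.com` and the root path are all assumptions.

```nginx
# Added example, not from the thread. Place inside the http {} context.
# All patterns, names and paths below are assumptions for illustration.

# Flag request URIs for software this site does not run (WordPress here).
map $request_uri $flag_uri {
    default                                     0;
    ~*^/wp-(login\.php|admin|content|includes)  1;
    ~*^/xmlrpc\.php                             1;
}

# Flag user agents taken from a locally maintained list.
# The two entries are placeholders, not real agent strings.
map $http_user_agent $flag_ua {
    default           0;
    ~*examplebadbot   1;
    ~*examplescanner  1;
}

# Combine both flags: only "00" (neither matched) is treated as clean.
map "$flag_uri$flag_ua" $drop_request {
    default  1;
    "00"     0;
}

server {
    listen      80;
    server_name example.com;
    root        /var/www/example;

    # 444 is nginx-specific: close the connection without sending a response.
    if ($drop_request) {
        return 444;
    }

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Because `$request_uri` is the raw, unnormalized request line, the patterns are anchored at the start of the path; requests dropped this way still appear in the access log with status 444, which is what makes them usable for later firewall blocking.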