Should nginx' default shipped fastcgi_param file updated to mitigate httpoxy?

Thomas Deutschmann
July 19, 2016 09:50AM

Hi,

I am proxy maintaining the nginx package on Gentoo.

Regarding the recent "httpoxy" problem (you already published a blog
posting [1] with instructions on how to mitigate the problem), we are
unsure if we should update our package to ship your mitigation by
default, i.e. altering your "fastcgi_param" file and adding

> fastcgi_param HTTP_PROXY "";

This would protect default configurations. However, some setups might
require a proxy, which could break when the fastcgi_param file is
sourced after the user's configuration.


From my point of view this is a user education problem: If they know
what they are doing they won't have to do anything: They should be
fine already, or at least will set their required values *after*
sourcing the default fastcgi_param file.

For Gentoo we would use our elog and/or news system to tell the user
about the changes.


However, we want to know if you, upstream, are going to change the
default shipped fastcgi_param file (don't forget the .conf file) with
the next upcoming release to include a "safer" default configuration
as well, or if there are reasons not to ship such a default and maybe
you recommend that we also do nothing.

Thanks.


[1] https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/


--
Regards,
Thomas

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
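The header-to-environment collision behind httpoxy, and what the `fastcgi_param HTTP_PROXY "";` line from the post changes, as an added illustration that is not code from the post or from nginx. It models the CGI meta-variable mapping of RFC 3875 in plain Python; the request headers, the host names and the `fastcgi_params()` helper are constructed for this example, and the rule that an explicit parameter is applied after the header-derived variables is an assumption of the model, not a statement about nginx internals.

```python
# Simplified model of how a FastCGI gateway turns request headers into
# HTTP_* meta-variables (RFC 3875 section 4.1.18). Not nginx's own code.

def cgi_meta_vars(headers):
    """Map (name, value) request headers to CGI HTTP_* meta-variables:
    upper-case the name, replace '-' with '_', prefix with HTTP_."""
    env = {}
    for name, value in headers:
        key = "HTTP_" + name.strip().upper().replace("-", "_")
        env[key] = value
    return env

def fastcgi_params(headers, extra_params=()):
    """Parameter set handed to the FastCGI application.
    extra_params stands in for explicit fastcgi_param directives; in this
    model they are applied last, so they win over header-derived values."""
    env = cgi_meta_vars(headers)
    for key, value in extra_params:
        env[key] = value
    return env

def has_proxy_header(headers):
    """Detection helper: a client-supplied 'Proxy' header is never legitimate
    and is the httpoxy trigger; log or reject requests that carry one."""
    return any(name.strip().lower() == "proxy" for name, _ in headers)

def effective_http_proxy(headers, mitigated):
    """HTTP_PROXY as seen by the application, with or without the
    fastcgi_param HTTP_PROXY "" mitigation discussed in the post."""
    extra = (("HTTP_PROXY", ""),) if mitigated else ()
    return fastcgi_params(headers, extra).get("HTTP_PROXY")

# Constructed request: a client smuggles a 'Proxy' header, which the plain
# CGI mapping turns into HTTP_PROXY, the variable libcurl-style clients
# inside the application read as their outbound proxy setting.
CONSTRUCTED_REQUEST = [
    ("Host", "app.example.test"),
    ("User-Agent", "curl/7.x"),
    ("Proxy", "http://proxy.invalid:8080"),
]

if __name__ == "__main__":
    print("unmitigated HTTP_PROXY:", effective_http_proxy(CONSTRUCTED_REQUEST, False))
    print("mitigated   HTTP_PROXY:", repr(effective_http_proxy(CONSTRUCTED_REQUEST, True)))
    print("request carries Proxy header:", has_proxy_header(CONSTRUCTED_REQUEST))
```

The ordering point raised in the post shows up directly in the model: whichever parameter is applied last decides the value, which is why a site that genuinely needs HTTP_PROXY must set it after including the default file.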
Thread (subject, author, posted, views):

Should nginx' default shipped fastcgi_param file updated to mitigate httpoxy?
  Thomas Deutschmann, July 19, 2016 09:50AM (701 views)
Re: Should nginx' default shipped fastcgi_param file updated to mitigate httpoxy?
  Maxim Dounin, July 19, 2016 10:26AM (517 views)
Re: Should nginx' default shipped fastcgi_param file updated to mitigate httpoxy?
  Thomas Deutschmann, August 09, 2016 06:12PM (266 views)
Re: Should nginx' default shipped fastcgi_param file updated to mitigate httpoxy?
  Valentin V. Bartenev, August 10, 2016 05:02AM (320 views)
Re: Should nginx' default shipped fastcgi_param file updated to mitigate httpoxy?
  Thomas Deutschmann, August 10, 2016 09:32AM (258 views)