Hello!
On Fri, Dec 21, 2018 at 11:59:27AM -0800, Terence Honles wrote:
> The reason I came across this code was I have NGINX handling HTTPS, and
> proxying to Django via uWSGI. Django has the following RegEx [1]_. Which is is
> compliant with the IPv6 literal notation, but causes Django to report an
> error.
Well, as far as I see the regex in question will also report an
error for perfectly valid IPvFuture literals.
> While I agree, there may not be an issue of security; Any down stream systems
> may be confused and unable to handle a malformed hostname.
If you want to prevent such names from hitting your backend
servers, a better solution might be to configure nginx to only
accept explicitly configured host names (including IP literals).
This is more or less trivial to configure and something you
probably should do anyway unless you are still supporting
pre-Host-header clients. E.g.:
server {
listen 80 default;
return 404;
}
server {
listen 80;
server_name example.com;
...
}
> Another alternative would be to rewrite the hostname to not
> include the "[" and "]" if it is not a valid IPv6 literal,
Well, this _will_ be a security issue, since it can easily result
in different processing of names in nginx and backends.
--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel