Welcome! Log In Create A New Profile

Advanced

Re: [PATCH] better constrain IP-literal validation in ngx_http_validate_host()

Terence Honles
December 24, 2018 05:12PM
I'll double check the configuration we have when I get back
into work next year, but until then have a Merry Christmas /
Happy holidays!

-Terence

On Mon, Dec 24, 2018, 13:47 Terence Honles <terence@honles.com wrote:

> Yes, the regex will fail for IPv future literals, but I don't believe they
> are
> being used in practice. When they are, I'm sure the Django project will
> welcome the change to the RegEx.
>
> As for the configuration you proposed, we are already using that (with a
> 444
> instead of 404), but the IP literal will still pass through because it is a
> valid match (but an invalid hostname according to RFC 3986).
>
> -Terence
>
> On Mon, Dec 24, 2018 at 4:58 AM Maxim Dounin <mdounin@mdounin.ru> wrote:
> >
> > Hello!
> >
> > On Fri, Dec 21, 2018 at 11:59:27AM -0800, Terence Honles wrote:
> >
> > > The reason I came across this code was I have NGINX handling HTTPS, and
> > > proxying to Django via uWSGI. Django has the following RegEx [1]_.
> Which is is
> > > compliant with the IPv6 literal notation, but causes Django to report
> an
> > > error.
> >
> > Well, as far as I see the regex in question will also report an
> > error for perfectly valid IPvFuture literals.
> >
> > > While I agree, there may not be an issue of security; Any down stream
> systems
> > > may be confused and unable to handle a malformed hostname.
> >
> > If you want to prevent such names from hitting your backend
> > servers, a better solution might be to configure nginx to only
> > accept explicitly configured host names (including IP literals).
> > This is more or less trivial to configure and something you
> > probably should do anyway unless you are still supporting
> > pre-Host-header clients. E.g.:
> >
> > server {
> > listen 80 default;
> > return 404;
> > }
> >
> > server {
> > listen 80;
> > server_name example.com;
> > ...
> > }
> >
> > > Another alternative would be to rewrite the hostname to not
> > > include the "[" and "]" if it is not a valid IPv6 literal,
> >
> > Well, this _will_ be a security issue, since it can easily result
> > in different processing of names in nginx and backends.
> >
> > --
> > Maxim Dounin
> > http://mdounin.ru/
> > _______________________________________________
> > nginx-devel mailing list
> > nginx-devel@nginx.org
> > http://mailman.nginx.org/mailman/listinfo/nginx-devel
> >
>
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
Subject Author Views Posted

[PATCH] better constrain IP-literal validation in ngx_http_validate_host()

Terence Honles 201 December 16, 2018 10:20PM

Re: [PATCH] better constrain IP-literal validation in ngx_http_validate_host()

Maxim Dounin 52 December 17, 2018 11:18AM

Re: [PATCH] better constrain IP-literal validation in ngx_http_validate_host()

Terence Honles 52 December 21, 2018 03:00PM

Re: [PATCH] better constrain IP-literal validation in ngx_http_validate_host()

Maxim Dounin 66 December 24, 2018 08:00AM

Re: [PATCH] better constrain IP-literal validation in ngx_http_validate_host()

Terence Honles 51 December 24, 2018 04:48PM

Re: [PATCH] better constrain IP-literal validation in ngx_http_validate_host()

Terence Honles 52 December 24, 2018 05:12PM

Re: [PATCH] better constrain IP-literal validation in ngx_http_validate_host()

Maxim Dounin 68 December 25, 2018 10:44AM

Re: [PATCH] better constrain IP-literal validation in ngx_http_validate_host()

Terence Honles 42 February 25, 2019 03:48PM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 128
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready