Forum: NGINX I want help.

Posted by Thomas Joseph (Guest)
on 2012-12-10 19:57
(Received via mailing list)
Hello all,

What is the best way to block unexpected submissions?

For example, I have this puzzle:
((aaa=(\d{1,8}\.)+(\d{1,8}))\&(bbb=\w{10,30})\&(ccc=\d{1,10}))

aaa is a UUID, bbb is alphanumeric, ccc is just numeric.

I want to have nginx validate this regex, and one more thing: if someone crafts (ddd=xyz) into the submission URL, it has to FAIL.

Please, comments are welcome.

tjoseph.
Posted by Thomas Joseph (Guest)
on 2012-12-10 20:28
(Received via mailing list)
Did I mention that I am looking at a reverse proxy situation? No.

My mistake. I want to have a reverse proxy that would filter the incoming requests and pass on/reject them based on the rules.

[SSL enabled web-client]=>[NGINX]=>[filtering]=>[My own custom built HTTP application]
[SSL enabled web-client]<=[NGINX]<=[My own custom built HTTP application]

Thanks,

tjoseph.

Posted by Thomas Joseph (Guest)
on 2012-12-14 21:19
(Received via mailing list)
Hello all,

Want to share what I came up with.

See, I have 3 key strings, say abc, pqr and xyz.

And a valid submission will be
https://x.y.com/?abc=1.2.3.4&pqr=asdf&xyz=123888598

abc is numeric, with . in between, and ending in digit(s); think of a UUID like 2.16.840.1.113883

pqr is only alpha, but has 2 choices, asdf or lkjh

xyz is purely numeric

I do not use this for anything other than reverse proxy, if the pattern matches.

Here is what I came up with:

location / {
....
....
    # pattern quoted so the config parser reads it as one token
    if ($args ~ "^((abc=(\d+\.)+(\d+))\&(pqr=(asdf|lkjh))\&(xyz=\d+))$") {
        # $1 is the whole matched query string, forwarded as-is
        proxy_pass http://127.0.0.1:890/?$1;
    }
}

Still I cannot limit the repetition, like (abc=(\d{3,10})). Seems nginx does not support {}. Is that true?
Provided that I can predict that there cannot be more than 64 characters for abc, how do I do it?

And what about "if is evil"?

Does that make sense in 1.2.6 too??

Tell me I am wrong!!

Thanks all.

tjoseph.

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Posted by Francis Daly (Guest)
on 2012-12-14 21:52
(Received via mailing list)
On Sat, Dec 15, 2012 at 04:18:55AM +0800, Thomas Joseph wrote:

Hi there,

it seems to me that the level of application-specific control you are
looking for probably does not belong in a default nginx.conf.

The back-end application is probably the right place to do these checks.

You could try using one of the nginx embedded language modules, which
may provide more features.

Or you could try using the various $arg_* variables in a map --
http://nginx.org/r/map.

> And a valid submission will be https://x.y.com/?abc=1.2.3.4&pqr=asdf&xyz=123888598

Would https://x.y.com/?abc=1.2.3.4&xyz=123888598&pqr=asdf be
invalid? Unless you control the client, you probably don't control
the order.

> abc is numeric, with . in between, and ending in digit(s), think of a uuid like 2.16.840.1.113883
>
> pqr is only alpha, but has 2 choices, asdf or lkjh
>
> xyz is purely numeric

Untested, but something like

  map $arg_xyz $xyz_bad {
    default 1;
    ~^[0-9]+$ 0;
  }

with similar things for "abc" and "pqr", would set variables that you
could then test for.

  if ($xyz_bad) {
    return 400 "xyz is wrong";
  }

> location / {
> ....
> ....
> if ($args ~ ^((abc=(\d+\.)+(\d+))\&(pqr=(asdf|lkjh))\&(xyz=\d+))$){
> proxy_pass http://127.0.0.1:890/?$1;
> }
>
> Still I can not limit the repetition, like (abc=(\d{3,10})). Seems nginx, does not support {}. Is that true ?

I don't know; but it possibly depends on the regex library found at
compile time.

> And what about "if is evil"

Don't use "if" inside "location" unless you can explain why your usage
is correct. That's the rule I tend to use.

Good luck with it,

  f
--
Francis Daly        francis@daoine.org
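Putting the two threads of advice together (Thomas's question about `{n,m}` quantifiers and the 64-character cap on abc, and Francis's suggestion to validate each `$arg_*` through a map), here is a complete configuration as an added example. It is not code posted by either of them. It assumes the upstream listens on 127.0.0.1:890 as in Thomas's snippet, that pqr may only be "asdf" or "lkjh", that abc is a dotted number with 1-8 digits per component and at most 64 characters in total, that xyz is 1-10 digits, and that the certificate paths are placeholders. The regexes are double-quoted because an unquoted `{3,10}` is read by the nginx configuration parser as a block delimiter, which is what makes it look as though "nginx does not support {}"; the regex library is not the limit.

```nginx
# Added example, not from the thread. Goes in the http context.
# Assumed: upstream 127.0.0.1:890, pqr in {asdf, lkjh}, abc dotted number
# of at most 64 chars with 1-8 digits per component, xyz 1-10 digits,
# placeholder certificate paths.

# Exactly three "name=value" pairs, in any order. Together with the three
# required names each being present and valid (checked below), this rules
# out extra parameters such as ddd=xyz and duplicated names.
map $args $shape_bad {
    default 1;
    "~^[^&=]+=[^&]*(&[^&=]+=[^&]*){2}$" 0;
}

# abc: dotted number such as 2.16.840.1.113883. The lookahead caps the
# total length at 64 characters; the body caps each component at 8 digits.
map $arg_abc $abc_bad {
    default 1;
    "~^(?=[\d.]{1,64}$)\d{1,8}(\.\d{1,8})+$" 0;
}

# pqr: one of two fixed tokens ("~" is case-sensitive, "~*" would not be).
map $arg_pqr $pqr_bad {
    default 1;
    "~^(asdf|lkjh)$" 0;
}

# xyz: 1 to 10 digits.
map $arg_xyz $xyz_bad {
    default 1;
    "~^\d{1,10}$" 0;
}

# Fold the four flags into one so the location needs a single "if".
map "$shape_bad$abc_bad$pqr_bad$xyz_bad" $reject {
    default 1;
    "0000"  0;
}

server {
    listen 443 ssl;
    server_name x.y.com;
    ssl_certificate     /etc/nginx/ssl/x.y.com.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/ssl/x.y.com.key;   # placeholder path

    # Only the bare "/" path is proxied; every other path is refused below.
    location = / {
        # "return" is one of the documented safe directives inside "if" in
        # a location, and proxy_pass stays outside the "if" entirely.
        if ($reject) {
            return 400;
        }
        # The original request URI, query string included, is passed
        # through unchanged, so no capture group is needed.
        proxy_pass http://127.0.0.1:890;
    }

    location / {
        return 404;
    }
}
```

Two caveats worth knowing before relying on this. `$args` and `$arg_name` are not percent-decoded, so `%26` is not a pair separator and encoded digits fail `\d`; that errs on the side of rejecting. `$arg_name` looks the name up case-insensitively and returns the first occurrence, so `ABC=1.2&pqr=asdf&xyz=1` is accepted as if it were `abc=`; if the backend treats the two differently, add a case-sensitive check on `$args` or, as Francis says, validate again in the application. Check the file with `nginx -t` and then try the good URL, a reordered one, one with `ddd=xyz` appended, and one with a 65-character abc.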
Posted by Thomas Joseph (Guest)
on 2012-12-14 22:58
(Received via mailing list)
Hi,

Thanks a lot for the insight.

I have checked the order of abc, pqr and xyz, and nginx does not proxy_pass.

It does not proxy_pass if it is ab or abcd instead of abc.

It does not even match special characters.

That is good, and it is blocking a submission with additional parameters, like

https://x.y.com/?abc=1.2.3.4&pqr=asdf&xyz=12388859...

The client is typically the browser that would make an ajax call from anywhere on the Internet, but I do see someone possibly crafting a payload that could confuse the app running on 127.0.0.1.

Will definitely go through map and will get back.

Appreciate it, and thanks again, Francis.

tjoseph.



