Forum: NGINX How to not 'expose' directory tree by default

Posted by Jan-Philip Gehrcke (Guest)
on 2013-01-18 13:22
(Received via mailing list)
Hello,

error 403 means that the location exists and access is not allowed while
404 means that the location does not exist.

Based on this, with mostly default settings, it is (in theory) possible
to determine the directory structure below the document root via
guessing or dictionary attack. This may or may not be considered a
security risk (what do you think?).

I know that there are ways to make nginx return 404 for specific
locations, including directories. I am wondering, however, if there is
a neat approach making nginx return 404 generally for each directory
that
- has not explicitly enabled autoindex and
- contains no 'index' file (HttpIndexModule)

Thanks,

Jan-Philip
Posted by Maxim Dounin (Guest)
on 2013-01-21 01:55
(Received via mailing list)
Hello!

On Fri, Jan 18, 2013 at 01:21:44PM +0100, Jan-Philip Gehrcke wrote:

> Hello,
>
> error 403 means that the location exists and access is not allowed
> while 404 means that the location does not exist.
>
> Based on this, with mostly default settings, it is (in theory)
> possible to determine the directory structure below the document
> root via guessing or dictionary attack. This may or may not be
> considered a security risk (what do you think?).

It is always possible to determine all files available under the
document root as long as you have enough time or luck.
Directories are just a special case of files which return a directory
listing if they are requested with a trailing slash and listing is
allowed.

> I know that there are ways to make nginx return 404 for specific
> locations, including directories. I am wondering, however, if there
> is a neat approach making nginx return 404 generally for each
> directory that
> - has not explicitly enabled autoindex and
> - contains no 'index' file (HttpIndexModule)

A simple solution would be to redefine 403 to be 404, something like

    # send 403 responses through an internal redirect to /error/403
    error_page 403 = /error/403;

    location = /error/403 {
        # the "=" form above makes the final status the one returned here
        return 404;
    }

Note though, that it will still be possible to find out there is a
directory, as on a request without trailing slash a 301 redirect will
be returned with the trailing slash added.  (You may use a similar
approach to override 301 redirects as well, but it will as well
affect directories with autoindex enabled/index files present,
resulting in bad user experience.)

--
Maxim Dounin
http://nginx.com/support.html
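An offline check of the two tells Maxim describes (a 403 where a 404 is expected, and a 301 that only appends a trailing slash). This is an added example for verifying your own server's recorded responses, not code from the thread; the `Response` records and the sample paths are constructed.

```python
"""Check recorded nginx responses for signs that an existing directory can be
told apart from a non-existent path (added example, constructed sample data)."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional
from urllib.parse import urlsplit


@dataclass
class Response:
    path: str                      # request path as sent by the client
    status: int                    # HTTP status code returned
    location: Optional[str] = None  # Location header, if the server sent one


def reveals_directory(resp: Response) -> Optional[str]:
    """Return why this response discloses an existing directory, or None."""
    # A 403 tells the client the path exists but is forbidden; with the
    # error_page remapping from the thread this should have become a 404.
    if resp.status == 403:
        return "403 instead of 404: path exists but access is denied"
    # nginx answers a directory requested without a trailing slash with a
    # 301 whose Location is the same path plus "/" (usually as an absolute
    # URL), which still confirms that the directory exists.
    if resp.status == 301 and resp.location:
        if urlsplit(resp.location).path == resp.path + "/":
            return "301 adding trailing slash: directory exists"
    return None


def audit(responses: Iterable[Response]) -> Dict[str, str]:
    """Map each disclosing request path to the reason it discloses."""
    found = {}
    for r in responses:
        reason = reveals_directory(r)
        if reason:
            found[r.path] = reason
    return found


# Constructed samples: behaviour with default settings ...
DEFAULT = [
    Response("/private", 301, "http://example.test/private/"),
    Response("/private/", 403),
    Response("/nothere/", 404),
]
# ... and after mapping 403 to 404 as suggested in the thread; the 301 remains.
AFTER_FIX = [
    Response("/private", 301, "http://example.test/private/"),
    Response("/private/", 404),
    Response("/nothere/", 404),
]
```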