Forum: NGINX Minor "bug" in nginx

Michael Shadle (Guest)
on 2009-04-29 22:26
(Received via mailing list)
This is not really a 'bug' I think, but it is something that raises a
security flag, we got dinged on it. Now, it does not appear to
actually execute the proxy request, but it should return something
other than HTTP 200.

[mike@lvs01 ~]$ telnet test.foo.org 80
Trying 1.2.3.4...
Connected to test.foo.org.
Escape character is '^]'.
GET http://xmike.com HTTP/1.1
Host: xmike.com

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 29 Apr 2009 20:08:16 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 27
Last-Modified: Tue, 09 Dec 2008 19:54:37 GMT
Connection: keep-alive
Accept-Ranges: bytes

<html><body></body></html>

^]
telnet> quit


I don't believe nginx should allow for GET http://someforeignhost/
should it? Is there an actual use model for this?

If so, I would create a configuration parameter to allow remote
connections, or something. Returning an HTTP error with something back
such as:

510 Not Extended
503 Service Unavailable
501 Not Implemented
416 Requested Range Not Satisfiable
415 Unsupported Media Type
406 Not Acceptable
405 Method Not Allowed
403 Forbidden
400 Bad Request

Would be what I would suggest...
Maxim Dounin (Guest)
on 2009-04-30 00:12
(Received via mailing list)
Hello!

On Wed, Apr 29, 2009 at 01:17:20PM -0700, Michael Shadle wrote:

> Host: xmike.com
> <html><body></body></html>
>
> ^]
> telnet> quit
>
>
> I don't believe nginx should allow for GET http://someforeignhost/
> should it? Is there an actual use model for this?

It MUST per RFC2616.  There is no difference between

GET http://example.com/ HTTP/1.1
Host: ignored

and

GET / HTTP/1.1
Host: example.com

See RFC2616 for details (5.2 The Resource Identified by a Request).

And there is no such thing as "someforeignhost".  Any request for
any host received by nginx will be served at least in default
server for the listen socket in question, see docs for details.
It's up to you to configure nginx to return something other than
200 for hosts not explicitly configured, e.g.:

    server {
        listen 80 default;
        server_name_in_redirect off;

        return 404;
    }

    server {
        listen 80;
        server_name one.example.com;

        ...
    }

In the above configuration requests for one.example.com will be
served as usual, while anything else will return a 404 error.

Maxim Dounin
Michael Shadle (Guest)
on 2009-04-30 01:15
(Received via mailing list)
On Wed, Apr 29, 2009 at 3:01 PM, Maxim Dounin <mdounin@mdounin.ru>
wrote:

> See RFC2616 for details (5.2 The Resource Identified by a Request).
Okay, I see - so it is serving up HTTP 200 because I have a "catchall"
server_name _ somewhere.

I will explain this to the "security company" that did the audit of
our server, that per RFC, it should accept this kind of request, it is
the -action- that is the issue. Maybe also we just failed because I
issued an HTTP 200 instead of a 404 due to the catchall.
Maxim Dounin (Guest)
on 2009-04-30 02:23
(Received via mailing list)
Hello!

On Wed, Apr 29, 2009 at 03:57:28PM -0700, Michael Shadle wrote:

> > Host: example.com
> >
> > See RFC2616 for details (5.2 The Resource Identified by a Request).
>
> Okay, I see - so it is serving up HTTP 200 because I have a "catchall"
> server_name _ somewhere.

No.  There is nothing special in server_name _.  It's just a name.
The default server for every listen socket is *always* present - it's
either the one with listen .. default or the first server defined with
the listen socket in question.

Maxim Dounin
Michael Shadle (Guest)
on 2009-04-30 02:30
(Received via mailing list)
Isn't this the same then?

    server {
        listen 80;
        server_name _;
    }

    server {
        listen 80 default;
    }

if you only had one of those in your config, the fallbacks would occur
to those blocks, if they did not match any others though, right?

Obviously mixing them would prefer the listen 80 default; I assume?
Igor Sysoev (Guest)
on 2009-04-30 07:03
(Received via mailing list)
On Wed, Apr 29, 2009 at 05:23:13PM -0700, Michael Shadle wrote:

>
> if you only had one of those in your config, the fallbacks would occur
> to those blocks, if they did not match any others though, right?
>
> obviously mixing them would prefer the listen 80 default; i assume?

No, these are different things. The default server for *:80 is only

 server {
  listen 80 default;
 }

or the first server listing on *:80 if you have no "default" keyword.

The "server_name _" is just invalid and so nonexistent domain name
that will never interfere with any real name.
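As an added example (not code from this thread), a small Python model of the two rules discussed above: the RFC 2616 section 5.2 rule that a host in an absolute request-URI overrides the Host header, and nginx's choice of default server (explicit "default", else the first block on the socket). The server blocks and requests are constructed for the demonstration; wildcard and regex server_names are not modelled.

```python
import re
from dataclasses import dataclass


@dataclass
class Server:
    """One nginx server block on a listen socket (simplified model)."""
    names: tuple = ()      # server_name values
    default: bool = False  # 'listen 80 default'
    status: int = 200      # what the block answers, e.g. 'return 404'


def parse_request(raw):
    """Split a raw HTTP/1.x request head into request line and headers."""
    lines = raw.strip("\r\n").split("\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0].strip(), headers


def effective_host(request_line, headers):
    """RFC 2616 5.2: a host in an absolute request-URI wins; Host is ignored."""
    _method, target, _version = request_line.split(" ", 2)
    m = re.match(r"https?://([^/:]+)", target, re.I)
    if m:
        return m.group(1).lower()
    return headers.get("host", "").split(":")[0].lower()


def default_server(servers):
    """Explicit 'listen 80 default' wins; otherwise the first block listed."""
    return next((s for s in servers if s.default), servers[0])


def select_server(servers, raw_request):
    """Pick the server block nginx would use for this request head."""
    request_line, headers = parse_request(raw_request)
    host = effective_host(request_line, headers)
    for s in servers:
        if host in (n.lower() for n in s.names):
            return s
    return default_server(servers)


# Constructed configs. WEAK: only a real vhost, so it is the implicit default
# and answers 200 for any host (what the audit flagged). HARDENED: an explicit
# default server that returns 404 for anything not named.
WEAK = [Server(("one.example.com",))]
HARDENED = [Server((), default=True, status=404), Server(("one.example.com",))]

FOREIGN = "GET http://xmike.com HTTP/1.1\nHost: xmike.com\n\n"  # constructed
ABS = "GET http://one.example.com/ HTTP/1.1\nHost: ignored\n\n"
REL = "GET / HTTP/1.1\nHost: one.example.com\n\n"
```

Running select_server(WEAK, FOREIGN) gives the 200 seen in the telnet session, while the HARDENED list gives 404; ABS and REL resolve to the same block in both.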
This topic is locked and can not be replied to.