Should nginx's default shipped fastcgi_param file be updated to mitigate httpoxy?
whissi at whissi.de
Tue Jul 19 13:48:16 UTC 2016
I am proxy-maintaining the nginx package on Gentoo.
Regarding the recent "httpoxy" problem (you already published a blog
posting with instructions on how to mitigate the problem), we are
unsure if we should update our package to ship your mitigation by
default, i.e. altering your "fastcgi_param" file and adding
> fastcgi_param HTTP_PROXY "";
This would protect default configurations. However, some setups might
require a proxy, which could break when the fastcgi_param file is
sourced after the user's configuration.
From my point of view this is a user education problem: if they know
what they are doing they won't have to do anything: they should be
fine already, or at least will set their required values *after*
sourcing the default fastcgi_param file.
For Gentoo we would use our elog and/or news system to tell the user
about the changes.
However we want to know if you, upstream, are going to change the
default shipped fastcgi_param file (don't forget the .conf file) with
the next upcoming release to include a "safer" default configuration
as well or if there are reasons not to ship such a default and maybe
you recommend us also to do nothing.
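For reference, this is what the mitigation discussed in the mail looks like in a shipped fastcgi_params file, together with a site configuration for an application that genuinely needs an outbound proxy. It is an added illustration, not text from the original mail or from the nginx project; the file paths, the server name, the proxy URL and the php-fpm socket are assumptions.

```nginx
# Distribution default, assumed path: /etc/nginx/fastcgi_params
#
# Setting HTTP_PROXY explicitly does two things: the backend receives the
# empty value, and nginx stops forwarding the client's "Proxy:" request
# header as HTTP_PROXY (an explicit fastcgi_param for an HTTP_* name takes
# the place of the matching request header). That is the httpoxy fix.
fastcgi_param  HTTP_PROXY         "";
fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;
fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  SERVER_NAME        $server_name;

# Site configuration, assumed path: /etc/nginx/conf.d/example.conf
server {
    listen       80;
    server_name  example.com;   # assumed

    location ~ \.php$ {
        include fastcgi_params;   # pulls in HTTP_PROXY "" from above

        # An application that really needs a proxy sets its own value
        # *after* the include, as the mail suggests. Because the name is
        # still set explicitly, the client's "Proxy:" header is still not
        # forwarded. Note that nginx passes every fastcgi_param it was
        # given, so which of two values for the same name wins is decided
        # by the FastCGI backend; verify this against the backend in use.
        fastcgi_param HTTP_PROXY "http://proxy.internal.example:3128";  # assumed

        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass  unix:/run/php-fpm/www.sock;  # assumed socket path
    }
}
```

The same line belongs in fastcgi.conf, which is the variant of the file that already contains SCRIPT_FILENAME; a deployment that includes fastcgi.conf instead of fastcgi_params would otherwise remain unprotected.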