Should nginx's default shipped fastcgi_param file be updated to mitigate httpoxy?
mdounin at mdounin.ru
Tue Jul 19 14:16:55 UTC 2016
On Tue, Jul 19, 2016 at 03:48:16PM +0200, Thomas Deutschmann wrote:
> I am proxy maintaining the nginx package on Gentoo.
> Regarding the recent "httpoxy" problem (you already published a blog
> posting  with instructions how to mitigate the problem) we are
> unsure if we should update our package to ship your mitigation per
> default, i.e. altering your "fastcgi_param" file and add
> > fastcgi_param HTTP_PROXY "";
> This would protect default configurations. However some setups might
> require a proxy which could break when fastcgi_param file will be
> sourced after user's configuration.
> From my point of view this is a user education problem: If they know
> what they are doing they won't have to do anything: They should be
> fine already or at least will set their required values *after*
> sourcing the default fastcgi_param file.
> For Gentoo we would use our elog and/or news system to tell the user
> about the changes.
> However we want to know if you, upstream, are going to change the
> default shipped fastcgi_param file (don't forget the .conf file) with
> the next upcoming release to include a "safer" default configuration
> as well or if there are reasons not to ship such a default and maybe
> you recommend us also to do nothing.
I don't think that the default should be changed.
The problem is about improperly using the HTTP_PROXY environment
variable in CGI[-like] contexts. And this is what should be
fixed. Much like any other uses of HTTP_* environment variables.
While filtering particular headers can be effectively used as a
mitigation before all the affected uses are fixed, it doesn't
look like a good long-term solution.
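The attack path under discussion, and the two places it can be closed (the gateway-side `fastcgi_param HTTP_PROXY "";` override that Gentoo asks about, versus fixing the consumer of HTTP_PROXY, as the reply argues), modelled as an added example. This is not nginx's code, nor any HTTP library's: the header-to-environment mapping is a simplified model of the CGI convention, the proxy URLs are constructed, and the lowercase-before-uppercase precedence in `fixed_proxy_from_env` is one reasonable consumer-side policy rather than the behaviour of any particular library.

```python
"""Model of the httpoxy issue and of the two places it can be addressed.

A CGI-style gateway turns request headers into HTTP_* environment
variables, so a client-supplied "Proxy:" header becomes HTTP_PROXY.
Application-side HTTP libraries that read HTTP_PROXY as a proxy setting
then route outbound requests through an attacker-chosen proxy.

Everything below is a simplified model written for this example; it is
not nginx's fastcgi_params handling or any real library's lookup code.
"""
import re
from typing import Dict, Optional


def cgi_env_from_headers(headers: Dict[str, str], method: str = "GET") -> Dict[str, str]:
    """Simplified CGI header-to-environment mapping (RFC 3875, section 4.1.18).

    Each header "Foo-Bar: v" becomes HTTP_FOO_BAR=v; Content-Type and
    Content-Length get their own meta-variables instead. Nothing here knows
    that "Proxy" is special, which is the root of httpoxy.
    """
    env = {"REQUEST_METHOD": method, "GATEWAY_INTERFACE": "CGI/1.1"}
    for name, value in headers.items():
        lname = name.lower()
        if lname == "content-type":
            env["CONTENT_TYPE"] = value
        elif lname == "content-length":
            env["CONTENT_LENGTH"] = value
        else:
            env["HTTP_" + re.sub(r"[^A-Z0-9]", "_", name.upper())] = value
    return env


def naive_proxy_from_env(env: Dict[str, str]) -> Optional[str]:
    """Proxy lookup the way a vulnerable consumer does it: both spellings of
    the variable are trusted, regardless of how the process was started.
    An empty value is treated as unset, which is what makes the gateway-side
    override `fastcgi_param HTTP_PROXY "";` effective against this code."""
    return env.get("http_proxy") or env.get("HTTP_PROXY") or None


def fixed_proxy_from_env(env: Dict[str, str]) -> Optional[str]:
    """Proxy lookup with the consumer-side fix the reply argues for.

    In a CGI(-like) context, signalled here by REQUEST_METHOD being present,
    HTTP_PROXY may have come from the client and is ignored. The lowercase
    http_proxy cannot be produced by the header mapping (it always yields an
    uppercase name), so it remains an operator-controlled setting.
    """
    if env.get("http_proxy"):
        return env["http_proxy"]
    if "REQUEST_METHOD" in env:
        return None
    return env.get("HTTP_PROXY") or None


def apply_fastcgi_params(env: Dict[str, str], params: Dict[str, str]) -> Dict[str, str]:
    """Model of a gateway-side override such as `fastcgi_param HTTP_PROXY "";`:
    the listed variables are forced to the given values before the
    application sees the environment."""
    out = dict(env)
    out.update(params)
    return out


if __name__ == "__main__":
    # Constructed request: a client smuggles a proxy URL via the Proxy header.
    attacker_env = cgi_env_from_headers({
        "Host": "app.example",
        "Proxy": "http://203.0.113.5:8080",
    })
    print("naive consumer, unmitigated:", naive_proxy_from_env(attacker_env))
    print("naive consumer, HTTP_PROXY blanked by gateway:",
          naive_proxy_from_env(apply_fastcgi_params(attacker_env, {"HTTP_PROXY": ""})))
    print("fixed consumer, unmitigated gateway:", fixed_proxy_from_env(attacker_env))
```

The two mitigations are independent: blanking HTTP_PROXY at the gateway protects consumers you cannot patch, while the consumer-side check protects applications behind any gateway and still honours a lowercase `http_proxy` set by the operator. The lowercase variable is safe only because the CGI mapping always produces uppercase names; a gateway that lower-cased header names would break that assumption.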