[PATCH] better constrain IP-literal validation in ngx_http_validate_host()

Maxim Dounin mdounin at mdounin.ru
Tue Dec 25 15:42:34 UTC 2018


On Mon, Dec 24, 2018 at 01:47:36PM -0800, Terence Honles wrote:

> Yes, the regex will fail for IPv future literals, but I don't believe they are
> being used in practice. When they are, I'm sure the Django project will
> welcome the change to the RegEx.

Sure.  The point is that there is no difference between perfectly 
valid and invalid literals.  Django will complain if it sees 
anything it doesn't understand (and that's perfectly fine, 

> As for the configuration you proposed, we are already using that (with a 444
> instead of 404), but the IP literal will still pass through because it is a
> valid match (but an invalid hostname according to RFC 3986).

With the configuration I proposed, names you haven't explicitly 
configured with the "server_name" directive will not be sent to 
backends.  And if you've explicitly configured an invalid name, I 
don't see why nginx should refuse doing what it was explicitly 
told to do.

Most likely, you've instead configured nginx to pass everything to 
Django, and this is what causes errors in your setup.  Consider 
switching to a more restricted configuration.

Happy holidays.

Maxim Dounin
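As an added illustration of the "more restricted configuration" Maxim refers to (this is example configuration written for this page, not a snippet from the thread or from nginx's own documentation; the hostnames, the upstream address and the listen port are assumptions), the catch-all layout that forwards every Host value to the backend is shown commented out next to a layout where only explicitly listed names are proxied:

```nginx
# Added example, not part of the original thread. Names, ports and the
# upstream address are placeholders chosen for illustration.

upstream django_app {
    server 127.0.0.1:8000;
}

# Weak setting (shown for contrast): one catch-all server that proxies
# whatever Host header the client sends, including IP literals or
# names nginx was never told about. Every such request reaches Django,
# which then rejects it with its own ALLOWED_HOSTS check.
#
# server {
#     listen 80 default_server;
#     server_name _;
#     location / { proxy_pass http://django_app; }
# }

# Restricted setting: the default server answers unmatched Host values
# itself and never forwards them.
server {
    listen 80 default_server;
    server_name _;
    return 444;   # drop the connection without a response; 404 is the other common choice
}

# Only requests whose Host matches one of these names are forwarded.
server {
    listen 80;
    server_name example.com www.example.com;

    location / {
        proxy_set_header Host $host;
        proxy_pass http://django_app;
    }
}
```

After `nginx -t` and a reload, a request carrying an unconfigured Host (for example `curl -sv -H 'Host: 192.0.2.1' http://127.0.0.1/`) is answered by the default server and never appears in the backend's logs, while `Host: example.com` is proxied as before. The backend's own host validation stays in place as a second layer; the point of the restricted layout is that nginx stops handing it names that were never meant to be served.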

