Minor "bug" in nginx
mike503 at gmail.com
Thu Apr 30 02:57:28 MSD 2009
On Wed, Apr 29, 2009 at 3:01 PM, Maxim Dounin <mdounin at mdounin.ru> wrote:
> It MUST per RFC2616. There is no difference between
>
> GET http://example.com/ HTTP/1.1
> Host: ignored
>
> GET / HTTP/1.1
> Host: example.com
>
> See RFC2616 for details (5.2 The Resource Identified by a Request).
Okay, I see - so it is serving up HTTP 200 because I have a "catchall"
server_name _ somewhere.
I will explain this to the "security company" that did the audit of
our server, that per RFC, it should accept this kind of request, it is
the -action- that is the issue. Maybe also we just failed because I
issued an HTTP 200 instead of a 404 due to the catchall.
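
The host-selection rule cited in this thread, as an added example that is not part of the original messages: a simplified Python model of RFC 2616 section 5.2 (not nginx's code) showing why both quoted requests resolve to the same host and how a catch-all changes the answer for an unknown one. The names `effective_host`, `route`, `vhosts` and `catchall` are hypothetical, and the sample requests are constructed.

```python
from urllib.parse import urlsplit

def effective_host(raw_request: bytes):
    """Host selected by RFC 2616 section 5.2, or None if the request names none."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    _method, target, _version = request_line.split(" ")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Rule 1: an absoluteURI in the request line decides; Host is ignored.
    if target.lower().startswith(("http://", "https://")):
        return urlsplit(target).hostname
    # Rule 2: otherwise the Host header decides (port stripped for matching).
    if headers.get("host"):
        return urlsplit("//" + headers["host"]).hostname
    return None

def route(raw_request: bytes, vhosts: set, catchall: bool):
    """Simplified model (assumption): (status, matched server) for configured names."""
    host = effective_host(raw_request)
    if host in vhosts:
        return 200, host
    if host is not None and catchall:
        return 200, "_"   # the catch-all answers for any host name
    return 400, None      # rule 3: not a valid host on this server

# Constructed sample requests: the two forms quoted above, plus an unknown host.
ABSOLUTE = b"GET http://example.com/ HTTP/1.1\r\nHost: ignored\r\n\r\n"
RELATIVE = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
UNKNOWN = b"GET http://unknown.invalid/ HTTP/1.1\r\nHost: example.com\r\n\r\n"

if __name__ == "__main__":
    names = {"example.com"}
    for req in (ABSOLUTE, RELATIVE, UNKNOWN):
        print(effective_host(req), route(req, names, True), route(req, names, False))
```

In the `UNKNOWN` case the `Host` header names a configured site, but the absolute URI wins, so the outcome depends entirely on whether a catch-all exists.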