ngx_http_find_virtual_server ngx_http_regex_exec DOS
Maxim Dounin
mdounin at mdounin.ru
Wed Jan 31 03:19:52 UTC 2024
Hello!
On Tue, Jan 30, 2024 at 10:28:23AM +0200, Clima Gabriel wrote:
> Greetings fellow nginx-devs,
> It looks to me as if an attacker could force the server to use up a large
> amount of resources doing ngx_http_regex_exec if the server were to be
> configured with a relatively large number of regex server_names.
> I would appreciate any ideas on the topic, especially suggestions as to how
> some form of caching could be implemented for the responses, so that the
> server didn't have to execute the ngx_http_regex_exec on subsequent
> requests.
Not using "large number of regex server_names" might be the best
solution available here. Requests are not required to be to the
same virtual server, and caching won't generally work.
--
Maxim Dounin
http://mdounin.ru/
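
The recommendation above can be checked against a configuration. The following is an added example, not part of the original thread and not nginx project code: it counts `server_name` values by kind, relying on nginx's documented behaviour that exact and wildcard names are found through hash tables while regex names (those starting with `~`) are tested one after another. The sample configuration, the `audit` function and its `limit` threshold are assumptions, and the count covers the whole file rather than each listen socket.

```python
import re

# Constructed sample config (not from the thread); all names are placeholders.
SAMPLE_CONF = r"""
server { listen 80; server_name example.org www.example.org; }
server { listen 80; server_name *.example.net .example.com; }
server { listen 80;
    server_name ~^(?<user>[a-z0-9]+)\.users\.example\.org$
                "~^shop\d{1,3}\.example\.org$";  # quoted: contains braces
}
"""

TOKEN = re.compile(r"""
    \#[^\n]*              # comment
  | "(?:\\.|[^"\\])*"     # double-quoted word
  | '(?:\\.|[^'\\])*'     # single-quoted word
  | [;{}]                 # punctuation
  | [^\s;{}"'\#]+         # bare word
""", re.X)

def tokens(conf):
    # Yield (text, quoted) pairs, skipping comments.
    for m in TOKEN.finditer(conf):
        t = m.group(0)
        if t[0] != "#":
            quoted = t[0] in "\"'"
            yield (t[1:-1] if quoted else t), quoted

def classify(name):
    if name.startswith("~"):
        return "regex"      # tested sequentially, in configuration order
    if name.startswith(("*.", ".")) or name.endswith(".*"):
        return "wildcard"   # hash table lookup
    return "exact"          # hash table lookup

def audit(conf, limit=10):
    # `limit` is a hypothetical local policy threshold, not an nginx setting.
    # A directive name only counts directly after ';', '{' or '}'.
    counts, regexes = {"exact": 0, "wildcard": 0, "regex": 0}, []
    in_names, at_start = False, True
    for text, quoted in tokens(conf):
        punct = not quoted and text in (";", "{", "}")
        if in_names and not punct:
            counts[classify(text)] += 1
            if classify(text) == "regex":
                regexes.append(text)
        else:
            in_names = at_start and not quoted and text == "server_name"
        at_start = punct
    return {"counts": counts, "regexes": regexes, "over_limit": counts["regex"] > limit}
```

Calling `audit(SAMPLE_CONF, limit=1)` reports two regex names and flags the configuration as over the chosen threshold.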