<html><body><div style="color:#000; background-color:#fff; font-family:times new roman, new york, times, serif;font-size:12pt"><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 12pt; "><span>Hi,</span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: 'times new roman', 'new york', times, serif; background-color: transparent; font-style: normal; "><span><br></span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: 'times new roman', 'new york', times, serif; background-color: transparent; font-style: normal; "><span>Thanks a lot for the insight.</span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: 'times new roman', 'new york', times, serif; background-color: transparent; font-style: normal; "><span><br></span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: 'times new roman', 'new york', times, serif; background-color: transparent; font-style:
normal; "><span>I have checked the order of abc, pqr and xyz and nginx does not proxy_pass.</span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: 'times new roman', 'new york', times, serif; background-color: transparent; font-style: normal; "><span><br></span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: 'times new roman', 'new york', times, serif; background-color: transparent; font-style: normal; ">It does not proxy_pass if it is ab or abcd, instead of abc.</div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: 'times new roman', 'new york', times, serif; background-color: transparent; font-style: normal; "><br></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: 'times new roman', 'new york', times, serif; background-color: transparent; font-style: normal; ">It does not even matching special characters. <br></div><div style="color: rgb(0, 0, 0); font-size: 16px;
font-family: 'times new roman', 'new york', times, serif; background-color: transparent; font-style: normal; "><span style="background-color: transparent; "><br></span></div><div style="background-color: transparent; "><span style="background-color: transparent; ">That is good, and it is blocking a submission with additional parameters, like</span><br></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: 'times new roman', 'new york', times, serif; background-color: transparent; font-style: normal; "><br></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: 'times new roman', 'new york', times, serif; background-color: transparent; font-style: normal; "><a href="https://x.y.com/?abc=1.2.3.4&pqr=asdf&xyz=123888598" target="_blank">https://x.y.com/?abc=1.2.3.4&pqr=asdf&xyz=123888598</a>&def=123<br></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: 'times new roman', 'new york',
times, serif; background-color: transparent; font-style: normal; "><br></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: 'times new roman', 'new york', times, serif; background-color: transparent; font-style: normal; ">The client is typically the browser that would make ajax call from anywhere in the Internet, but I do</div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: 'times new roman', 'new york', times, serif; background-color: transparent; font-style: normal; "><span style="background-color: transparent; ">see someone possibly crafting a payload that could confuse the app running on 127.0.0.1.</span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: 'times new roman', 'new york', times, serif; background-color: transparent; font-style: normal; "><br></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: 'times new roman', 'new york', times, serif; background-color: transparent;
font-style: normal; "><span style="background-color: transparent; ">W</span><span style="background-color: transparent; ">ill definitely go through map and will get back.</span><br></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: 'times new roman', 'new york', times, serif; background-color: transparent; font-style: normal; "><span style="background-color: transparent; "><br></span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: 'times new roman', 'new york', times, serif; background-color: transparent; font-style: normal; "><span style="background-color: transparent; ">Appreciate and thanks again, Francis.</span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: 'times new roman', 'new york', times, serif; background-color: transparent; font-style: normal; "><span style="background-color: transparent; "><br></span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: 'times new
roman', 'new york', times, serif; background-color: transparent; font-style: normal; ">tjoseph.</div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: 'times new roman', 'new york', times, serif; background-color: transparent; font-style: normal; "><br></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: 'times new roman', 'new york', times, serif; background-color: transparent; font-style: normal; "><span><br></span></div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 12pt; "><br></div> <div style="font-size: 12pt; font-family: 'times new roman', 'new york', times, serif; "> <div style="font-size: 12pt; font-family: 'times new roman', 'new york', times, serif; "> <div dir="ltr"> <font size="2" face="Arial"> <hr size="1"> <b><span style="font-weight:bold;">From:</span></b> Francis Daly <francis@daoine.org><br> <b><span style="font-weight: bold;">To:</span></b> nginx@nginx.org <br>
<b><span style="font-weight: bold;">Sent:</span></b> Saturday, 15 December 2012 2:21 AM<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: I want help...<br> </font> </div> <br>On Sat, Dec 15, 2012 at 04:18:55AM +0800, Thomas Joseph wrote:<br><br>Hi there,<br><br>it seems to me that the level of application-specific control you are<br>looking for probably does not belong in a default nginx.conf.<br><br>The back-end application is probably the right place to do these checks.<br><br>You could try using one of the nginx embedded language modules, which<br>may provide more features.<br><br>Or you could try using the various $arg_* variables in a map --<br><a href="http://nginx.org/r/map" target="_blank">http://nginx.org/r/map</a>.<br><br>> And a valid submission will be <a href="https://x.y.com/?abc=1.2.3.4&pqr=asdf&xyz=123888598" target="_blank">https://x.y.com/?abc=1.2.3.4&pqr=asdf&xyz=123888598</a><br><br>Would <a
href="https://x.y.com/?abc=1.2.3.4&xyz=123888598&pqr=asdf" target="_blank">https://x.y.com/?abc=1.2.3.4&xyz=123888598&pqr=asdf</a> be<br>invalid? Unless you control the client, you probably don't control<br>the order.<br><br>> abc is numeric, with . in between, and ending in digit(s), think of a uuid like 2.16.840.1.113883<br>> <br>> pqr is only alpha, but has 2 choices, asdf or lkjh<br>> <br>> xyz is purely numeric<br><br>Untested, but something like<br><br> map $arg_xyz $xyz_bad {<br> default 1<br> ~ ^[0-9]+$ 0<br> }<br><br>with similar things for "abc" and "pqr", would set variables that you<br>could then test for.<br><br> if ($xyz_bad) {<br> return 400 "xyz is wrong"<br> }<br><br>> location / {<br>> ....<br>> ....<br>> if ($args ~ ^((abc=(\d+\.)+(\d+))\&(pqr=(asdf|lkjh))\&(xyz=\d+))$){<br>> proxy_pass <a
href="http://127.0.0.1:890/?$1;" target="_blank" >http://127.0.0.1:890/?$1;</a><br>> }<br>> <br>> Still I can not limit the repetition, like (abc=(\d{3,10})). Seems nginx, does not support {}. Is that true ? <br><br>I don't know; but it possibly depends on the regex library found at<br>compile time.<br><br>> And what about "if is evil"<br><br>Don't use "if" inside "location" unless you can explain why your usage<br>is correct. That's the rule I tend to use.<br><br>Good luck with it,<br><br> f<br>-- <br>Francis Daly <a ymailto="mailto:francis@daoine.org" href="mailto:francis@daoine.org">francis@daoine.org</a><br><br>_______________________________________________<br>nginx mailing list<br><a ymailto="mailto:nginx@nginx.org" href="mailto:nginx@nginx.org">nginx@nginx.org</a><br><a href="http://mailman.nginx.org/mailman/listinfo/nginx"
target="_blank">http://mailman.nginx.org/mailman/listinfo/nginx</a><br><br><br> </div> </div> </div></body></html>