<div dir="ltr"><span style="font-family:arial,sans-serif;font-size:13px">On my site, I accept full URL-encoded URLs as part of the path, for example:</span><div style="font-family:arial,sans-serif;font-size:13px"><br></div>
<div style="font-family:arial,sans-serif;font-size:13px"><a href="http://www.mysite.com/search/http%3A%2F%2Fexample.com%2F" target="_blank">http://www.mysite.com/search/http%3A%2F%2Fexample.com%2F</a></div><div style="font-family:arial,sans-serif;font-size:13px">
<br></div><div style="font-family:arial,sans-serif;font-size:13px">I recently moved my site to nginx and I found that it was decoding and collapsing the slashes before passing it on to Passenger. It would pass along the URL like this: <a href="http://www.mysite.com/search/http:/example.com/" target="_blank">http://www.mysite.com/search/http:/example.com/</a></div>
<div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">I found the merge_slashes setting, and on setting it to off, Passenger now receives URLs like this: <a href="http://www.mysite.com/search/http://example.com/" target="_blank">http://www.mysite.com/search/http://example.com/</a>. So the slashes are kept, but the path is still decoded. The nginx documentation [1] says "However, for security considerations, it is better to avoid turning the compression off."</div>
<div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">What are the security considerations here? Why does nginx not allow the encoded slashes to be passed through (like Apache does[2]), and if it did so, would that negate the security concerns?</div>
<div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">[1] <a href="http://nginx.org/en/docs/http/ngx_http_core_module.html#merge_slashes" target="_blank">http://nginx.org/en/docs/http/ngx_http_core_module.html#merge_slashes</a></div>
<div style="font-family:arial,sans-serif;font-size:13px">[2] <a href="http://httpd.apache.org/docs/2.2/mod/core.html#allowencodedslashes" target="_blank">http://httpd.apache.org/docs/2.2/mod/core.html#allowencodedslashes</a></div>
</div>
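<div style="font-family:arial,sans-serif;font-size:13px">As an added illustration (not code from the post or from nginx itself), a small Python model of the two behaviours the post describes, decode-and-merge versus decode-only, applied to the posted path; grouping by the rewritten path shows which raw requests the backend can no longer tell apart in each mode. The CONSTRUCTED_RAW path and the function names are assumptions made for this example.</div>

```python
import re
from urllib.parse import unquote

# Request paths taken from the post, plus one constructed variant that a
# client could send which differs only in how the slashes are written.
POSTED_ENCODED = "/search/http%3A%2F%2Fexample.com%2F"   # from the post
POSTED_MERGED = "/search/http:/example.com/"             # what Passenger saw
CONSTRUCTED_RAW = "/search/http://example.com/"          # constructed variant


def nginx_normalize(raw_path: str, merge_slashes: bool = True) -> str:
    """Simplified model of the behaviour the post describes: nginx
    percent-decodes the path and, with merge_slashes on (the default),
    collapses runs of '/' into one before passing it to the backend.
    This is an illustrative model, not nginx's actual request parser."""
    decoded = unquote(raw_path)
    if merge_slashes:
        decoded = re.sub(r"/{2,}", "/", decoded)
    return decoded


def group_by_normalized(raw_paths, merge_slashes: bool = True) -> dict:
    """Map each rewritten path to the set of raw paths that produce it.
    A group with more than one member means the backend receives the
    same path for all of them and cannot recover which one was sent."""
    groups: dict[str, set[str]] = {}
    for raw in raw_paths:
        groups.setdefault(nginx_normalize(raw, merge_slashes), set()).add(raw)
    return groups


def indistinguishable(a: str, b: str, merge_slashes: bool = True) -> bool:
    """True when the model hands the backend the same path for both."""
    return nginx_normalize(a, merge_slashes) == nginx_normalize(b, merge_slashes)


if __name__ == "__main__":
    sample = [POSTED_ENCODED, POSTED_MERGED, CONSTRUCTED_RAW]
    for merge in (True, False):
        print(f"merge_slashes {'on' if merge else 'off'}:")
        for norm, raws in group_by_normalized(sample, merge).items():
            print(f"  {norm!r} <- {sorted(raws)}")
```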