Should nginx' default shipped fastcgi_param file updated to mitigate httpoxy?
Thomas Deutschmann
whissi at whissi.de
Tue Jul 19 13:48:16 UTC 2016
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hi,
I am proxy maintaining the nginx package on Gentoo.
Regarding the recent "httpoxy" problem (you already published a blog
posting [1] with instructions how to mitigate the problem) we are
unsure if we should update our package to ship your mitigation per
default, i.e. altering your "fastcgi_param" file and add
> fastcgi_param HTTP_PROXY "";
This would protect default configurations. However some setups might
require a proxy which could break when fastcgi_param file will be
sourced after user's configuration.
- From my point of view this is a user education problem: If they know
what they are doing they won't have to do anything: They should be
fine already or at least will set their required values *after*
sourcing the default fastcgi_param file.
For Gentoo we would use our elog and/or news system to tell the user
about the changes.
However we want to know if you, upstream, are going to change the
default shipped fastcgi_param file (don't forget the .conf file) with
the next upcoming release to include a "safer" default configuration
as well or if there are reasons not to ship such a default and maybe
you recommend us also to do nothing.
Thanks.
[1]
https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-ngi
nx/
- --
Regards,
Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1
iQJ8BAEBCgBmBQJXji+LXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQzM0M1ODQ4MkM0MDIyOTJEMkUzQzVDMDY5
NzA5RjkwQzNDOTZGRkM4AAoJEJcJ+Qw8lv/IIFMQAIl3gyTbLRVnX22RPrQcV/Be
NI5WSp+hd+D2DMSxunf5Rljedt2Yw7ODCtq3GCF3bC0xDMuMwsyHzxlUtvhUYqz1
PYz8n/b/76ba/rN0mMu3HWiCBbvnJ+gFd0QMNL8vP4ucabqYyPteTYN7ksSROh6C
hDej3VFDYYQsTHLhG8E8q4l9FcxEuOFnOK4H1B1aR9ti+juwysALbXa8rHx5JgYU
mgYbJvajB59gf6ks5VhN3HKHxZLdpvL8fPHwQw+pQIEpKRG5Qe11bOzRmsqQ7zvo
UagfvkIUHtBMnj5HH9mHGHY/Y1CVVWLwD81mC1kDpvJzlaKBhWPGm4a1g4Lnm+B4
sm5xQXF2s21mdp+PTB2qn6AujC5Lh4WPcHM0ZhJ4HTo15L0Z/4sbt/dh6s99I6Va
1G1YXDzZSUB9N777YYjIslNKXGFHM1oBx2UsChVo40PnvmQidZKJ1z9n0cOaiUVd
IRM1DAL6FCNCrPpPhgRKVs+VfJoNwCndD47zLhhy2xGvJUbUr9i3u6pF9THf3Nhp
LCaIQunB1r01QY0aUJT3WK6NfFcdyXy8SCtrTT8PWa/cNLCZ0yCe4DYLczgnby9F
dyTHXg8BjP/o+kQHl4e+Z7tEuAmmRgQ/BUehWyJppp/VuCVfILBfthquO++ItGCP
Z4yj87/isys7QInSO7I1
=H+YL
-----END PGP SIGNATURE-----
More information about the nginx-devel
mailing list