Should nginx' default shipped fastcgi_param file updated to mitigate httpoxy?

Maxim Dounin mdounin at
Tue Jul 19 14:16:55 UTC 2016


On Tue, Jul 19, 2016 at 03:48:16PM +0200, Thomas Deutschmann wrote:

> Hash: SHA512
> Hi,
> I am proxy maintaining the nginx package on Gentoo.
> Regarding the recent "httpoxy" problem (you already published a blog
> posting [1] with instructions how to mitigate the problem) we are
> unsure if we should update our package to ship your mitigation per
> default, i.e. altering your "fastcgi_param" file and add
> > fastcgi_param  HTTP_PROXY         "";
> This would protect default configurations. However some setups might
> require a proxy which could break when fastcgi_param file will be
> sourced after user's configuration.
> - From my point of view this is a user education problem: If they know
> what they are doing they won't have to do anything: They should be
> fine already or at least will set their required values *after*
> sourcing the default fastcgi_param file.
> For Gentoo we would use our elog and/or news system to tell the user
> about the changes.
> However we want to know if you, upstream, are going to change the
> default shipped fastcgi_param file (don't forget the .conf file) with
> the next upcoming release to include a "safer" default configuration
> as well or if there are reasons not to ship such a default and maybe
> you recommend us also to do nothing.

I don't think that the default should be changed.

The problem is about improperly using the HTTP_PROXY environment 
variable in CGI[-like] contexts.  And this is what should be 
fixed.  Much like any other uses of HTTP_* environment variables.

While filtering particular headers can be effectively used as a 
mitigation before all the affected uses are fixed, it doesn't 
looks like a good long-term solution.

Maxim Dounin

More information about the nginx-devel mailing list