[PATCH] better constrain IP-literal validation in ngx_http_validate_host()
Maxim Dounin
mdounin at mdounin.ru
Mon Dec 24 12:58:59 UTC 2018
Hello!
On Fri, Dec 21, 2018 at 11:59:27AM -0800, Terence Honles wrote:
> The reason I came across this code was I have NGINX handling HTTPS, and
> proxying to Django via uWSGI. Django has the following RegEx [1]_. Which is is
> compliant with the IPv6 literal notation, but causes Django to report an
> error.
Well, as far as I see the regex in question will also report an
error for perfectly valid IPvFuture literals.
> While I agree, there may not be an issue of security; Any down stream systems
> may be confused and unable to handle a malformed hostname.
If you want to prevent such names from hitting your backend
servers, a better solution might be to configure nginx to only
accept explicitly configured host names (including IP literals).
This is more or less trivial to configure and something you
probably should do anyway unless you are still supporting
pre-Host-header clients. E.g.:
server {
listen 80 default;
return 404;
}
server {
listen 80;
server_name example.com;
...
}
> Another alternative would be to rewrite the hostname to not
> include the "[" and "]" if it is not a valid IPv6 literal,
Well, this _will_ be a security issue, since it can easily result
in different processing of names in nginx and backends.
--
Maxim Dounin
http://mdounin.ru/
More information about the nginx-devel
mailing list