Q: about traffic, performance && security
Igor Sysoev
is at rambler-co.ru
Fri Apr 28 11:25:02 MSD 2006
On Thu, 27 Apr 2006, Alexander Lazic wrote:
> 1.) How many sites use the nginx?
> http://survey.netcraft.com/Reports/0604/ say 52092
Those are name-based virtual hosts. nginx serves about 10% of .ru name-based
virtual hosts. The physical instances, I suppose, are about 1000, no more.
> 2.) How much traffic goes through nginx on real sites; is there any
> reference site?!
Most sites are Russian or from ex-USSR countries.
I use nginx at work: www.rambler.ru, one of the largest Russian search
engines, portals and free e-mail services. Some of our sites handle up to
1000-2500 requests/second and have 10000-30000 keep-alive connections.
There are also at least
1) 3 large free hosting sites,
2) 3 large free photo hosting sites,
3) 2 large blog sites,
4) 2 large dating sites,
5) 1 large free e-mail site.
> 3.) How secure is nginx? I haven't found anything on
> http://search.securityfocus.com/swsearch?sbm=%2F&metaname=alldoc&query=nginx&x=0&y=0
> ;-)
The more popular the software, the more people look at the sources to find security bugs.
To date, nginx has had two security bugs.
The first bug is similar to http://www.securityfocus.com/archive/1/390664
You should not combine the scripts root and the static files root,
but if FastCGI scripts are located in /www and you are using this configuration:
    location / {
        root /www;
    }
    location ~ \.php$ {
        fastcgi_pass localhost:9000;
        ...
    }
then you were able to see the PHP source code using "/script.php%00".
Now nginx simply returns 404 if the URI mapped to a static file has '\0' anywhere.
The second bug.
If the upstream returns "X-Accel-Redirect: /protected/uri", then nginx does an
internal redirect. This allows handling large protected downloads.
    location /protected/ {
        internal;
        root ...;
    }
The "internal" directive allows access to this location only for internal
redirects and rewrites.
nginx allowed ".." in X-Accel-Redirect, so if someone had cracked the backend,
he was able to get files outside the location root.
Igor Sysoev
http://sysoev.ru/en/
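The two checks the post describes, modelled as an added Python example (this is not nginx's own code; the location prefix, root directory and sample URIs are constructed for illustration): a URI mapped to a static file is rejected if it contains '\0' anywhere after percent-decoding, and an X-Accel-Redirect target is only served if, after normalization, it still lies inside the internal location and inside that location's root.

```python
import posixpath
from urllib.parse import unquote


def static_uri_has_nul(uri: str) -> bool:
    """First fix: a percent-encoded NUL ("%00") in a URI mapped to a static
    file must lead to a 404, because the filesystem would stop at the NUL and
    serve "/script.php" as a plain file instead of passing it to FastCGI."""
    return "\0" in unquote(uri)


def resolve_x_accel_redirect(location_prefix: str, location_root: str, target: str):
    """Second fix: resolve an X-Accel-Redirect target against an internal
    location (e.g. "/protected/") and its root (e.g. "/data", constructed).
    Returns the filesystem path to serve, or None when the redirect must be
    refused because ".." (or a NUL) would take it outside the location root."""
    decoded = unquote(target)
    if "\0" in decoded or not decoded.startswith("/"):
        return None
    # Collapse ".", ".." and repeated slashes before comparing prefixes, so
    # "/protected/../etc/passwd" becomes "/etc/passwd" and fails the check.
    normalized = posixpath.normpath(decoded)
    if not normalized.startswith(location_prefix):
        return None
    # nginx appends the whole URI to the root; confirm the result is still
    # under the root directory after normalization.
    root_norm = posixpath.normpath(location_root)
    fs_path = posixpath.normpath(root_norm + normalized)
    if fs_path != root_norm and not fs_path.startswith(root_norm + "/"):
        return None
    return fs_path


if __name__ == "__main__":
    # Constructed sample inputs: one benign download, two that must be refused.
    for t in ("/protected/big.iso", "/protected/../etc/passwd", "/protected/%00.iso"):
        print(t, "->", resolve_x_accel_redirect("/protected/", "/data", t))
```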