nginx and Apache killer

Juan Angulo Moreno apostols at gmail.com
Sun Aug 28 02:04:11 UTC 2011


Hi,

I use nginx 1.0 on my server (with fastcgi + php5 support); it runs
several websites using WordPress. Today my hard disk is full (this runs
on a VPS service). The error.log file occupied 6.8 GB and the mysql server is
frozen. How can I prevent the disk from filling up if someone applies the
Apache killer script to my nginx?

Thank you!

2011/8/27 Igor Sysoev <igor at sysoev.ru>:
> Following "Apache Killer" discussions and the advisory from 2011-08-24
> (Advisory: Range header DoS vulnerability Apache HTTPD 2.x CVE-2011-3192)
> we'd like to clarify a couple of things in regards to nginx behavior
> either in standalone or "combo" (nginx+apache) modes.
>
> First of all, nginx doesn't favor HEAD requests with compression,
> so the exact mentioned attack doesn't work against a standalone
> nginx installation.
>
> If you're using nginx in combination with proxying to apache backend,
> please check your configuration to see if nginx actually passes range
> requests to the backend:
>
> 1) If you're using proxying WITH caching then range requests are not
> sent to backend and your apache should be safe.
>
> 2) If you're NOT using caching then you might be vulnerable to the attack.
>
> In order to mitigate this attack when your installation includes
> apache behind nginx, we recommend the following:
>
> 1. Refer to the above mentioned security advisory CVE-2011-3192 for apache
> and implement described measures accordingly.
>
> 2. Consider using nginx configuration below (in server{} section of
> configuration). This particular example filters 5 and more ranges
> in the request:
>
>  if ($http_range ~ "(?:\d*\s*-\s*\d*\s*,\s*){5,}") {
>      return 416;
>  }
>
> We'd also like to notify you that for standalone nginx installations
> we've produced the attached patch. This patch prevents handling
> malicious range requests at all, instead outputting just the entire file
> if the total size of all ranges is greater than the expected response.
>
>
> --
> Igor Sysoev
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
>



-- 
Juan A. Moreno
http://apostols.net
Fingerprint GPG: 0FEE E0BF 2904 FE77 1682 2171 C842 DBF1 34BC CD04
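To see how the two mitigations Igor describes behave on concrete Range headers, here is an added Python example (not code from the thread or from nginx): it applies the posted `$http_range` regex as the rule would, and separately parses the header to apply the patch's rule of sending the entire file when the total size of all ranges exceeds the response. The `bytes=` parsing and the `decide()` helper are my own, written for illustration.

```python
import re

# Pattern copied from the nginx rule posted in the thread:
#   if ($http_range ~ "(?:\d*\s*-\s*\d*\s*,\s*){5,}") { return 416; }
NGINX_RANGE_RE = re.compile(r"(?:\d*\s*-\s*\d*\s*,\s*){5,}")


def nginx_rule_rejects(range_header: str) -> bool:
    """True if the posted if-block would fire and answer 416.
    The pattern needs five comma-terminated specs, so it fires at six ranges and up."""
    return NGINX_RANGE_RE.search(range_header) is not None


def parse_ranges(range_header: str, content_length: int):
    """Parse 'bytes=a-b,c-d,...' into satisfiable (start, end) pairs.
    Returns None for a malformed header (a server then ignores Range entirely)."""
    if not range_header.startswith("bytes="):
        return None
    ranges = []
    try:
        for spec in range_header[len("bytes="):].split(","):
            first, last = (p.strip() for p in spec.strip().split("-", 1))
            if first == "" and last == "":
                return None
            if first == "":                       # suffix form "-N": last N bytes
                n = int(last)
                if n == 0:
                    continue
                start, end = max(content_length - n, 0), content_length - 1
            else:
                start = int(first)
                end = content_length - 1 if last == "" else min(int(last), content_length - 1)
            if start > end or start >= content_length:
                continue                          # unsatisfiable spec, drop it
            ranges.append((start, end))
    except ValueError:                            # non-numeric offsets
        return None
    return ranges


def decide(range_header: str, content_length: int) -> str:
    """What a hardened frontend would do: '416', 'full' (ignore ranges, send
    the whole body) or 'partial' (honour the ranges)."""
    if nginx_rule_rejects(range_header):
        return "416"
    ranges = parse_ranges(range_header, content_length)
    if ranges is None:
        return "full"                             # malformed Range: ignore it
    if not ranges:
        return "416"                              # nothing satisfiable
    total = sum(end - start + 1 for start, end in ranges)
    # Behaviour of the patch described in the post: if all ranges together
    # exceed the response size, stop special-casing and send the entire file.
    return "full" if total > content_length else "partial"
```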