nginx and Apache killer

Maxim Dounin mdounin at mdounin.ru
Sun Aug 28 08:46:26 UTC 2011


Hello!

On Sat, Aug 27, 2011 at 09:34:11PM -0430, Juan Angulo Moreno wrote:

> Hi,
> 
> I use nginx 1.0 on my server (with fastcgi + php5 support); it runs
> several websites using WordPress. Today my hard disk is full (this runs
> on a VPS service). The error.log file occupied 6.8 Gb and the mysql server is
> frozen. How can I prevent someone who applies the Apache killer
> script to my nginx from filling the disk?

The usual approach is to rotate logs periodically and/or control the
logging level via the error_log directive.  And this isn't specific to
any particular script; this is just administration basics.

Maxim Dounin

> 
> Thank you!
> 
> 2011/8/27 Igor Sysoev <igor at sysoev.ru>:
> > Following "Apache Killer" discussions and the advisory from 2011-08-24
> > (Advisory: Range header DoS vulnerability Apache HTTPD 2.x CVE-2011-3192)
> > we'd like to clarify a couple of things in regards to nginx behavior
> > either in standalone or "combo" (nginx+apache) modes.
> >
> > First of all, nginx doesn't favor HEAD requests with compression,
> > so the exact mentioned attack doesn't work against a standalone
> > nginx installation.
> >
> > If you're using nginx in combination with proxying to apache backend,
> > please check your configuration to see if nginx actually passes range
> > requests to the backend:
> >
> > 1) If you're using proxying WITH caching then range requests are not
> > sent to backend and your apache should be safe.
> >
> > 2) If you're NOT using caching then you might be vulnerable to the attack.
> >
> > In order to mitigate this attack when your installation includes
> > apache behind nginx we recommend the following:
> >
> > 1. Refer to the above mentioned security advisory CVE-2011-3192 for apache
> > and implement described measures accordingly.
> >
> > 2. Consider using nginx configuration below (in server{} section of
> > configuration). This particular example filters 5 and more ranges
> > in the request:
> >
> >  if ($http_range ~ "(?:\d*\s*-\s*\d*\s*,\s*){5,}") {
> >      return 416;
> >  }
> >
> > We'd also like to notify you that for standalone nginx installations
> > we've produced the attached patch. This patch prevents handling
> > malicious range requests at all, instead outputting just the entire file
> > if the total size of all ranges is greater than the expected response.
> >
> >
> > --
> > Igor Sysoev
> >
> > _______________________________________________
> > nginx mailing list
> > nginx at nginx.org
> > http://mailman.nginx.org/mailman/listinfo/nginx
> >
> >
> 
> 
> 
> -- 
> Juan A. Moreno
> http://apostols.net
> Fingerprint GPG: 0FEE E0BF 2904 FE77 1682 2171 C842 DBF1 34BC CD04
> 
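The two mitigations in the quoted advisory, the `$http_range` regex that answers 416 and the patch's rule of serving the whole file when the requested ranges add up to more than the resource, carried into an added Python example. This is not code from the nginx project or from any participant in the thread: the regex is reproduced from the mail as-is, while the byte-range parser, the `decide_range_response` policy function and the sample headers are constructed assumptions of this example.

```python
import re

# Regex from the quoted nginx advisory: five or more "a-b," fragments.
NGINX_MANY_RANGES = re.compile(r"(?:\d*\s*-\s*\d*\s*,\s*){5,}")


def matches_nginx_filter(range_header):
    """True when the `if ($http_range ~ ...)` block from the mail would return 416."""
    return NGINX_MANY_RANGES.search(range_header or "") is not None


def parse_byte_ranges(range_header, resource_length):
    """Parse a 'bytes=' Range header into (first, last) pairs clamped to the resource.

    Returns None when the header is absent, malformed, or not a byte range,
    meaning the server should just send the full body.  Unsatisfiable
    range-specs (start past the end, or last < first) are skipped, as
    RFC 2616 section 14.35.1 allows.
    """
    if not range_header or not range_header.startswith("bytes="):
        return None
    ranges = []
    for spec in range_header[len("bytes="):].split(","):
        m = re.fullmatch(r"(\d*)\s*-\s*(\d*)", spec.strip())
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None  # malformed spec: treat the header as absent
        first, last = m.group(1), m.group(2)
        if first == "":
            # Suffix range "-N": the last N bytes of the resource.
            n = int(last)
            if n == 0:
                continue
            ranges.append((max(resource_length - n, 0), resource_length - 1))
        else:
            start = int(first)
            end = int(last) if last else resource_length - 1
            if start >= resource_length or (last and end < start):
                continue  # unsatisfiable, ignore this spec
            ranges.append((start, min(end, resource_length - 1)))
    return ranges


def decide_range_response(range_header, resource_length, max_ranges=5):
    """Combine the thread's two mitigations into one policy decision.

    Returns (status, ranges):
      ("416", [])     - max_ranges or more ranges (the config snippet's rule),
                        or every range was unsatisfiable;
      ("200", [])     - no usable Range header, or the ranges together ask for
                        more bytes than the resource holds (the patch's rule:
                        serve the entire file instead);
      ("206", ranges) - an ordinary partial response.
    """
    ranges = parse_byte_ranges(range_header, resource_length)
    if ranges is None:
        return ("200", [])
    if not ranges:
        return ("416", [])
    if len(ranges) >= max_ranges:
        return ("416", [])
    total = sum(last - first + 1 for first, last in ranges)
    if total > resource_length:
        return ("200", [])
    return ("206", ranges)


if __name__ == "__main__":
    # Constructed sample headers against a 1000-byte resource.
    for hdr in ["bytes=0-99", "bytes=-100", "bytes=0-,0-,0-",
                "bytes=0-1,2-3,4-5,6-7,8-9", "bytes=2000-3000", None]:
        print(repr(hdr), "nginx regex:", matches_nginx_filter(hdr),
              "policy:", decide_range_response(hdr, 1000))
```

One thing the parser-based count makes visible: the regex from the mail matches comma-terminated fragments, so a header carrying exactly five ranges with no trailing comma passes it, whereas `decide_range_response` counts parsed ranges and rejects it. Either check belongs in front of the backend, together with the log rotation and error_log level that the reply recommends, since the disk-filling symptom in the question comes from logging, not from the ranges themselves.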