Strange rewrite_by_lua outcome

Nginx User nginx at
Mon Oct 17 16:33:20 UTC 2011

On 17 October 2011 08:03, Tim Mensch <tim-nginx at> wrote:
> On 10/16/2011 10:50 PM, Nginx User wrote:
>> BTW this works fine even though it has "\":
>> local query_string =,
>> "((php|sql)-?my-?admin/|my-?(php|sql)-?admin|(php|sql)-?manager)|(_vpi|xAou6|db_name|clientrequest|option_value|sys_cpanel|db_connect|doeditconfig|check_proxy|system_user|spaw2|prx2|thisdoesnotexist|proxyjudge1|ImpEvData|proxydeny|base64|crossdomain|localhost|wwwroot|mosconfig|scanner|proc/self/environ)|\.(outcontrol|rdf|XMLHTTP|cgi|asp|aspx|cfg|dll|exe|jsp|mdb|sql|ini|rar|inc|dll)|(/admin/sqlpatch\.php/password_forgotten\.php\?action=execute)|etc/passwd|/manager/html","io")
> You're just doing "\." in that line. If Nginx strips that "\", then it ends
> up in Lua as ".", which changes the meaning but will happen to work in most
> cases (though it would match sqlpatch_php and other similar strings, and not
> just sqlpatch.php, since the "." will be the wildcard).
> Tim

Let me get this right. Do I need to always escape the "\" inserted to
escape "." in "\." in lua and then add another couple of "\"s? I.E.,
do I need to do "sqlpatch\\\\.php" to get "sqlpatch\.php" passed to
the regex finally? IOW, do I basically replace each "\" with "\\\\"?

If I understand agentzh, the rewrite module handles this behind the
scenes and allows us to use familiar syntax. Is that right?


More information about the nginx mailing list