Encoded slashes in URL with proxy = trouble?

Igor Sysoev igor at sysoev.ru
Fri Sep 9 15:06:57 UTC 2011

On Fri, Sep 09, 2011 at 10:47:10AM -0400, François Beausoleil wrote:
> Hi!  
> Nginx is in front of the RabbitMQ management extension. Some of the URLs the extension generates contain en embedded slash character (%2F):
>  http://somehost/#/queues/%2F/events
> The encoded slash represents the vhost I want to get information about. I found an older ServerFault question with no answer[1], and was wondering if any of you had a way to let Nginx pass through the encoded slash?
> Thanks!
> François
> [1] http://serverfault.com/questions/289188/nginx-passenger-encoded-slash

First, I'm not sure that browser sends to a server anything after
hash character "#", since hash mean fragment on page.

As to enconded slash, nginx normalizes URI, it decodes all characters
so "/queues/%2F/events" becames "/queues///events" and then it merges
all slashes, "/./", and "/../" to test URI against locations.
Otherwise, anyone can request something like "/%2E%2E%2E../../etc/passwd"
to get files out of server control. Or to get source text of the script
files instead of executing then.

If you want to pass unchanged request to backend, you can use just
backend name without slash in proxy_pass:

location /queues/ {
    proxy_pass   http://backend;


-   proxy_pass   http://backend/;
+   proxy_pass   http://backend;

Igor Sysoev

More information about the nginx mailing list