Regular Expression global redirect

Max nginxyz at mail.ru
Tue Feb 28 03:47:14 UTC 2012


27 February 2012, 14:13 from António P. P. Almeida <appa at perusio.net>:
> On 27 Fev 2012 07h33 CET, nginxyz at mail.ru wrote:
> > 27 February 2012, 04:41 from António P. P. Almeida <appa at perusio.net>:
> > > server {
> > >     listen 80;
> > >     server_name ~^www\.(?P<domain>.*)$;
> > >     return 301 $scheme://$domain$request_uri;
> > > }
> > >
> > > server {
> > >     listen 80;
> > >     server_name ~^(?P<domain_name>[^\.]*)\.(?P<tld>[^\.]*)$;
> > >     location / {
> > >         proxy_pass http://$domain_name.$tld;
> > >     }
> > > }
> > >
> > > This should work [1]. 
> >
> > Your solution, while syntactically correct, is wrong by design.
> > What you created there is an open anonymizing proxy that will pass
> > any request from anyone to any host:port combination that contains
> > only the domain name and the TLD, if a functional resolver has been
> > set up using the resolver directive. Take a guess what this would
> > do:
>
> This deals with illegal Host headers:
> 
> server {
>     listen 80 default_server;
>     server_name _;
>     server_name_in_redirect off;
>     return 444;
> }

If by deals you mean gives a card to every player who wants one,
then you are correct. :-P But it does nothing to close that open
anonymizing proxy you created with the previous server block;
anyone can still use your frontend server as an open anonymizing
proxy to access any domain.tld:port they want, including fbi.gov:22.

Besides, server_name_in_redirect is off by default. Moreover,
it's completely useless in that server block because you're just
dropping the connection anyway. This would have been just
as useful:

proxy_set_header Warning "CPU cycle wasting in progress...";

As for illegal Host headers, nginx takes care of those on its
own and returns error code 400 without such blocks. The
purpose of such blocks is to catch everything else that is not
matched by defined server names. In your case, the other two
server blocks already match any requests that have the Host
header set to start with www or contain a domain.tld type
of hostname, so your latest server block just catches everything
else (requests with missing Host headers, IP addresses,
nonwwwhostname.domain.tld hostnames etc.).

To put it simply, your configuration is wrong and should not
be used, unless you want to "deal with" the FBI in the near
future.

Max
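The proxy server block Max objects to, rewritten with a map-based allowlist so that only domains the operator lists are ever proxied, as an added example that is not part of the thread. The domains example.com and example.net and the resolver address 127.0.0.1 are placeholders.

```nginx
# Added example, not from the original thread. $host is the Host header
# (lowercased, port stripped), so unlisted hosts map to an empty string.
map $host $allowed_upstream {
    default      "";               # unknown host: no upstream at all
    example.com  example.com;      # placeholder allowed domains
    example.net  example.net;
}

server {
    listen 80;
    # Same regex as the original; on its own it accepts any two-label host.
    server_name ~^(?P<domain_name>[^\.]*)\.(?P<tld>[^\.]*)$;

    # A variable in proxy_pass requires a resolver; placeholder address.
    resolver 127.0.0.1;

    location / {
        # Requests for hosts outside the allowlist are dropped (444 closes
        # the connection without a response) instead of being proxied.
        if ($allowed_upstream = "") {
            return 444;
        }
        # Only an allowlisted value can reach proxy_pass, never raw Host input.
        proxy_pass http://$allowed_upstream;
    }
}

# Catch-all for missing Host headers, IP literals and anything the
# regex above does not match.
server {
    listen 80 default_server;
    server_name _;
    return 444;
}
```

With this layout a Host header such as `other.example` still matches the regex server block but is refused in `location /`, which is the check the original configuration lacked.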

