Regular Expression global redirect

António P. P. Almeida appa at perusio.net
Tue Feb 28 12:10:19 UTC 2012


On 28 Feb 2012 04h47 CET, nginxyz at mail.ru wrote:

>
> 27 February 2012, 14:13 from António P. P. Almeida <appa at perusio.net>:
>> On 27 Feb 2012 07h33 CET, nginxyz at mail.ru wrote:
>>> 27 February 2012, 04:41 from António P. P. Almeida <appa at
>>> perusio.net>:
>>>> server {
>>>> listen 80;
>>>> server_name ~^www\.(?P<domain>.*)$;
>>>> return 301 $scheme://$domain$request_uri;
>>>> }
>>>>
>>>> server {
>>>> listen 80;
>>>> server_name ~^(?P<domain_name>[^\.]*)\.(?P<tld>[^\.]*)$;
>>>> location / {
>>>> proxy_pass http://$domain_name.$tld;
>>>> }
>>>> }
>>>>
>>>> This should work [1]. 
>>>
>>> Your solution, while syntactically correct, is wrong by design.
>>> What you created there is an open anonymizing proxy that will pass
>>> any request from anyone to any host:port combination that contains
>>> only the domain name and the TLD, if a functional resolver has
>>> been set up using the resolver directive. Take a guess what this
>>> would do:
>>
>> This deals with illegal Host headers:
>>
>> server {
>> listen 80 default_server;
>> server_name _;
>> server_name_in_redirect off;
>> return 444;
>> }
>
> If by deals you mean gives a card to every player who wants one,
> then you are correct. :-P But it does nothing to close that open
> anonymizing proxy you created with the previous server block,
> anyone can still use your frontend server as an open anonymizing
> proxy to access any domain.tld:port they want, including fbi.gov:22.
>
> Besides, server_name_in_redirect is off by default. Moreover,
> it's completely useless in that server block because you're just
> dropping the connection anyway. This would have been just
> as useful:

That was set to off by default in 0.8.48. 

> proxy_set_header Warning "CPU cycle wasting in progress...";
>
> As for illegal Host headers, nginx takes care of those on its
> own and returns error code 400 without such blocks. The
> purpose of such blocks is to catch everything else that is not
> matched by defined server names. In your case, the other two
> server blocks already match any requests that have the Host
> header set to start with www or contain a domain.tld type
> of hostname, so your latest server block just catches everything
> else (requests with missing Host headers, IP addresses,
> nonwwwhostname.domain.tld hostnames etc.).

Illegal in the sense of being relative to undefined/unauthorized
hosts. That's what I meant. I use a similar vhost in all my setups.

> To put it simply - your configuration is wrong and should not
> be used, unless you want to "deal with" the FBI in the near
> future.

1. The OP didn't request anything like you said.

2. If he requested such, that could have been dealt with using a
   simple map with hostnames and an if at the server level.

3. IIRC he hasn't said how his exact setup works. He could have in
   place network policies that disable the usage of the servers as
   open proxies.

4. You're just trolling. Like you trolled other people before
   me. People that have been working on Nginx for quite some time, and
   that have real accomplishments, besides trolling and posing as
   "experts".

5. I won't engage you ever again. My mistake.

HAND,
--- appa
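The point of contention above is that `proxy_pass http://$domain_name.$tld` forwards to whatever host the client put in the Host header, so any client can use the frontend as an open proxy once a resolver is configured. The message also mentions the fix in passing: a map of permitted hostnames plus an `if` at the server level. The configuration below is an added example, not part of the thread and not anyone's production config; the hostnames `example.com`/`example.org`, the upstream `127.0.0.1` resolver, and the decision to answer unknown hosts with 444 are assumptions chosen for illustration.

```nginx
# Added example: allowlist the proxied upstream with a map instead of
# trusting the regex capture from the Host header.

# $host is the normalised Host header. Anything not listed maps to "".
# (Hostnames and the resolver address below are assumed values.)
map $host $allowed_upstream {
    default        "";
    example.com    example.com;
    example.org    example.org;
}

# Unchanged from the thread: strip the www. prefix with a 301.
server {
    listen 80;
    server_name ~^www\.(?P<domain>.*)$;
    return 301 $scheme://$domain$request_uri;
}

# Same regex server_name as the original, but the upstream comes from
# the map rather than from the captures, so unlisted hosts never reach
# proxy_pass.
server {
    listen 80;
    server_name ~^(?P<domain_name>[^\.]*)\.(?P<tld>[^\.]*)$;

    # A variable in proxy_pass requires a resolver; assumed local address.
    resolver 127.0.0.1;

    # Server-level if with return is safe: drop the connection for any
    # Host that is not in the allowlist before any location is entered.
    if ($allowed_upstream = "") {
        return 444;
    }

    location / {
        proxy_set_header Host $host;
        proxy_pass http://$allowed_upstream;
    }
}

# Catch-all for missing Host headers, bare IPs and other unmatched names.
server {
    listen 80 default_server;
    server_name _;
    return 444;
}
```

With the map in place, a request for `fbi.gov` or any other unlisted name matches the regex server block but is closed with 444 before `proxy_pass` runs, while the two listed hosts are proxied exactly as before. Where the list of domains is short and static, an even simpler hardening is to drop the regex and the map altogether and enumerate the permitted names directly in `server_name`, so nginx's own server selection does the filtering.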


