Internal IP in HTTP Location Header Response?
mevans336
nginx-forum at forum.nginx.org
Mon Nov 14 15:38:08 UTC 2016
Hello - we have been dinged on our network penetration test because one of
our Nginx web servers is returning the internal IP in the HTTP location
response header. This is our only Nginx server that is not acting as a
reverse proxy, so I'm at a bit of a loss on how to disable Nginx returning
the Internal IP?
Here is the bulk of our config:
server {
    listen 192.168.1.2:80;
    server_name mydomain.com www.mydomain.com;
    location / {
        return 301 https://$server_name$request_uri;
    }
}
server {
    listen 192.168.1.2:443 ssl http2;
    server_name mydomain.com www.mydomain.com;
    ssl on;
    ssl_certificate /etc/nginx/ssl/mycert.crt;
    ssl_certificate_key /etc/nginx/ssl/mykey.key;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_ciphers
    ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-A[...]
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_stapling on;
    resolver 8.8.8.8 8.8.4.4 ipv6=off;
    location / {
        add_header X-Frame-Options SAMEORIGIN;
        add_header Strict-Transport-Security
        max-age=31536[...]
        root /usr/share/nginx/html/;
        index index.html;
    }
}
[+] Location Header: https://192.168.1.2/images/
[+] Result for my.external.ip.address found Internal IP: 192.168.1.2
Posted at Nginx Forum: https://forum.nginx.org/read.php?2,270932,270932#msg-270932
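The following is an added example, not the poster's configuration or a reply from the thread. It shows the HTTPS server block from the post with the setting that controls which host nginx puts into the Location header of the redirects it generates itself (such as the implicit 301 from /images to /images/ for a directory). With the default server_name_in_redirect off, nginx takes the host from the request's Host header and, when the request carries no Host header at all (an HTTP/1.0 probe, which is what a scanner typically sends), falls back to the listen address, which is how 192.168.1.2 ends up in the response. The ssl_* directives are left out of the block only for brevity; the host and path names are the ones from the post.

```nginx
# Added example (not from the original post): the HTTPS server block with
# absolute redirects pinned to the configured server name.
#
# The poster's block has no server_name_in_redirect line, so the default
# "off" applies: redirect Location = scheme + Host header (or the listen IP
# when the request has no Host header) + path.
server {
    listen 192.168.1.2:443 ssl http2;
    server_name mydomain.com www.mydomain.com;

    # Use the primary name from server_name ("mydomain.com") in absolute
    # redirects instead of the Host header / listen address.
    server_name_in_redirect on;

    # Alternative available from nginx 1.11.8 onwards: send relative
    # redirects ("Location: /images/") so no host appears in the header.
    # absolute_redirect off;

    # ... ssl_certificate, ssl_protocols, ssl_ciphers, etc. as in the post ...

    location / {
        add_header X-Frame-Options SAMEORIGIN;
        root /usr/share/nginx/html/;
        index index.html;
    }
}
```

After `nginx -t` and a reload, the check that reproduces the scanner's finding is a request with no Host header, for example `printf 'GET /images HTTP/1.0\r\n\r\n' | openssl s_client -quiet -connect 192.168.1.2:443`; the 301 should now carry `Location: https://mydomain.com/images/` (or `Location: /images/` with absolute_redirect off). The port-80 block in the post is already safe, since its `return 301` builds the target from `$server_name` rather than from the request.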