Nginx allowed characters inside full URL / URI and ARGS
c0nw0nk
nginx-forum at forum.nginx.org
Fri Jul 14 19:57:46 UTC 2017
So I have been using Lua to iron out a few dilemmas and problems lately.
Does anyone know what characters Nginx accepts inside URLs?
I am achieving a higher cache HIT ratio by modifying the URLs with Lua but
it also helps in preventing unwanted forms of DoS.
Here is my code:
local function fix_url(str)
    return str:gsub("[+/=]", {["+"] = "+", ["/"] = "/", ["="] = "="})
    --Needs some regex to remove multiple occurrences of characters
end
--Remove UN-wanted duplicated characters that users are trying to bypass cache with.
ngx.var.modified_url = fix_url(ngx.var.request_uri)
--make all lowercase to further increase cache HIT ratio
ngx.var.modified_url = string.lower(ngx.var.modified_url)
Now what I need to do is to introduce some regex to my gsub string in order
to remove multiple occurrences of those characters.
Example :
Good Link :
/index.php?page=about
Bad Link :
///InDex.PhP????PaGe===AboUt
You will notice that the good link is very friendly whereas the Bad Link
will have the same contents served as the good link but is incredibly
dynamic and bypasses the cache each time. (Which is how people are launching
their DoS attacks)
Any help on this little project would be fantastic :)
Posted at Nginx Forum: https://forum.nginx.org/read.php?2,275500,275500#msg-275500
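
One way to collapse the repeated characters from the question, as an added example that is not part of the original post. The name normalize_uri and the sample inputs are constructed here; it assumes the backend serves identical content for every variant it folds together and that the result is used only to build the cache key.

```lua
-- Added example, not the poster's code. Plain Lua, so it also runs outside nginx.
-- Assumption: the normalised string is used as the cache key only; the
-- request passed to the backend is left untouched.

local function normalize_uri(request_uri)
  -- Split at the first "?": path before it, raw query after it.
  local path, query = request_uri:match("^([^?]*)%??(.*)$")

  -- Path: collapse runs of "/" and fold case.
  path = path:gsub("/+", "/"):lower()

  -- Query: drop the extra "?" left over from "????", collapse repeated
  -- "=" and "&", trim a stray "&" at either end, then fold case.
  query = query:gsub("^%?+", "")
               :gsub("=+", "=")
               :gsub("&+", "&")
               :gsub("^&", "")
               :gsub("&$", "")
               :lower()

  if query == "" then
    return path            -- "/index.php?" and "/index.php" share one key
  end
  return path .. "?" .. query
end

-- Constructed sample inputs (first one is the "Bad Link" from the post).
local samples = {
  { "///InDex.PhP????PaGe===AboUt", "/index.php?page=about" },
  { "/index.php?page=about",        "/index.php?page=about" },
  { "/index.php?",                  "/index.php" },
  { "//a//b/?x==1&&y=2&",           "/a/b/?x=1&y=2" },
}

for _, s in ipairs(samples) do
  local got = normalize_uri(s[1])
  assert(got == s[2], s[1] .. " -> " .. got)
  print(s[1], "->", got)
end

-- Inside nginx with ngx_lua, using the variable name from the post:
--   ngx.var.modified_url = normalize_uri(ngx.var.request_uri)
```

Collapsing "=" changes values that legitimately end in "==" (padded base64, for instance), and lowercasing changes case-sensitive parameters, so apply this only to locations where the application ignores those differences.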