Using correct variable for proxy_pass

Rob Fulton rob at
Mon Nov 19 09:47:32 UTC 2018


I'm trying to work out the best way to setup the proxy_pass url and 
which variables to use. Initially we were using proxy_pass to proxy to a 
single https URL, we used a rewrite to change https://hostname/ to 

We've recently discovered issues due to the single DNS query nginx 
performs so moved to using a variable for the hostname, this required us 
to set proxy_pass to the full requests url. We started with :

proxy_pass ${content_server}content$request_uri

This worked as expected but our rewrite rules failed to work, looking at 
the documentation, this is seems to be expected since this is the 
request pre-processing by nginx.

We then moved to :

proxy_pass ${content_server}content$uri

This works fine with the rewrite rules but I noticed a comment on 
StackOverflow stating this opens you up to header injection 
vulnerabilities. Is there a variable / combination of variables that 
allow you to preserve rewrites without the potential security issues, or 
a better way of doing this ensuring we can use variables in the 
proxy_pass hostname?



More information about the nginx mailing list