Using correct variable for proxy_pass
Maxim Dounin
mdounin at mdounin.ru
Mon Nov 19 13:12:10 UTC 2018
Hello!
On Mon, Nov 19, 2018 at 09:47:32AM +0000, Rob Fulton wrote:
> Hi,
>
> I'm trying to work out the best way to setup the proxy_pass url and
> which variables to use. Initially we were using proxy_pass to proxy to a
> single https URL, we used a rewrite to change https://hostname/ to
> https://hostname/index.html.
>
> We've recently discovered issues due to the single DNS query nginx
> performs so moved to using a variable for the hostname, this required us
> to set proxy_pass to the full requests url. We started with :
>
> proxy_pass ${content_server}content$request_uri
>
> This worked as expected but our rewrite rules failed to work, looking at
> the documentation, this is seems to be expected since this is the
> request pre-processing by nginx.
>
> We then moved to :
>
> proxy_pass ${content_server}content$uri
>
> This works fine with the rewrite rules but I noticed a comment on
> StackOverflow stating this opens you up to header injection
> vulnerabilities. Is there a variable / combination of variables that
> allow you to preserve rewrites without the potential security issues, or
> a better way of doing this ensuring we can use variables in the
> proxy_pass hostname?
If you want to use variables in the proxy_pass and at the same
time want to preserve effect of nginx internal URI changes such as
due to rewrites, consider using an empty URI compontent in the
proxy_pass. For example:
set $backend "http://example.com";
proxy_pass $backend;
--
Maxim Dounin
http://mdounin.ru/
More information about the nginx
mailing list