Using correct variable for proxy_pass

Maxim Dounin mdounin at
Mon Nov 19 13:12:10 UTC 2018


On Mon, Nov 19, 2018 at 09:47:32AM +0000, Rob Fulton wrote:

> Hi,
> I'm trying to work out the best way to setup the proxy_pass url and 
> which variables to use. Initially we were using proxy_pass to proxy to a 
> single https URL, we used a rewrite to change https://hostname/ to 
> https://hostname/index.html.
> We've recently discovered issues due to the single DNS query nginx 
> performs so moved to using a variable for the hostname, this required us 
> to set proxy_pass to the full requests url. We started with :
> proxy_pass ${content_server}content$request_uri
> This worked as expected but our rewrite rules failed to work, looking at 
> the documentation, this is seems to be expected since this is the 
> request pre-processing by nginx.
> We then moved to :
> proxy_pass ${content_server}content$uri
> This works fine with the rewrite rules but I noticed a comment on 
> StackOverflow stating this opens you up to header injection 
> vulnerabilities. Is there a variable / combination of variables that 
> allow you to preserve rewrites without the potential security issues, or 
> a better way of doing this ensuring we can use variables in the 
> proxy_pass hostname?

If you want to use variables in the proxy_pass and at the same 
time want to preserve effect of nginx internal URI changes such as 
due to rewrites, consider using an empty URI compontent in the 
proxy_pass.  For example:

   set $backend "";
   proxy_pass $backend;

Maxim Dounin

More information about the nginx mailing list