Disable http_dav_module in Nginx Web server (version nginx/1.24.0)
Thomas Ward
teward at thomas-ward.net
Wed Nov 29 00:42:59 UTC 2023
Kaushal,
The answer from Sergey is actually accurate. You'd have to modify the
build scripts to exclude the webdav module and then recompile the NGINX
packaging for your environment. This is not *hard* but requires more
knowledge than just NGINX to provide a solution that fits your
organization. The pkg-oss repo that Sergey provided a link to provides
the baseline components necessary to build the open source packages that
can be used by your system.
You would have to create your own RHEL packages based off the pkg-oss
repository and then build those packages and install them on your
corresponding infrastructure. That will, however, disable the ability
for you to get updates via the RHEL repositories.
Where did your client get the 'recommendation' from? Generally speaking,
most security teams aren't going to be wanting to manually build
software independently because that can cause issues with security
updates. Additionally, unless WebDAV is enabled in your environment
(read: *enabled*, not whether installed or not), it shouldn't be doing
anything. You can also just disable webdav by giving zero access with a
single line which then blocks all WebDAV routes.
Also, additionally, refer to this:
http://nginx.org/en/docs/http/ngx_http_dav_module.html
Specifically, the webdav system / module does NOT intercept methods and
do WebDAV stuff unless the configuration is set to.
The defaults for the webdav module specify this for the dav methods
(which in turn tells the module when to actually do something or not
with the HTTP method received and in turn processing that as WebDAV):
dav_methods off;
When dav_methods is off, which is the default unless you manually set it
otherwise, all methods are denied to the WebDAV module, per the
documentation of that directive: "Allows the specified HTTP and WebDAV
methods. The parameter |off| denies all methods processed by this module."
You may want to inform your clients' security team the following:
"In order to disable this module, we would have to manually compile the
software for your environment, which means that you will no longer
receive security updates, etc. from the RHEL team or repositories.
Additionally, documentation on this module states that the default setup
for this module is to be **disabled** regardless of whether this is
compiled into the binaries or not. If you really want this module
disabled, we will have to manually compile NGINX for all your machines,
and it will then be up to you to apply patches from NGINX for security
vulnerabilities and issues yourselves."
This achieves the following:
(1) Indicates to your clients that you've researched this issue,
(2) Indicates to your clients that, as you've done your research, you've
identified that in order to change the compiled-in modules you would be
required to manually do this per machine and break security patches from
RHEL, and
(3) During your research, it was uncovered that the presence of this
module does not by default enable WebDAV functionality, thereby
eliminating the security risk unless one of your administrators
configures the WebDAV module for a given site.
It also lets their team determine whether they really want to take on
the "manually recompile from source every patch" burden, and also that
their security concerns are mitigated because the webdav methods are
disabled by default.
Thomas
---
Thomas Ward
IT Security Professional
NGINX Package Maintainer, Debian
NGINX Package Watcher/Maintainer/Helper, Ubuntu
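As an added example (not part of the thread, and not an nginx project tool), the following POSIX shell audit separates the two states the benchmark's `nginx -V | grep` check conflates: the module being compiled in versus `dav_methods` actually enabling something. The `nginx -V` text and config files it runs on are constructed samples, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies an nginx host as:
#   not-compiled      http_dav_module absent from `nginx -V`
#   compiled-disabled module present, but every dav_methods is "off" (the default)
#   compiled-enabled  module present and some dav_methods enables a method
# The -V text and config path are passed in, so it runs on constructed samples.
# $1: captured `nginx -V 2>&1` text. Succeeds if the dav module is compiled in.
dav_compiled_in() {
    printf '%s\n' "$1" | grep -q -- '--with-http_dav_module'
}

# $1: config file or directory. Succeeds if, after stripping # comments,
# any dav_methods directive is something other than "off".
dav_enabled_in_config() {
    find "$1" -type f -name '*.conf' -exec cat {} + \
      | sed -E 's/#.*$//' \
      | grep -oE '(^|[;{[:space:]])dav_methods[[:space:]]+[^;]*;' \
      | grep -qvE 'dav_methods[[:space:]]+off[[:space:]]*;'
}

# $1: nginx -V text, $2: config path. Prints one of the three states.
dav_status() {
    if ! dav_compiled_in "$1"; then echo not-compiled
    elif dav_enabled_in_config "$2"; then echo compiled-enabled
    else echo compiled-disabled
    fi
}

# --- constructed samples (not real hosts) ---
SAMPLE_V_DAV='nginx version: nginx/1.24.0
configure arguments: --prefix=/etc/nginx --with-http_dav_module --with-http_ssl_module'
SAMPLE_V_NODAV='nginx version: nginx/1.24.0
configure arguments: --prefix=/etc/nginx --with-http_ssl_module'
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/default.conf" <<'EOF'
server {
    listen 80;
    dav_methods off;            # explicit default
    # dav_methods PUT DELETE;   commented out: must not count
    location / { root /srv/www; }
}
EOF
cat > "$SAMPLE_DIR/uploads.conf" <<'EOF'
location /uploads/ { dav_methods PUT DELETE MKCOL; }
EOF

dav_status "$SAMPLE_V_DAV" "$SAMPLE_DIR/default.conf"   # compiled-disabled
dav_status "$SAMPLE_V_DAV" "$SAMPLE_DIR"                # compiled-enabled
dav_status "$SAMPLE_V_NODAV" "$SAMPLE_DIR"              # not-compiled
```

On a real host, feed it `"$(nginx -V 2>&1)"` and `/etc/nginx` (or the output of `nginx -T` written to a file) instead of the samples.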
On 11/28/23 11:49, Kaushal Shriyan wrote:
> Hi
>
> On Tue, Nov 28, 2023 at 3:17 AM Sergey A. Osokin <osa at freebsd.org.ru>
> wrote:
>
> Hi Kaushal,
>
> hope you're doing well.
>
> Would you mind to provide your fillings and concerns, if any, on the
> ngx_http_dav module.
>
> It's definitely possible to use the build scripts, available in the
> pkg-oss repo, [1], update configure options and rebuild the package
> for your needs.
>
> References
> ----------
> 1. https://hg.nginx.org/pkg-oss/
>
> Thank you.
>
> --
> Sergey A. Osokin
>
> On Tue, Nov 28, 2023 at 12:39:47AM +0530, Kaushal Shriyan wrote:
> > Hi,
> >
> > I am running nginx version: nginx/1.24.0 on Red Hat Enterprise Linux
> > release 8.8 (Ootpa). Is there a way to disable http_dav_module in Nginx Web
> > server?
> >
> > # nginx -v
> > nginx version: nginx/1.24.0
> > # cat /etc/redhat-release
> > Red Hat Enterprise Linux release 8.8 (Ootpa).
> > #
> > # nginx -V 2>&1 | grep http_dav_module
> > configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx
> > --modules-path=/usr/lib64/nginx/modules
> --conf-path=/etc/nginx/nginx.conf
> > --error-log-path=/var/log/nginx/error.log
> > --http-log-path=/var/log/nginx/access.log
> --pid-path=/var/run/nginx.pid
> > --lock-path=/var/run/nginx.lock
> > --http-client-body-temp-path=/var/cache/nginx/client_temp
> > --http-proxy-temp-path=/var/cache/nginx/proxy_temp
> > --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp
> > --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp
> > --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx
> --group=nginx
> > --with-compat --with-file-aio --with-threads
> --with-http_addition_module
> > --with-http_auth_request_module --with-http_dav_module
> > --with-http_flv_module --with-http_gunzip_module
> > --with-http_gzip_static_module --with-http_mp4_module
> > --with-http_random_index_module --with-http_realip_module
> > --with-http_secure_link_module --with-http_slice_module
> > --with-http_ssl_module --with-http_stub_status_module
> > --with-http_sub_module --with-http_v2_module --with-mail
> > --with-mail_ssl_module --with-stream --with-stream_realip_module
> > --with-stream_ssl_module --with-stream_ssl_preread_module
> > --with-cc-opt='-O2 -g -pipe -Wall -Werror=format-security
> > -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions
> > -fstack-protector-strong -grecord-gcc-switches
> > -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
> > -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
> > -fasynchronous-unwind-tables -fstack-clash-protection
> -fcf-protection
> > -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'
> >
> > Please guide me. Thanks in Advance.
> >
> > Best Regards,
> >
> > Kaushal
>
> > _______________________________________________
> > nginx mailing list
> > nginx at nginx.org
> > https://mailman.nginx.org/mailman/listinfo/nginx
>
>
> Hi Sergey,
>
> I am working with an enterprise customer in financial domain. Their
> security team have suggested is the below recommendation.
>
> ############################################################################################################
> 2.1.2 Ensure HTTP WebDAV module is not installed (Automated)
> Profile Applicability:
> • Level 2 - Webserver
> • Level 2 - Proxy
> • Level 2 – Loadbalancer
> Description:
> The http_dav_module enables HTTP Extensions for Web Distributed
> Authoring and Versioning
> (WebDAV) as defined by RFC 4918. This enables file-based operations on
> your web server, such
> as the ability to create, delete, change and move files on your
> server. Most modern
> architectures have replaced this functionality with cloud-based object
> storage, in which case
> the module should not be installed.
> Rationale:
> WebDAV functionality opens up an unnecessary path for exploiting your
> web server. Through
> misconfigurations of WebDAV operations, an attacker may be able to
> access and manipulate
> files on the server.
> Audit:
> Run the following command to ensure the http_dav_module is not installed:
> nginx -V 2>&1 | grep http_dav_module
>
> Ensure the output of the command is empty.
> Remediation:
> To remove the http_dav_module, recompile nginx from source without the
> --with-http_dav_module flag.
> Default Value:
> The HTTP WebDAV module is not installed by default when installing
> from source. It does come
> by default when installed using dnf.
> ############################################################################################################
> Please guide me further. Thanks in advance.
>
> Best Regards,
>
> Kaushal
>