Nginx
GrrrDog edited this page Dec 18, 2018
- https://www.nginx.com/
- Tested version: 1.15.3
- case-sensitive for the verb (400 error)
- doesn't treat `//` as a directory (`/images/1.jpg/..//../1.jpg` -> `/1.jpg`)
- doesn't allow `%00`, `0x00`, or a bare `%` in the path
- doesn't allow `%2f` as the first slash
- doesn't normalize `/..`
- `Server: nginx`
- 400 error:
```html
<html>
<head><title>400 Bad Request</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<hr><center>nginx/1.15.3</center>
</body>
</html>
```
- 403:
```html
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx</center>
</body>
</html>
```
- supports absolute-URI request targets, which take priority over the `Host` header
- accepts any scheme in an absolute URI
- doesn't like `@` in an absolute URI
- `(none)`: If no modifiers are present, the location is interpreted as a prefix match. This means that the location given will be matched against the beginning of the request URI to determine a match.
- `=`: If an equal sign is used, this block will be considered a match if the request URI exactly matches the location given.
- `~`: If a tilde modifier is present, this location will be interpreted as a case-sensitive regular expression match.
- `~*`: If a tilde and asterisk modifier is used, the location block will be interpreted as a case-insensitive regular expression match.
- `^~`: If a caret and tilde modifier is present, and if this block is selected as the best non-regular expression match, regular expression matching will not take place.
- backend (URL to origin) is uncontrollable
- parses, URL-decodes, normalizes, then finds the location
- cuts off `#fragment`
- doesn't normalize `/..`
- `//` -> `/`
- cut off
- if there is a trailing slash in proxy_pass (`proxy_pass http://backend/`), it sends the processed request:
  - of all URL-encoded symbols in the path, it doesn't re-encode `` !"$&'()*+,-./:;<=>@[\]^_`{|}~ ``
  - `%2f` becomes `/`, which is useful for `%2f..`
  - `<> ' "` - useful for XSS
  - stay encoded: `%23 %25 %3F`, `%01`-`%20`, >`%7F`
- if there is no trailing slash in proxy_pass (`proxy_pass http://backend`), it sends the initial request:
  - `` /!"$&'()*+,-./:;<=>@[\]^_`{|}~?a#z `` -> `` /!"$&'()*+,-./:;<=>@[\]^_`{|}~?a#z ``
  - `%2f` -> `%2f`
- `proxy_pass http://$host/` (with a trailing `/`) doesn't proxy the path part
- `proxy_pass http://192.168.78.111:9999` -> `http://192.168.78.111:9999/path_from_location/`
- forwards raw bytes (0x01-0x20, >0x80) in the path as-is
- sets HTTP/1.0 by default
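The proxy_pass path rules above (trailing slash: decoded and normalized request; no trailing slash: the initial request untouched), as an added Python model that is not nginx's code and not part of the original wiki. It encodes only the behaviours listed on this page, so `backend_request_target` is a hypothetical helper for predicting what the upstream sees, and the `/..` exception is not modelled.

```python
import re


def _decode_path(path):
    """Percent-decode as the notes describe; None where nginx answers 400."""
    if re.search(r"%(?![0-9A-Fa-f]{2})|%00", path):
        return None                          # bare '%' or NUL byte -> 400

    def one(m):
        byte = int(m.group(1), 16)
        if byte in (0x23, 0x25, 0x3F) or byte <= 0x20 or byte >= 0x7F:
            return "%%%02X" % byte           # '#', '%', '?', %01-%20, >%7F stay encoded
        return chr(byte)                     # decoded and not re-encoded (%2f -> /)

    return re.sub(r"%([0-9A-Fa-f]{2})", one, path)  # raw bytes pass through as-is


def _normalize(path):
    """Collapse '//' and resolve '.' and '..' segments; '..' never climbs above '/'."""
    segs = []
    for part in path.split("/")[1:]:
        if part in ("", "."):
            continue                         # '//' is not a directory
        if part == "..":
            if segs:
                segs.pop()
            continue
        segs.append(part)
    result = "/" + "/".join(segs)
    if result != "/" and path.endswith(("/", "/.", "/..")):
        result += "/"
    return result


def backend_request_target(raw_target, trailing_slash):
    """Request target expected upstream, or None for a 400 (hypothetical helper).
    trailing_slash=True models 'proxy_pass http://backend/' (processed request),
    False models 'proxy_pass http://backend' (initial request, untouched)."""
    if not trailing_slash:
        return raw_target                    # %2f, '?a#z' and all survive
    target = raw_target.split("#", 1)[0]     # fragment is cut off
    path, sep, query = target.partition("?")
    decoded = _decode_path(path)
    if decoded is None:
        return None
    return _normalize(decoded) + sep + query
```

Comparing the two return values for the same raw target shows exactly which requests change shape between the front proxy and the origin.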
- `$host` - from the request's `Host` header; `$http_host`
- host from config (default)
- allows more than one `Host` header; forwards only the first one
- doesn't forward headers with space symbols in the name (`AnyHeader:` or `AnyHeader :`)
- no additional headers to backend
- similar to proxy_pass with trailing slash
- `%0a` cuts the path: `/rewrite_slash/123%0a456?a=b` -> `/rewrite_slash/123?a=b`
```nginx
location /rewrite_slash/ {
    rewrite /rewrite_slash/(.*) /$1 break;
    proxy_pass http://backend:9999/;
}
```
- Nginx only caches GET and HEAD requests
- it respects the `Cache-Control` and `Expires` headers from the origin server
- it does not cache responses with `Cache-Control` set to `private`, `no-cache`, or `no-store`, or with `Set-Cookie` in the response headers
- does not honor `Pragma` or the client's `Cache-Control`
- cache key: `Host` header and path+query
- `#` is an ordinary symbol here
- `X-Cache-Status: MISS` - custom header which shows the caching status
- If caching is enabled, the header fields `If-Modified-Since`, `If-Unmodified-Since`, `If-None-Match`, `If-Match`, `Range`, and `If-Range` from the original request are not passed to the origin server.
- doesn't care about `If-Match` for uncached content
- cares about `If-Match` for cached content:
  - `W/"0815"` - returns 412 Precondition Failed
  - `If-Match: *` returns the body
- doesn't care about `Range` headers
- one-level traversal: `/host_noslash_path../somthing/` -> with
```nginx
location /host_noslash_path {
    proxy_pass http://192.168.78.111:9999/lala/;
}
```
- no leading `/` (absolute URI?): `/without/slash/here` -> `GET without/slash/here HTTP/1.1` with
```nginx
rewrite /(.*) $1 break;
```