Nginx lense parsing issue related to empty string value #657

Open
erthmeld opened this issue Jan 16, 2020 · 4 comments

@erthmeld

erthmeld commented Jan 16, 2020

I'm running into a parsing issue with the Nginx documented solution for dropping traffic that contains an empty Host header.

Nginx Request processing documentation

If requests without the “Host” header field should not be allowed, a server that just drops the requests can be defined:

        server {
            listen      80;
            server_name "";
            return      444;
        }
Here, the server name is set to an empty string that will match requests without the “Host” header field, and a special nginx’s non-standard code 444 is returned that closes the connection.

I've identified the point of failure parsing the conf file based on manually running augtool with the get parameter.

/augeas/files/etc/nginx/nginx.conf
/augeas/files/etc/nginx/nginx.conf/path = "/files/etc/nginx/nginx.conf"
/augeas/files/etc/nginx/nginx.conf/mtime = "1579129215"
/augeas/files/etc/nginx/nginx.conf/lens = "Nginx.lns"
/augeas/files/etc/nginx/nginx.conf/lens/info = "/usr/share/augeas/lenses/dist/nginx.aug:121.10-.52:"
/augeas/files/etc/nginx/nginx.conf/error = "parse_failed"
/augeas/files/etc/nginx/nginx.conf/error/pos = "2164"
/augeas/files/etc/nginx/nginx.conf/error/line = "67"
/augeas/files/etc/nginx/nginx.conf/error/char = "14"
/augeas/files/etc/nginx/nginx.conf/error/lens = "/usr/share/augeas/lenses/dist/nginx.aug:121.10-.52:"
/augeas/files/etc/nginx/nginx.conf/error/message = "Syntax error"

Line in question:
server_name "";

I recall seeing other issues related to quote characters as I was trying to resolve this initially, and initially believed it may be similar to this issue.

@raphink
Member

raphink commented Jan 21, 2020

There seem to be two issues here actually:

  • the word server gets special parsing in this context, so server_name fails to parse
  • a value of "" cannot be parsed at the moment

I've looked into it and it doesn't seem simple to fix with the code as it is now.

@erthmeld
Author

Thanks for the response, I'd be amazed if server_name parameter fails to parse wholesale. It's literally the primary identifier for an nginx virtual server, and the underlying means of routing same port traffic to different http endpoints. If that parameter was unable to be parsed/configured via augeas with the nginx lens it would be almost useless in any production configuration.

That said, given that the empty quotes can't be parsed the above is moot in terms of my specific issue. Sounds like a good old-fashioned sed -i is in my near future on this one. Cheers.

@raphink
Member

raphink commented Jan 24, 2020

If you want this implemented in Augeas, you can also send me an email and we'll see what we can do.

@erthmeld
Author

erthmeld commented Feb 3, 2020

Thanks, I'll shoot you an email as well. It's a minor issue from an nginx security standpoint but under the wrong circumstances not performing the empty host header rejection can cause an internal IP exposure risk. I believe we have a workaround that doesn't require the empty servername block but it's unnecessarily complicated.
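An added example, not part of this thread and not Augeas or nginx code: a small Python check that confirms a config still contains the Host-less drop block quoted in the issue, without going through the lens. The function names, the simplified tokenizer (no `${var}` or unterminated-quote handling) and the sample configs are assumptions made for illustration.

```python
import re

# One token: comment, "double-quoted", 'single-quoted', punctuation, or bare word.
TOKEN = re.compile(r'''#[^\n]*|"((?:[^"\\]|\\.)*)"|'((?:[^'\\]|\\.)*)'|([{};])|([^\s{};"']+)''')

def tokenize(text):
    """Yield (is_punct, value); a quoted empty string yields (False, '')."""
    for m in TOKEN.finditer(text):
        if m.lastindex is not None:      # None means the match was a comment
            yield (m.lastindex == 3, m.group(m.lastindex))

def parse(text):
    """Return nested directives as (name, args, children-or-None) tuples."""
    root = []
    stack, cur = [root], []
    for is_punct, val in tokenize(text):
        if not is_punct:
            cur.append(val)
            continue
        if val == '{':
            children = []
            stack[-1].append((cur[0] if cur else '', cur[1:], children))
            stack.append(children)
        elif val == ';' and cur:
            stack[-1].append((cur[0], cur[1:], None))
        elif val == '}' and len(stack) > 1:
            stack.pop()
        cur = []
    return root

def server_blocks(tree):
    """Yield the body of each 'server { ... }' block, not upstream 'server x;' lines."""
    for name, _args, children in tree:
        if children is not None and name == 'server':
            yield children
        elif children is not None:
            yield from server_blocks(children)

def drops_hostless_requests(conf_text):
    """True if a server block lists "" in server_name and has top-level 'return 444'."""
    for body in server_blocks(parse(conf_text)):
        names = [a for n, args, _c in body if n == 'server_name' for a in args]
        drops = any(n == 'return' and args[:1] == ['444'] for n, args, _c in body)
        if '' in names and drops:
            return True
    return False

# Constructed sample input (not the reporter's real nginx.conf).
GOOD = 'http {\n  server {\n    listen 80;\n    server_name "";\n    return 444;\n  }\n}\n'
BAD = 'http {\n  # server_name "";\n  server { listen 80; server_name example.test; return 444; }\n}\n'
```

`drops_hostless_requests(GOOD)` is true and `drops_hostless_requests(BAD)` is false, because the commented-out `server_name "";` is skipped and the remaining server block names a real host.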
