Reasons to use '$http_host' instead of '$host' with 'proxy_set_header Host' in template? #763
Spoofing is done via something like My understanding is that NGINX matched the server block not on Configuration from the linked information
If you did, you'd match the server_name private.example.com and be asked for a password. If you did, you'd match the server_name public.example.com and not be asked for a password. The key point though is that changing the proxy_set_header Host to $host would not change this. Using $host has its own vulnerability; you must handle the situation when the Host field is absent properly by defining default server blocks to catch those requests. I think this is a more common mistake made in configuration that could be exploited.
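An added configuration example, not part of this issue or of the nginx-proxy template, showing the default server block the comment above refers to next to a proxied server that uses `proxy_set_header Host $host`; the server name, upstream name and backend address are assumptions:

```nginx
# Catch-all default server: requests that carry no Host header (e.g. HTTP/1.0)
# or a Host matching no server_name land here instead of in whichever server
# block nginx would otherwise pick first for this listen address.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444;   # close the connection without sending a response
}

# Hypothetical proxied virtual host.
server {
    listen 80;
    server_name app.example.com;   # assumed name

    location / {
        proxy_pass http://backend;   # assumed upstream name

        # $host is, in order of precedence, the host from the request line,
        # the Host header (lowercased, port stripped) or this block's
        # server_name; $http_host is the raw Host header exactly as sent.
        # With the default server above, a request reaching this block has
        # already matched server_name, so $host is one of the names listed.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

upstream backend {
    server 127.0.0.1:8080;   # assumed backend address
}
```

Only one `default_server` is allowed per listen address and port, so each additional port (for example 443) needs its own catch-all server block.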
reference: nginx-proxy/nginx-proxy#763 Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com>
Hi,
we had a situation where an app using VAADIN would output a broken pipe error after some timeout that we confirmed would happen only when 'proxy_set_header Host $http_host' is used.
Simply overriding 'proxy_set_header Host' to using '$host' instead of '$http_host' fixed it for us.
I'm trying to understand why it is set to '$http_host' in the template, as my understanding is this is a security flaw as it could be spoofed?
This is where this information comes from: https://forum.nginx.org/read.php?2,257134,257189
Would it be acceptable to change the value of 'proxy_set_header Host $http_host' in the template to 'proxy_set_header Host $host'?
If you want, I can create the PR.