alanorth
/
ansible-personal
1
0
Fork 0
Code Issues 4 Pull Requests Projects Releases Wiki Activity

roles/nginx: Add mitigation for HTTPoxy vulnerability 

Malicious requests including the HTTP_PROXY value will be able to
manipulate some server-side libraries. Better to just block them
in nginx.

See: https://httpoxy.org/
See: https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
This commit is contained in:
Alan Orth 2016-07-21 14:45:41 +03:00
parent a38d822fad
commit b284098485
Signed by: alanorth
GPG Key ID: 0FB860CC9C45B1B9
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
roles/nginx/templates/vhost.conf.j2
View File

@ -56,6 +56,11 @@ server {
#NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
fastcgi_split_path_info ^(.+\.php)(/.+)$;
# Protect against "HTTPoxy" vulnerability in PHP libraries
# See: https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
# See: https://httpoxy.org/
fastcgi_param HTTP_PROXY "";
{% if ansible_distribution_version == '16.04' %}
fastcgi_pass unix:/run/php/php7.0-fpm-{{ domain_name }}.sock;
{% else %}