From b2840984857f1a6f9aadfccfe0906ec29aeaa81f Mon Sep 17 00:00:00 2001
From: Alan Orth
Date: Thu, 21 Jul 2016 14:45:41 +0300
Subject: [PATCH] roles/nginx: Add mitigation for HTTPoxy vulnerability

Malicious requests including the HTTP_PROXY value will be able to manipulate some server-side libraries. Better to just block them in nginx.

See: https://httpoxy.org/
See: https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
---
 roles/nginx/templates/vhost.conf.j2 | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/roles/nginx/templates/vhost.conf.j2 b/roles/nginx/templates/vhost.conf.j2
index 34d946e..239fcc2 100644
--- a/roles/nginx/templates/vhost.conf.j2
+++ b/roles/nginx/templates/vhost.conf.j2
@@ -56,6 +56,11 @@ server {
 #NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
 fastcgi_split_path_info ^(.+\.php)(/.+)$;
 
+ # Protect against "HTTPoxy" vulnerability in PHP libraries
+ # See: https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
+ # See: https://httpoxy.org/
+ fastcgi_param HTTP_PROXY "";
+
 {% if ansible_distribution_version == '16.04' %}
 fastcgi_pass unix:/run/php/php7.0-fpm-{{ domain_name }}.sock;
 {% else %}
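Review bot: The added `fastcgi_param HTTP_PROXY "";` neutralises a client-supplied `Proxy` header only for requests that reach PHP-FPM through this fastcgi location; any `proxy_pass` or `uwsgi_pass` backend that may exist elsewhere in vhost.conf.j2 (not visible in this hunk) would still receive the header unchanged. The nginx guidance the comment links to pairs this directive with `proxy_set_header Proxy "";` at server level (and `uwsgi_param HTTP_PROXY "";` for uWSGI backends), so it is worth confirming whether the rest of the template needs the same treatment. It would also help a future reader to note that the empty value is passed on purpose: per nginx's fastcgi_param semantics an empty string is still sent and thereby overrides the header-derived HTTP_PROXY, e.g. `# the empty value is deliberate: it overrides the HTTP_PROXY nginx would otherwise derive from a client "Proxy" header`. The enclosing location and `server {` block start and end outside the hunk.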