roles/nginx: Add mitigation for HTTPoxy vulnerability

Malicious requests including the HTTP_PROXY value will be able to
manipulate some server-side libraries. Better to just block them
in nginx.

See: https://httpoxy.org/
See: https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
Alan Orth 2016-07-21 14:45:41 +03:00
parent a38d822fad
commit b284098485
Signed by: alanorth
GPG Key ID: 0FB860CC9C45B1B9

@ -56,6 +56,11 @@ server {
#NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini #NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_split_path_info ^(.+\.php)(/.+)$;
# Protect against "HTTPoxy" vulnerability in PHP libraries
# See: https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
# See: https://httpoxy.org/
fastcgi_param HTTP_PROXY "";
{% if ansible_distribution_version == '16.04' %} {% if ansible_distribution_version == '16.04' %}
fastcgi_pass unix:/run/php/php7.0-fpm-{{ domain_name }}.sock; fastcgi_pass unix:/run/php/php7.0-fpm-{{ domain_name }}.sock;
{% else %} {% else %}
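Review bot: the added `fastcgi_param HTTP_PROXY "";` applies only to this one PHP location, and it empties the value handed to PHP-FPM rather than blocking the request as the commit message puts it. If the role's templates contain any other `fastcgi_pass` location, the directive needs repeating there, and any `proxy_pass` upstream needs the equivalent `proxy_set_header Proxy "";` from the linked nginx post. Consider rewording the comment to say the header is blanked, so nobody checking the mitigation expects a rejected request in the access log.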