roles/nginx: Add mitigation for HTTPoxy vulnerability

Malicious requests including the HTTP_PROXY value will be able to manipulate some server-side libraries. Better to just block them in nginx. See: https://httpoxy.org/ See: https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
2016-07-21 14:45:41 +03:00 · 2016-07-21 14:45:41 +03:00 · b284098485
commit b284098485
parent a38d822fad
1 changed files with 5 additions and 0 deletions
--- a/roles/nginx/templates/vhost.conf.j2
+++ b/roles/nginx/templates/vhost.conf.j2
@ -56,6 +56,11 @@ server {
        #NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
        fastcgi_split_path_info ^(.+\.php)(/.+)$;

+        # Protect against "HTTPoxy" vulnerability in PHP libraries
+        # See: https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
+        # See: https://httpoxy.org/
+        fastcgi_param HTTP_PROXY "";
+
        {% if ansible_distribution_version == '16.04' %}
        fastcgi_pass unix:/run/php/php7.0-fpm-{{ domain_name }}.sock;
        {% else %}