Nginx

Nginx is a high-performance web server, reverse proxy, and load balancer, known for its efficiency and low resource consumption.

Passing Request Headers

By default, NGINX eliminates the header fields whose values are empty strings and redefines two header fields in proxied requests:

  • Host is set to the $proxy_host variable
  • Connection is set to close

To change these settings, as well as modify other header fields, use the proxy_set_header directive.

Caching

By default, NGINX Plus caches all responses to requests:

  • HTTP methods: GET and HEAD
  • Cache key: Request string

Responses are cached the first time they are received from a proxied server. If a request has the same key as a cached response, NGINX Plus sends the cached response to the client.

http {
   # ...
   proxy_cache_path /data/nginx/cache keys_zone=mycache:10m;
   server {
       proxy_cache mycache;
       location / {
           proxy_pass http://localhost:8000;
       }
   }
}

To change the request characteristics used in calculating the key, include the proxy_cache_key directive:

proxy_cache_key "$host$request_uri$cookie_user";

Cache Poisoning

# [...]

http {
        # [...]
        proxy_cache_path /run/nginx/cache keys_zone=stat_cache:10m inactive=10s;

        server {
            listen 80 default_server;
            listen [::]:80 default_server;

            server_name _;

            location = /stats {
                proxy_cache stat_cache;
                proxy_cache_key "$arg_period";
                proxy_cache_valid 200 15s;

                proxy_pass http://127.0.0.1:3001;
            }
        }
}

The period GET parameter serves as the cache key. Because $arg_period holds only the first occurrence of the parameter, a request that carries a commonly used value such as 1m together with an additional malicious value contaminates the cache entry that is then served to every client asking for period=1m.

  • Example: http://localhost/stats?period=1m&period=<PAYLOAD>
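The same server block with the weak key kept as a comment next to a hardened one, as an added example (not part of the original notes or of NGINX's own documentation); the upstream address, paths and log file name are the ones assumed from the snippet above. Keying on $request_uri makes the full query string, both period values included, part of the key, which is also what NGINX's default key ($scheme$proxy_host$request_uri) does; logging $upstream_cache_status makes HIT/MISS behaviour visible for investigation.

```nginx
http {
    proxy_cache_path /run/nginx/cache keys_zone=stat_cache:10m inactive=10s;

    # Record the cache outcome per request so poisoning attempts show up in logs.
    log_format cache_log '$remote_addr "$request" $status $upstream_cache_status';
    access_log /var/log/nginx/cache.log cache_log;

    server {
        listen 80 default_server;
        listen [::]:80 default_server;

        server_name _;

        location = /stats {
            proxy_cache stat_cache;

            # Weak key from the notes above: only the first "period" value is in the key,
            # so /stats?period=1m and /stats?period=1m&period=other share one entry.
            # proxy_cache_key "$arg_period";

            # Hardened key: scheme, upstream host and the complete request line
            # (path plus full query string), matching NGINX's built-in default.
            proxy_cache_key "$scheme$proxy_host$request_uri";
            proxy_cache_valid 200 15s;

            # Expose the cache state to the client as well (useful while testing).
            add_header X-Cache-Status $upstream_cache_status;

            proxy_pass http://127.0.0.1:3001;
        }
    }
}
```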

Security

Basic Auth

  • auth_basic_user_file: The path to the .htpasswd file that contains user/password pairs
  • Package apache2-utils or httpd-tools
  • Command htpasswd -c /etc/apache2/.htpasswd user1

Filtering

  • allow / deny: Allow or deny access from particular IP addresses / subnets

Rate limit

Limit of 1 request per second per IP address (binary mode for performance). The rate unit is r/s or r/m, so rate=1r/m would give one request per minute instead.

http {
    #...
    limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
    server {
        limit_req zone=one;
        # ...
    }
}

For requests that arrive at the full bucket, NGINX will respond with the 503 Service Unavailable error (if not redefined with limit_req_status).