dev-sec / nginx-baseline

DevSec Nginx Baseline - InSpec Profile
https://dev-sec.io/baselines/nginx/
Apache License 2.0

Prevent httpoxy attack #35

Open kravietz opened 5 years ago

kravietz commented 5 years ago

If the proxy module is used, make sure this is set to thwart the httpoxy attack:

proxy_set_header Proxy "";

More detailed discussion at Nginx website: Mitigating the HTTPoxy Vulnerability with NGINX

rndmh3ro commented 5 years ago

Hey @kravietz,

I moved this issue to our nginx-baseline repo, as new hardening-tests are first developed here! Then we will integrate them into the actual hardening repositories.

chris-rock commented 5 years ago

I think it is great to add an option here to verify that the proxy header is set to an empty string. How do we deal with the fact that the value is not always empty?

kravietz commented 5 years ago

@chris-rock any set at the proxy value prevents the attack - the vector only works if it can be set arbitrarily from the HTTP request. So a mere check for presence of proxy_set_header Proxy should be sufficient.
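As an added example, not code from the nginx-baseline project or from anyone in this thread, the check described above written in plain Ruby: scan an nginx configuration, detect whether the proxy module is in use (any `proxy_pass` directive) and whether a `proxy_set_header Proxy ...;` directive is present with any value, since only the presence of the directive matters for httpoxy. The sample configurations, the `analyse_nginx_conf` and `httpoxy_mitigated?` names and the single-directive-per-line assumption are mine; the same logic would sit inside an InSpec control that reads the config from the target.

```ruby
# Added example (not part of the dev-sec nginx-baseline project).
# Per the discussion in the issue, any value for the Proxy header neutralises
# httpoxy, because the attack only works when the client-supplied Proxy header
# is forwarded unchanged to the backend. So this is a presence check, not a
# check that the value is "".

# One directive per line is assumed (nginx allows more, but hardening configs
# are almost always written this way).
DIRECTIVE_RE = /\A\s*(proxy_pass|proxy_set_header)\s+(.*?)\s*;\s*\z/

def strip_comment(line)
  # nginx comments run from '#' to end of line; a commented-out
  # `proxy_set_header Proxy "";` must not count as a mitigation.
  line.sub(/#.*/, '')
end

def analyse_nginx_conf(text)
  result = { proxy_in_use: false, proxy_header_set: false, proxy_header_values: [] }
  text.each_line do |raw|
    m = DIRECTIVE_RE.match(strip_comment(raw)) or next
    directive, args = m[1], m[2]
    case directive
    when 'proxy_pass'
      result[:proxy_in_use] = true
    when 'proxy_set_header'
      name, value = args.split(/\s+/, 2)
      # HTTP header names are case-insensitive, so "proxy" and "Proxy" both count
      next unless name && name.casecmp?('proxy')
      result[:proxy_header_set] = true
      result[:proxy_header_values] << (value || '')
    end
  end
  result
end

# Passes when the proxy module is not used at all, or when the Proxy header
# is explicitly set (to any value).
def httpoxy_mitigated?(text)
  r = analyse_nginx_conf(text)
  !r[:proxy_in_use] || r[:proxy_header_set]
end

# Constructed sample: reverse proxy without the mitigation (the directive is
# only present as a comment, which must be ignored)
VULNERABLE_CONF = <<~NGINX
  server {
      listen 80;
      location / {
          # proxy_set_header Proxy "";
          proxy_pass http://app_backend;
      }
  }
NGINX

# Constructed sample: the same server with the header neutralised as proposed
HARDENED_CONF = <<~NGINX
  server {
      listen 80;
      location / {
          proxy_set_header Proxy "";
          proxy_pass http://app_backend;
      }
  }
NGINX

# Constructed sample: static-only server, proxy module not in use
STATIC_CONF = <<~NGINX
  server {
      listen 80;
      root /var/www/html;
  }
NGINX

if __FILE__ == $PROGRAM_NAME
  { 'vulnerable' => VULNERABLE_CONF, 'hardened' => HARDENED_CONF, 'static' => STATIC_CONF }.each do |label, conf|
    puts "#{label}: httpoxy mitigated? #{httpoxy_mitigated?(conf)}"
  end
end
```

The check deliberately reports a static-only server as not affected, so a baseline built on it only fails hosts that actually proxy; a stricter variant could require the directive whenever the proxy module is loaded.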

chris-rock commented 5 years ago

@kravietz That is great. Thank you for your explanation. Let us add this to the baseline!