openresty / xss-nginx-module

Native support for cross-site scripting (XSS) in an nginx

The xss module does not work with official nginx #7

Closed yezigl closed 11 years ago

yezigl commented 11 years ago

With the same configuration the xss module works fine under openresty, but with official nginx plus the xss module it does not work, and there is nothing in error.log either. The nginx.conf configuration is as follows:

    location ^~ /api {
        xss_get on;
        xss_callback_arg "callback";
        proxy_pass http://resin-test-simulator;
        include /opt/conf/nginx/proxy-resin.conf;
    }

The nginx configure arguments are as follows:

    configure arguments: --prefix=/opt/apps_install/nginx-1.2.6 --conf-path=/opt/conf/nginx/nginx.conf --with-debug --with-pcre=../pcre-8.31 --with-http_stub_status_module --with-http_realip_module --with-http_ssl_module --add-module=../passport-v20120912 --add-module=../mod_saccounts --add-module=../ngx_devel_kit-0.2.17 --add-module=../lua-nginx-module-0.7.5 --add-module=../headers-more-nginx-module-0.19 --add-module=../xss-nginx-module-0.03

Please help me take a look, thanks.

agentzh commented 11 years ago

Hello!

On Thu, Jan 10, 2013 at 3:19 AM, yezigl notifications@github.com wrote:

> With the same configuration the xss module works fine under openresty, but with official nginx plus the xss module it does not work, and there is nothing in error.log either.

You can configure it like this to get more debugging information:

    error_log logs/error.log debug;

Best regards, -agentzh

yezigl commented 11 years ago

I used the headers-more module to set the Content-Type to application/json. Debugging shows that headers-more seems to run after xss, so xss fails to match the Content-Type.

    [debug] 20423#0: *23 http proxy status 200 "200 OK"
    [debug] 20423#0: *23 http proxy header: "Server: Resin/3.1.12"
    [debug] 20423#0: *23 http proxy header: "Date: Thu, 21 Feb 2013 11:04:47 GMT"
    [debug] 20423#0: *23 http proxy header done
    [debug] 20423#0: *23 xss skipped due to unmatched Content-Type response header
    [debug] 20423#0: *23 headers more header filter, uri "/api/services/user/info"
    [debug] 20423#0: *23 lua capture header filter, uri "/api/services/user/info"
    [debug] 20423#0: *23 posix_memalign: 00000000054B4CB0:4096 @16
    [debug] 20423#0: *23 HTTP/1.1 200 OK
    Server: nginx/1.2.7
    Date: Thu, 21 Feb 2013 11:04:47 GMT
    Content-Type: application/json
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: ppinfo=; domain=.sohu.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
    Set-Cookie: passport=; domain=.sohu.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
    Set-Cookie: ppinf=; domain=.sohu.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
    Set-Cookie: pprdig=; domain=.sohu.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
    Set-Cookie: ppmdig=; domain=.sohu.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT

agentzh commented 11 years ago

Hello!

On Thu, Feb 21, 2013 at 3:16 AM, yezigl notifications@github.com wrote:

> I used the headers-more module to set the Content-Type to application/json. Debugging shows that headers-more seems to run after xss, so xss fails to match the Content-Type.

You can swap the order of the two modules when compiling nginx, i.e. write it like this:

./configure --add-module=/path/to/xss-nginx-module \
           --add-module=/path/to/headers-more-nginx-module

That way the ngx_headers_more output filter will run before the ngx_xss one. (Note that the order in which output filters run is exactly the reverse of the order of the --add-module=PATH command-line options.)

Best regards, -agentzh
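The reverse-order rule in the reply above, modelled in C as an added example (this is not code from nginx, from xss-nginx-module or from headers-more-nginx-module). It reproduces the registration idiom nginx filter modules use: each module's postconfiguration hook saves the current top-of-chain function pointer and installs itself as the new top, so the module registered last, i.e. the last `--add-module` on the `./configure` line, runs first. The `request_t` struct, the single filter function per module and the callback-name rule are simplifications assumed here for illustration; the real xss module checks Content-Type in a header filter and wraps the body in a separate body filter, and its exact callback validation is not reproduced.

```c
#include <stdio.h>
#include <string.h>

/* Minimal model of a response as the two filters see it (assumed, not nginx's). */
typedef struct {
    const char *content_type;   /* Content-Type as seen by the next filter in the chain */
    const char *callback;       /* value of the ?callback= argument (xss_callback_arg) */
    char        body[256];      /* response body; wrapped in place by the xss model */
    int         xss_applied;    /* 1 once the xss filter wrapped the body */
} request_t;

typedef int (*header_filter_pt)(request_t *r);

/* Single "top of chain" pointer, like nginx's ngx_http_top_header_filter. */
static header_filter_pt top_header_filter;

/* Terminal filter: stands in for nginx's own header/body writers. */
static int final_filter(request_t *r) { (void) r; return 0; }

/* ---- xss-nginx-module model ----------------------------------------- */
static header_filter_pt xss_next_filter;

/* Assumed callback rule (not taken from the module's source): a JavaScript
   identifier, optionally dotted, so a value like "alert(1)//" is rejected. */
static int xss_callback_ok(const char *cb)
{
    if (cb == NULL || *cb == '\0') return 0;
    if (!((*cb >= 'A' && *cb <= 'Z') || (*cb >= 'a' && *cb <= 'z') || *cb == '_')) return 0;
    for (const char *p = cb; *p; p++) {
        int ok = (*p >= 'A' && *p <= 'Z') || (*p >= 'a' && *p <= 'z')
              || (*p >= '0' && *p <= '9') || *p == '_' || *p == '.';
        if (!ok) return 0;
    }
    return 1;
}

/* Only responses whose Content-Type is application/json get wrapped;
   anything else is passed through, matching the thread's debug line
   "xss skipped due to unmatched Content-Type response header". */
static int xss_filter(request_t *r)
{
    char wrapped[sizeof r->body];

    if (r->content_type == NULL || strcmp(r->content_type, "application/json") != 0) {
        return xss_next_filter(r);
    }
    if (!xss_callback_ok(r->callback)) {
        return xss_next_filter(r);
    }
    snprintf(wrapped, sizeof wrapped, "%s(%s);", r->callback, r->body);
    strcpy(r->body, wrapped);
    r->content_type = "application/x-javascript";   /* assumed output type */
    r->xss_applied = 1;
    return xss_next_filter(r);
}

/* Registration: save the old top, become the new top. */
static void xss_postconfiguration(void)
{
    xss_next_filter = top_header_filter;
    top_header_filter = xss_filter;
}

/* ---- headers-more-nginx-module model --------------------------------- */
static header_filter_pt headers_more_next_filter;

/* Models: more_set_headers 'Content-Type: application/json'; */
static int headers_more_filter(request_t *r)
{
    r->content_type = "application/json";
    return headers_more_next_filter(r);
}

static void headers_more_postconfiguration(void)
{
    headers_more_next_filter = top_header_filter;
    top_header_filter = headers_more_filter;
}

/* Build the chain in --add-module order, push one response whose upstream
   sent text/html through it, and report whether xss wrapped it. The final
   body is copied to `out` when it is non-NULL. */
int xss_applied_for_order(int xss_added_first, const char *callback, char *out, size_t outlen)
{
    request_t r = { "text/html", callback, "{\"user\":\"yezigl\"}", 0 };

    top_header_filter = final_filter;
    if (xss_added_first) {
        xss_postconfiguration();            /* --add-module=xss first          */
        headers_more_postconfiguration();   /* headers-more second: it is top  */
    } else {
        headers_more_postconfiguration();   /* the issue reporter's original order */
        xss_postconfiguration();            /* xss is top: runs before Content-Type is fixed */
    }

    top_header_filter(&r);
    if (out != NULL) snprintf(out, outlen, "%s", r.body);
    return r.xss_applied;
}

int main(void)
{
    char body[256];
    int applied = xss_applied_for_order(0, "cb", body, sizeof body);
    printf("headers-more before xss on configure line: applied=%d body=%s\n", applied, body);
    applied = xss_applied_for_order(1, "cb", body, sizeof body);
    printf("xss before headers-more on configure line: applied=%d body=%s\n", applied, body);
    applied = xss_applied_for_order(1, "alert(1)//", body, sizeof body);
    printf("same order, bad callback name:             applied=%d body=%s\n", applied, body);
    return 0;
}
```

With the reporter's original order (headers-more listed before xss) the xss filter is installed last, runs first, sees the upstream's `text/html` and skips; with the order from the reply, headers-more runs first, rewrites Content-Type, and the xss filter wraps the body. The callback check is there because JSONP wrapping reflects the query argument into a script body, so a module like this has to restrict the callback name to an identifier.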

yezigl commented 11 years ago

It works now, thanks!