ptpb / pb

pb is a formerly-lightweight pastebin and url shortener

pb returning additional headers + inode leaks #205

Closed jowypej closed 6 years ago

jowypej commented 6 years ago

Maybe you can help me with this etag leakage. It seems the pb server is returning its own headers in addition to the ones I've specified (notice there's two Cache-Control headers). What am I doing wrong here? How do I keep the server from returning the etags and unwanted cache-control headers?

http {
    [...]

    add_header X-Content-Type-Options "nosniff" always;

    add_header X-XSS-Protection "1; mode=block" always;

    add_header X-Frame-Options "DENY" always;

    # the policy token is "no-referrer"; "no-refferer" is not a recognised value
    add_header Referrer-Policy "no-referrer" always;

    add_header Cache-Control "private" always;

    add_header Pragma "private" always;

    # only affects files nginx serves itself; proxied responses keep the upstream ETag
    etag off;

    ## main site
    server {
        [...]
    }

    ## bin subdomain
    server {
        listen 0.0.0.0:80;
        server_name bin.website.com;
        root /var/www/website/;
        index index.html;

        [...]

        location / {
            proxy_pass http://localhost:10002;
            proxy_set_header Host $host;
            proxy_pass_request_headers on;
        }
    }
}

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          website.com
+ Target Hostname:    bin.website.com
+ Target Port:        80
+ Start Time:         2017-10-24 13:41:24 (GMT-4)
---------------------------------------------------------------------------
+ Server: nginx
+ Server leaks inodes via ETags, header found with file /, fields: 0xpaste 0xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx8b79c 
+ Uncommon header 'referrer-policy' found, with contents: no-refferer
+ ERROR: Host maximum execution time of 60 seconds reached
+ Scan terminated:  0 error(s) and 2 item(s) reported on remote host
+ End Time:           2017-10-24 13:41:35 (GMT-4) (61 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

curl -sv http://bin.website.com

* Rebuilt URL to: http://bin.website.com/
*   Trying website.com...
* TCP_NODELAY set
* Connected to bin.website.com (website.com) port 80 (#0)
> GET / HTTP/1.1
> Host: bin.website.com
> User-Agent: curl/7.55.1
> Accept: */*
> 
< HTTP/1.1 200 OK
< Server: nginx
< Date: Tue, 24 Oct 2017 17:50:39 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 8122
< Connection: keep-alive
< Access-Control-Allow-Origin: *
< ETag: "paste-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx8b79c"
< Cache-Control: public, max-age=43200
< Accept-Ranges: none
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: DENY
< Referrer-Policy: no-refferer
< Pragma: private
< Cache-Control: private
< 
{ [2456 bytes data]
* Failed writing body (1074 != 3486)
* stopped the pause stream!
* Closing connection 0

It displays different etags as well with 404s:

< ETag: "pb.pb-c40de9ff0eb1a8adb68dcd7266d2e5c8f3610e8c"

buhman commented 6 years ago

etag leakage

Odd that you'd dislike this, because that etag indeed uniquely identifies that exact response (including 404 responses, because why not). You should be able to use proxy_hide_header for this:

    location / {
        proxy_pass http://localhost:10002;
        proxy_set_header Host $host;
        proxy_pass_request_headers on;
        proxy_hide_header Etag;
        proxy_hide_header Cache-Control;
    }

buhman commented 6 years ago

The idea with that by the way, is you can use something like varnish to add 304 not modified support to a pb deployment, which is useful if you're deploying a static website with multiple/large resources on pb.
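A check for the proxy_hide_header fix suggested above, added here as an example and not part of the thread or of pb itself: a POSIX sh function that reads raw response headers (as printed by curl -sI) and reports a leaked ETag or any header name sent more than once, so the doubled Cache-Control seen in the issue is caught. The header samples are constructed from the issue's curl output; the host name is the issue's placeholder.

```shell
# Constructed sample: the relevant response headers from the issue's curl
# output before nginx hides the upstream headers (not a live capture).
BEFORE_HEADERS='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Access-Control-Allow-Origin: *
ETag: "paste-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx8b79c"
Cache-Control: public, max-age=43200
X-Frame-Options: DENY
Pragma: private
Cache-Control: private'

# Constructed: the same response once proxy_hide_header drops ETag and
# the upstream Cache-Control, leaving only the headers nginx adds itself.
AFTER_HEADERS='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Access-Control-Allow-Origin: *
X-Frame-Options: DENY
Pragma: private
Cache-Control: private'

# audit_headers: read raw response headers on stdin and print one finding
# per line: "etag" if an ETag header is present, "duplicate:<name>" for
# every header name sent more than once. Returns 1 if anything was found.
audit_headers() {
    findings=$(
        tr -d '\r' |
        awk '
            # Only "Name: value" lines count; the status line has no ": ".
            /^[A-Za-z0-9-]+: / {
                name = tolower($0)
                sub(/:.*/, "", name)
                count[name]++
                if (name == "etag") print "etag"
            }
            END { for (n in count) if (count[n] > 1) print "duplicate:" n }
        ' | sort
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Against a live deployment (host name as used in the issue):
#   curl -sI http://bin.website.com/ | audit_headers
```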