Nginx

Sergey Pugovkin, 2022-03-16 17:21:03

How to configure nginx to reject all invalid HTTP requests?

Quote from https://habr.com/ru/company/cloud4y/blog/547164/ :

With Nginx proxy_pass it is possible to intercept errors and HTTP headers generated by the backend. This is very useful if you want to hide internal error messages and headers so that Nginx handles them instead. Nginx will automatically serve a custom error page if the backend responds with one. But what happens when Nginx does not recognize the backend's reply as an HTTP response?

If a client sends an invalid HTTP request to Nginx, that request will be forwarded to the backend as is, and the backend will respond with its raw content. Nginx will then fail to recognize the invalid HTTP response and will simply pass it through to the client. Imagine a uWSGI application like this:

# WSGI application from the article: the 500 status, the Secret-Header
# and the body are exactly the things Nginx is expected to replace or hide.
def application(environ, start_response):
    start_response('500 Error', [('Content-Type', 'text/html'),
                                 ('Secret-Header', 'secret-info')])
    return [b"Secret info, should not be visible!"]


And with the following directives in Nginx:

http {
   error_page 500 /html/error.html;   # page to serve instead of a 500
   proxy_intercept_errors on;         # apply error_page to backend responses too
   proxy_hide_header Secret-Header;   # strip this backend header before replying
}


proxy_intercept_errors will serve a custom response if the backend returns a response code greater than 300. In the uWSGI application above we send a 500 error, which Nginx will intercept.

proxy_hide_header is almost self-explanatory: it hides the specified HTTP header from the client.

If we send a regular GET request, Nginx will return:

HTTP/1.1 500 Internal Server Error
Server: nginx/1.10.3
Content-Type: text/html
Content-Length: 34
Connection: close


But if we send an invalid HTTP request like:

GET /? XTTP/1.1
Host: 127.0.0.1
Connection: close


We will get the following response:

XTTP/1.1 500 Error
Content-Type: text/html
Secret-Header: secret-info

Secret info, should not be visible!


----------------------------------------

So how do you prevent this? How do you configure nginx to reject all invalid HTTP requests?
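The configuration below is an added example, not part of the question, the answer or the linked article. It refuses such requests in nginx itself, before proxy_pass runs. nginx parses a request line whose third token is not "HTTP/x.y" (the "GET /? XTTP/1.1" line above) as an HTTP/0.9 request whose URI contains a space: no protocol string is recorded, so $server_protocol is empty, while $request_uri still holds the raw target with the space in it. The two if blocks test exactly those two symptoms. The listen port, server_name and the backend address 127.0.0.1:8000 (a uWSGI app serving plain HTTP) are assumptions.

```nginx
server {
    listen 80;                  # assumption: plain HTTP on the default port
    server_name example.test;   # assumption: any name will do

    # A request line without a proper "HTTP/x.y" token is parsed by nginx as
    # HTTP/0.9, which leaves $server_protocol empty, so it fails this regex.
    # Only real HTTP/1.0, 1.1, 2 and 3 requests get past this point.
    if ($server_protocol !~ "^HTTP/(1\.[01]|2\.0|3\.0)$") {
        return 400;
    }

    # The raw target still contains the space ("/? XTTP/1.1" on this page).
    # nginx also accepts "GET /a b HTTP/1.1" with a space inside the target;
    # a request-target may not contain whitespace, so reject that too.
    if ($request_uri ~ "\s") {
        return 400;
    }

    location / {
        # Backend settings from the question. Both if blocks above run in the
        # rewrite phase, so only a well-formed request ever reaches the proxy.
        proxy_pass http://127.0.0.1:8000;   # assumption: the uWSGI app lives here
        proxy_intercept_errors on;
        proxy_hide_header Secret-Header;
        error_page 500 /html/error.html;
    }
}
```

Both if blocks contain nothing but return, which is the one use of if that the rewrite module handles safely. Note that for an HTTP/0.9 request nginx writes no status line or headers at all, so the client still receives only the body of the 400 error page; the point is that the backend is never contacted and nothing it would have said can leak.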

1 answer

ky0, 2022-03-16

Why are you sending out secret headers in the first place? There is no need to.
