Nginx在转发斜杠之前可能会删除URL路径中的点(“.”)。

huangapple go评论91阅读模式
英文:

Nginx possibly removing dot (".") from URL path before forwardslash

问题

我已经定义了一个反向代理,像这样:

    server {
        listen       443 ssl;
        server_name  testing.com;
        ssl_certificate      "C:/nginx/testing.crt";
        ssl_certificate_key  "C:/nginx/testing.key";
        location / {
            proxy_pass  "http://127.0.0.1:8888/";
        }
    }

反向代理按预期工作。现在我们解决了这个问题:

我有一个情况,我需要在URL中传递参数,有些参数有时以点(.)结尾,像这样"https://testing.com/param1./param2/param3/param4."。
但是由于某种原因,服务器接收到的URL看起来像这样"127.0.0.1:8888/param1/param2/param3/param4"。

如果我直接调用服务器,像这样"127.0.0.1:8888/param1./param2/param3/param4.",参数是正确的。我猜测是nginx修改了URL。也许问题出在其他地方...

我使用的是Windows 10。服务器是一个使用内置库的Go(golang)服务器。我已经设置了自签名证书并编辑了我的hosts文件(从来没有遇到过问题)。

另外,我的朋友也在这个项目上工作,他没有任何问题,尽管我们的nginx配置完全相同,唯一的区别是他使用的是Linux系统。

英文:

I have defined a reverse proxy like this:

    server {
        listen       443 ssl;
        server_name  testing.com;
        ssl_certificate      "C:/nginx/testing.crt";
        ssl_certificate_key  "C:/nginx/testing.key";
        location / {
            proxy_pass  "http://127.0.0.1:8888/";
        }
    }

The reverse proxy works as intended. Now that we got that out of the way:

I have a case where i need to pass parameters in the URL and some of the parameters sometimes end with a dot (.) like this "https://testing.com/param1./param2/param3/param4."
But for some reason the URL that is received at the server looks like this "127.0.0.1:8888/param1/param2/param3/param4"

If i call the server directly like this "127.0.0.1:8888/param1./param2/param3/param4.", the parameters are correct. My guess is that nginx modifies the URL. Maybe the issues lies somewhere else...

I am on Windows 10. The server is a Go (golang) server that uses only built in libraries. I have setup self signed certificates and edited my hosts file (never had issues with those).

ALSO - my friend who is also working on this project has no issues even tho we have identical nginx setups, but the only difference is that he is on Linux.

答案1

得分: 1

您遇到的是在nginx 1.3.1和0.8.6版本中实现的功能:

nginx 1.3.1的更改                                         2012年6月5日

    *) 安全性:现在nginx/Windows会忽略URI路径组件中的尾部点,并且不允许带有":$"的URI。
       感谢Vladimir Kochetkov,Positive Research Center。

nginx 0.8.6的更改                                         2009年7月20日

    *) Bug修复:现在nginx/Windows会忽略URI中的尾部点。
       感谢Hugo Leisink。

(http://nginx.org/en/CHANGES-1.24)

实际上,nginx在Windows上也会忽略路径中的尾部空格:

nginx 0.8.33的更改                                        2010年2月1日

    *) 安全性:现在nginx/Windows会忽略URI中的尾部空格。
       感谢Dan Crowley,Core Security Technologies。

    *) 安全性:现在nginx/Windows会忽略短文件名。
       感谢Dan Crowley,Core Security Technologies。

与周期相关的更改是在提交f83598a35981197ac113b9c898bdb972aa8366da(在1.3.1中)和2376d6082ab407a68619bfeb753c825e30617e2d(在0.8.6中)中引入的。

我在调试nginx 1.20.1时发现了类似的问题,其中在Windows上反向代理的请求会删除请求路径末尾的所有点。查看URL解析源代码时,写下这个回答时,看起来这个功能是不可配置的。

可以通过在proxy_pass中使用$request_uri来稍微解决这个问题,例如:

proxy_pass http://127.0.0.1:8888$request_uri;

这将将未经处理的URI路径发送到上游。当然,由于这是原始路径,所以不受位置规则的影响,因此您可能会得到与所需路径不同的路径。此外,如果您使用路径来访问/提供文件,请注意此点/空格规范化试图保护您免受的安全问题。

英文:

You have run into the features implemented in nginx versions 1.3.1 and 0.8.6 for Windows:

Changes with nginx 1.3.1                                         05 Jun 2012

    *) Security: now nginx/Windows ignores trailing dot in URI path
       component, and does not allow URIs with ":$" in it.
       Thanks to Vladimir Kochetkov, Positive Research Center.

Changes with nginx 0.8.6                                         20 Jul 2009

    *) Bugfix: now nginx/Windows ignores trailing dots in URI.
       Thanks to Hugo Leisink.

(http://nginx.org/en/CHANGES-1.24)

In fact, nginx also ignores trailing spaces in paths too, only on Windows:

Changes with nginx 0.8.33                                        01 Feb 2010

    *) Security: now nginx/Windows ignores trailing spaces in URI.
       Thanks to Dan Crowley, Core Security Technologies.

    *) Security: now nginx/Windows ignores short files names.
       Thanks to Dan Crowley, Core Security Technologies.

The period related changes were introduced in commits f83598a35981197ac113b9c898bdb972aa8366da (in 1.3.1) and 2376d6082ab407a68619bfeb753c825e30617e2d (in 0.8.6).

I found this out while debugging a similar issue with nginx 1.20.1, where on Windows the reverse proxied requests would drop all periods from the end of the request path. Looking at the URL parsing source code at the time of writing this response, it doesn't look like this feature is configurable.

It's possible to slightly work around this by using $request_uri with the proxy_pass like so:

proxy_pass http://127.0.0.1:8888$request_uri;

This sends the unprocessed URI path to the upstream. Of course this isn't affected by location rules since it's the original path, so you may end up with a different path than you need. Additionally, if you are using the path to access/serve files, take note of the security issues that this period/space normalisation is trying to protect you from.

huangapple
  • 本文由 发表于 2022年12月20日 06:40:29
  • 转载请务必保留本文链接:https://go.coder-hub.com/74856758.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定