Fix security vulnerabilities in suggested nginx configuration

The suggested configurations for nginx found in the documentation and
templates lead to vulnerabilities allowing host spoofing [1] and path
traversal [2], as reported by Gixy [3]. This commit fixes those issues.

[1] https://github.com/yandex/gixy/blob/master/docs/en/plugins/hostspoofing.md
[2] https://github.com/yandex/gixy/blob/master/docs/en/plugins/aliastraversal.md
[3] https://github.com/yandex/gixy
This commit is contained in:
Alex Balgavy 2021-03-03 12:21:06 +01:00
parent c748fc66cf
commit 6b59800dc6
3 changed files with 12 additions and 12 deletions

View file

@ -173,7 +173,7 @@ Use it along with ``nginx`` with the following example configuration.
location /searx {
proxy_pass http://127.0.0.1:4004/;
proxy_set_header Host $http_host;
proxy_set_header Host $host;
proxy_set_header Connection $http_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

View file

@ -182,7 +182,7 @@ Started wiki`_ is always a good resource *to keep in the pocket*.
location /searx {
proxy_pass http://127.0.0.1:4004/;
proxy_set_header Host $http_host;
proxy_set_header Host $host;
proxy_set_header Connection $http_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@ -190,8 +190,8 @@ Started wiki`_ is always a good resource *to keep in the pocket*.
proxy_set_header X-Script-Name /searx;
}
location /searx/static {
alias /usr/local/searx/searx-src/searx/static;
location /searx/static/ {
alias /usr/local/searx/searx-src/searx/static/;
}
@ -205,7 +205,7 @@ Started wiki`_ is always a good resource *to keep in the pocket*.
location /morty {
proxy_pass http://127.0.0.1:3000/;
proxy_set_header Host $http_host;
proxy_set_header Host $host;
proxy_set_header Connection $http_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@ -309,8 +309,8 @@ Started wiki`_ is always a good resource *to keep in the pocket*.
proxy_buffering off;
}
location /searx/static {
alias /usr/local/searx/searx-src/searx/static;
location /searx/static/ {
alias /usr/local/searx/searx-src/searx/static/;
}
The ``X-Script-Name /searx`` is needed by the searx implementation to
@ -328,8 +328,8 @@ Started wiki`_ is always a good resource *to keep in the pocket*.
uwsgi_pass unix:/run/uwsgi/app/searx/socket;
}
location /searx/static {
alias /usr/local/searx/searx-src/searx;
location /searx/static/ {
alias /usr/local/searx/searx-src/searx/;
}
For searx to work correctly the ``base_url`` must be set in the

View file

@ -3,7 +3,7 @@
location ${SEARX_URL_PATH} {
proxy_pass http://127.0.0.1:4004/;
proxy_set_header Host \$http_host;
proxy_set_header Host \$host;
proxy_set_header Connection \$http_connection;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
@ -11,6 +11,6 @@ location ${SEARX_URL_PATH} {
proxy_set_header X-Script-Name ${SEARX_URL_PATH};
}
location ${SEARX_URL_PATH}/static {
alias ${SEARX_SRC}/searx/static;
location ${SEARX_URL_PATH}/static/ {
alias ${SEARX_SRC}/searx/static/;
}