This fixes a security hole when used with many Java application servers,
which treat ';' as a special character in paths. See [1] for more
details.
This changes how NGINX constructs requests for its backends. Something
like:
location /fake1/ {
proxy_pass http://127.0.0.1:8000/fake2/;
}
will now escape semicolons in the provided URL, provided that the
original URL had any %-escapes.
To prevent such bypasses, configurations can use:
if ($request_uri !~ "^/[^;?#]*(?:\?|$)") {
return 400 "Path parameters not allowed";
}
This is ultimately a flaw in NGINX, not the backend servers: it is a
client error to make an HTTP request with a URI that contains a path
with a character that is not valid in paths, and as the client NGINX is
responsible for only making valid requests.
This is not a complete fix. A complete fix would require blocking %2F
in paths (HAProxy and NGINX disagree on its meaning) and blocking
unescaped semicolons in paths (NGINX and Java app servers disagree on
their meaning).
This patch allows closing the remaining bypasses by doing the following
in configuration files:
1. Do not use regular expressions in paths unless careful.
2. Ensure all location blocks are either "location = /something" (note
the = operator) or location /something/ (trailing slash).
3. Include the following at server level:
if ($request_uri !~ "^(?<non_normalized_path>/[^;?#]*)(?:\?|$)") {
return 400 "Path parameters not allowed";
}
if ($non_normalized_path ~ "%2[EeFf]|//|/\.\.?(?:\?|/|$)") {
return 400 "Path has escaped . or /, repeated /, or . or .. component";
}
This checks that path components are not empty and are not "." or "..".
It also checks that there are no path parameters and no escaped "." or
"/" characters. Paths that meet these requirements will be interpreted
consistently by all web servers I am aware of.
One can consider this snippet to be licensed under the MIT-0 license (no
attribution required, use for any purpose allowed with no restrictions).
Without this patch to NGINX, normalized URLs submitted to backends would
have unescaped semicolons even if the URL submitted to NGINX escaped the
semicolon. Preventing the bypass would therefore require blocking
*escaped* semicolons, which should not be required.
[1]: https://i.blackhat.com/us-18/Wed-August-8/us-18-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out-2.pdf
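As an added example, not part of the commit or of NGINX itself, the two server-level checks above transcribed into Python and run over constructed request targets, so a reviewer can see exactly which URIs the checks accept and reject. It assumes only the named-group syntax differs between PCRE and Python; the function name and sample URIs are constructed here.

```python
import re

# Python transcription of the two server-level checks from the commit
# message (assumption: PCRE's (?<name>...) becomes Python's (?P<name>...);
# everything else is copied verbatim from the nginx config).
PATH_RE = re.compile(r"^(?P<non_normalized_path>/[^;?#]*)(?:\?|$)")
BAD_COMPONENT_RE = re.compile(r"%2[EeFf]|//|/\.\.?(?:\?|/|$)")

REASON_PARAMS = "Path parameters not allowed"
REASON_COMPONENT = "Path has escaped . or /, repeated /, or . or .. component"


def check_request_uri(request_uri: str) -> tuple:
    """Mirror the nginx `if` blocks: return (status, reason) for a raw $request_uri.

    $request_uri is the original, non-normalized request target with the query
    string included, which is why the first regex stops at '?' and the second
    check runs only on the captured path part.
    """
    m = PATH_RE.match(request_uri)
    if m is None:
        # No leading '/', or a ';' / '#' appeared before the query string.
        return 400, REASON_PARAMS
    path = m.group("non_normalized_path")
    if BAD_COMPONENT_RE.search(path):
        # %2E / %2F, an empty component, or a "." / ".." component.
        return 400, REASON_COMPONENT
    return 200, "ok"


# Constructed sample request targets; not taken from any real traffic.
SAMPLE_URIS = [
    "/fake1/report",               # plain path: accepted
    "/fake1/report?page=2",        # query string is fine
    "/fake1/.well-known/x",        # dotfile component is not "." or "..": accepted
    "/fake1/report;jsessionid=1",  # path parameter: rejected
    "/fake1/%2e%2e/report",        # escaped dots: rejected
    "/fake1//report",              # empty component: rejected
    "/fake1/../report",            # ".." component: rejected
    "/fake1/a%2Fb",                # escaped slash: rejected
    "report",                      # no leading slash: rejected
]


def classify_samples() -> dict:
    """Run every sample through the check and return {uri: status}."""
    return {uri: check_request_uri(uri)[0] for uri in SAMPLE_URIS}


if __name__ == "__main__":
    for uri, status in classify_samples().items():
        print(f"{status}  {uri}")
```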
NGINX (pronounced "engine x" or "en-jin-eks") is the world's most popular Web Server, high performance Load Balancer, Reverse Proxy, API Gateway and Content Cache.
NGINX is free and open source software, distributed under the terms of a simplified 2-clause BSD-like license.
Enterprise distributions, commercial support and training are available from F5, Inc.
Important
The goal of this README is to provide a basic, structured introduction to NGINX for novice users. Please refer to the full NGINX documentation for detailed information on installing, building, configuring, debugging, and more. These documentation pages also contain a more detailed Beginners Guide, How-Tos, Development guide, and a complete module and directive reference.
Table of contents
- How it works
- Downloading and installing
- Getting started with NGINX
- Building from source
- Asking questions and reporting issues
- Contributing code
- Additional help and resources
- Changelog
- License
How it works
NGINX is installed software with binary packages available for all major operating systems and Linux distributions. See Tested OS and Platforms for a full list of compatible systems.
Important
While nearly all popular Linux-based operating systems are distributed with a community version of nginx, we highly advise installation and usage of official packages or sources from this repository. Doing so ensures that you're using the most recent release or source code, including the latest feature-set, fixes and security patches.
Modules
NGINX consists of individual modules, each extending core functionality by providing additional, configurable features. See "Modules reference" at the bottom of the nginx documentation for a complete list of official modules.
NGINX modules can be built and distributed as static or dynamic modules. Static modules are defined at build time, compiled, and distributed in the resulting binaries. See Dynamic Modules for more information on how they work, as well as how to obtain, install, and configure them.
Tip
You can issue the following command to see which static modules your NGINX binaries were built with:
nginx -V
See Configuring the build for information on how to include specific Static modules into your nginx build.
Configurations
NGINX is highly flexible and configurable. Provisioning the software is achieved via text-based config file(s) accepting parameters called "Directives". See Configuration File's Structure for a comprehensive description of how NGINX configuration files work.
Note
The set of directives available to your distribution of NGINX is dependent on which modules have been made available to it.
Runtime
Rather than running in a single, monolithic process, NGINX is architected to scale beyond Operating System process limitations by operating as a collection of processes. They include:
- A "master" process that maintains the worker processes and reads and evaluates the configuration files.
- One or more "worker" processes that process data (e.g. HTTP requests).
The number of worker processes is defined in the configuration file and may be fixed for a given configuration or automatically adjusted to the number of available CPU cores. In most cases, the latter option optimally balances load across available system resources, as NGINX is designed to efficiently distribute work across all worker processes.
Tip
Processes synchronize data through shared memory. For this reason, many NGINX directives require the allocation of shared memory zones. As an example, when configuring rate limiting, connecting clients may need to be tracked in a common memory zone so all worker processes can know how many times a particular client has accessed the server in a span of time.
Downloading and installing
Follow these steps to download and install precompiled NGINX binaries. You may also choose to build NGINX locally from source code.
Stable and Mainline binaries
NGINX binaries are built and distributed in two versions: stable and mainline. Stable binaries are built from stable branches and only contain critical fixes backported from the mainline version. Mainline binaries are built from the master branch and contain the latest features and bugfixes. You'll need to decide which is appropriate for your purposes.
Linux binary installation process
The NGINX binary installation process takes advantage of package managers native to specific Linux distributions. For this reason, first-time installations involve adding the official NGINX package repository to your system's package manager. Follow these steps to download, verify, and install NGINX binaries using the package manager appropriate for your Linux distribution.
Upgrades
Future upgrades to the latest version can be managed using the same package manager without the need to manually download and verify binaries.
FreeBSD installation process
For more information on installing NGINX on a FreeBSD system, visit https://nginx.org/en/docs/install.html
Windows executables
Windows executables for mainline and stable releases can be found on the main NGINX download page. Note that the current implementation of NGINX for Windows is at the Proof-of-Concept stage and should only be used for development and testing purposes. For additional information, please see nginx for Windows.
Dynamic modules
NGINX version 1.9.11 added support for Dynamic Modules. Unlike Static modules, dynamically built modules can be downloaded, installed, and configured after the core NGINX binaries have been built. Official dynamic module binaries are available from the same package repository as the core NGINX binaries described in previous steps.
Tip
NGINX JavaScript (njs) is a popular NGINX dynamic module that enables the extension of core NGINX functionality using familiar JavaScript syntax.
Important
If desired, dynamic modules can also be built statically into NGINX at compile time.
Getting started with NGINX
For a gentle introduction to NGINX basics, please see our Beginner’s Guide.
Installing SSL certificates and enabling TLS encryption
See Configuring HTTPS servers for a quick guide on how to enable secure traffic to your NGINX installation.
Load Balancing
For a quick start guide on configuring NGINX as a Load Balancer, please see Using nginx as HTTP load balancer.
Rate limiting
See our Rate Limiting with NGINX blog post for an overview of core concepts for provisioning NGINX as an API Gateway.
Content caching
See A Guide to Caching with NGINX and NGINX Plus blog post for an overview of how to use NGINX as a content cache (e.g. edge server of a content delivery network).
Building from source
The following steps can be used to build NGINX from source code available in this repository.
Installing dependencies
Most Linux distributions will require several dependencies to be installed in order to build NGINX. The following instructions are specific to the apt package manager, widely available on most Ubuntu/Debian distributions and their derivatives.
Tip
It is always a good idea to update your package repository lists prior to installing new packages.
sudo apt update
Installing compiler and make utility
Use the following command to install the GNU C compiler and Make utility.
sudo apt install gcc make
Installing dependency libraries
sudo apt install libpcre3-dev zlib1g-dev
Warning
This is the minimal set of dependency libraries needed to build NGINX with rewriting and gzip capabilities. Other dependencies may be required if you choose to build NGINX with additional modules. Monitor the output of the configure command discussed in the following sections for information on which modules may be missing. For example, if you plan to use SSL certificates to encrypt traffic with TLS, you'll need to install the OpenSSL library. To do so, issue the following command.
sudo apt install libssl-dev
Cloning the NGINX GitHub repository
Using your preferred method, clone the NGINX repository into your development directory. See Cloning a GitHub Repository for additional help.
git clone https://github.com/nginx/nginx.git
Configuring the build
Prior to building NGINX, you must run the configure script with appropriate flags. This will generate a Makefile in your NGINX source root directory that can then be used to compile NGINX with options specified during configuration.
From the NGINX source code repository's root directory:
auto/configure
Important
Configuring the build without any flags will compile NGINX with the default set of options. Please refer to https://nginx.org/en/docs/configure.html for a full list of available build configuration options.
Compiling
The configure script will generate a Makefile in the NGINX source root directory upon successful execution. To compile NGINX into a binary, issue the following command from that same directory:
make
Location of binary and installation
After successful compilation, a binary will be generated at <NGINX_SRC_ROOT_DIR>/objs/nginx. To install this binary, issue the following command from the source root directory:
sudo make install
Important
The binary will be installed into the /usr/local/nginx/ directory.
Running and testing the installed binary
To run the installed binary, issue the following command:
sudo /usr/local/nginx/sbin/nginx
You may test NGINX operation using curl.
curl localhost
The output of which should start with:
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
Asking questions and reporting issues
See our Support guidelines for information on how to discuss the codebase, ask troubleshooting questions, and report issues.
Contributing code
Please see the Contributing guide for information on how to contribute code.
Additional help and resources
- See the NGINX Community Blog for more tips, tricks and HOW-TOs related to NGINX and related projects.
- Access nginx.org, your go-to source for all documentation, information and software related to the NGINX suite of projects.
Changelog
See our changelog to keep track of updates.
License
Additional documentation available at: https://nginx.org/en/docs