Are there any security risks attached to letting users add to their own nginx virtual host files?
Let's say that I'm giving some people hosting accounts via nginx. If I were to put a line in their virtual host configuration files that includes an extra config file residing in their home directories, could this lead to any sort of security breach?
Here is a user's virtual host file:

    server {
        listen 80;
        server_name user.example.com;
        access_log /var/log/nginx/user.access.log;
        location / {
            root /home/user/htdocs;
            index index.html index.htm index.php;
        }
        location ~ \.php$ {
            fastcgi_pass unix:/var/run/php-fastcgi/php-fastcgi.socket;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME /home/user/htdocs$fastcgi_script_name;
            include /etc/nginx/fastcgi_params;
        }
        # The important bit
        include /home/user/extra_config;
    }

Theoretically, this would be combined with a cron job that checks the timestamp of each extra_config, and reloads nginx if necessary. Ideally users would utilize this to deny access to private files/directories or create rewrites - basically, it would be an alternative to .htaccess. But are there any pitfalls to this approach? Is there a better way to accomplish it?
It's best to only allow whitelisted config directives. You don't want a malicious user ("Eve") to hijack another user's traffic. e.g., I believe a user could construct a config like the following:

        }
    server {
        listen 80;
        server_name alice.example.com;
        root /home/eve/htdocs;
    }
    server {
        listen 80;
        server_name bob.example.com;
        root /home/eve/htdocs;
    }
    server {
        listen 80;
        server_name passwd.example.com;
        root /etc/passwd;

Instead, in an ideal world you would take input via some sort of purpose-built UI, and build the appropriate nginx config yourself from that user input. For example, I allow users to specify IP bans in a similar way -- I have a UI that accepts only a list of IPs. I then verify the format of the IPs via a regex, and write out nginx deny directives.
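
The approach described in the answer above (accept only a list of IPs, validate each one, then write out the deny directives yourself), as an added example that is not part of the original answer. It combines a character allow-list regex with Python's ipaddress module rather than a single regex; the function names and the sample input are assumptions made for illustration.

```python
import ipaddress
import re

# Only characters that can occur in an IPv4/IPv6 address or CIDR prefix.
# This also excludes '%', so IPv6 zone IDs (free-form text that some Python
# versions accept after the address) never reach the parser.
ALLOWED = re.compile(r"[0-9A-Fa-f:./]{1,49}")

def parse_ban_entry(entry):
    """Return the canonical address or CIDR string, or raise ValueError."""
    text = entry.strip()
    if not ALLOWED.fullmatch(text):
        raise ValueError("unexpected characters in %r" % entry)
    if "/" in text:
        # strict=True rejects networks with host bits set, e.g. 10.0.0.1/8
        return str(ipaddress.ip_network(text, strict=True))
    return str(ipaddress.ip_address(text))

def build_deny_config(entries):
    """Validate every entry and render nginx deny directives.

    Returns (config_text, rejected). Only the canonical string produced by
    the parser is written, never the raw input, so '}', ';' or newlines
    supplied by a user cannot end up in the generated file.
    """
    accepted, rejected = [], []
    for entry in entries:
        try:
            canonical = parse_ban_entry(entry)
        except ValueError:
            rejected.append(entry)
            continue
        if canonical not in accepted:      # drop duplicates, keep order
            accepted.append(canonical)
    return "".join("deny %s;\n" % item for item in accepted), rejected

# Constructed sample input: valid entries mixed with entries that must be refused.
SAMPLE = [
    "203.0.113.7", " 198.51.100.0/24 ", "2001:db8::1", "203.0.113.7",
    "10.0.0.1/8", "999.1.1.1", "fe80::1%eth0",
    "1.2.3.4; } server { listen 80; root /home/eve/htdocs;",
]

if __name__ == "__main__":
    config, rejected = build_deny_config(SAMPLE)
    print(config, end="")
    for bad in rejected:
        print("rejected: %r" % bad)
```

The generated text would be written to a file owned by root and included from the user's server block, so the user controls the list contents but never the config syntax.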