
Are there any security risks attached to letting users add to their own nginx virtual host files?

Let's say that I'm giving some people hosting accounts via nginx. If I were to put a line in their virtual host configuration files that includes an extra config file residing in their home directories, could this lead to any sort of security breach?

Here is a user's virtual host file:

server {
    listen 80;
    server_name user.example.com;
    access_log /var/log/nginx/user.access.log;
    location / {
        root /home/user/htdocs;
        index index.html index.htm index.php;
    }
    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php-fastcgi/php-fastcgi.socket;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME  /home/user/htdocs$fastcgi_script_name;
        include /etc/nginx/fastcgi_params;
    }

    # The important bit
    include /home/user/extra_config;

}

Theoretically, this would be combined with a cron job that checks the timestamp of each extra_config, and reloads nginx if necessary. Ideally users would utilize this to deny access to private files/directories or create rewrites - basically, it would be an alternative to .htaccess. But are there any pitfalls to this approach? Is there a better way to accomplish it?


It's best to only allow whitelisted config directives. You don't want a malicious user ("Eve") to hijack another user's traffic. e.g., I believe a user could construct a config like the following:

} 
server {
   listen 80;
   server_name alice.example.com;
   root /home/eve/htdocs;
}
server {
   listen 80;
   server_name bob.example.com;
   root /home/eve/htdocs;
}
server {
   listen 80;
   server_name passwd.example.com;
   root /etc/passwd;

Instead, in an ideal world you would take input via some sort of purpose-built UI, and build the appropriate nginx config yourself from that user input. For example, I allow users to specify IP bans in a similar way -- I have a UI that accepts only a list of IPs. I then verify the format of the IPs via a regex, and write out nginx deny directives.
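
A sketch of the IP-ban generator described above, added here as an illustration; it is not code from the original answer. It validates with Python's ipaddress module rather than a regex, and the function names and the header comment in the generated file are assumptions.

```python
import ipaddress
import re

# Characters that can appear in a canonical IPv4/IPv6 address or CIDR prefix.
SAFE_VALUE = re.compile(r"[0-9a-f:./]+")


def parse_entry(raw):
    """Return a canonical IP or CIDR string, or raise ValueError."""
    text = raw.strip()
    # IPv6 zone IDs ("fe80::1%eth0") may hold arbitrary characters and are
    # echoed back by str(), so refuse them outright.
    if "%" in text:
        raise ValueError("zone IDs are not accepted")
    if "/" in text:
        value = str(ipaddress.ip_network(text, strict=True))
    else:
        value = str(ipaddress.ip_address(text))
    # Second check on the exact text that will be written to the config.
    if not SAFE_VALUE.fullmatch(value):
        raise ValueError("unexpected character in parsed value")
    return value


def render_deny_rules(entries):
    """Return (config_text, rejected) for a list of user-supplied strings."""
    accepted, rejected = [], []
    for raw in entries:
        try:
            value = parse_entry(raw)
        except ValueError:
            rejected.append(raw)
            continue
        if value not in accepted:
            accepted.append(value)
    lines = ["# generated file, do not edit"]
    lines += [f"deny {value};" for value in accepted]
    return "\n".join(lines) + "\n", rejected


if __name__ == "__main__":
    # Constructed sample input: two valid entries, a duplicate, and one
    # entry that tries to close the enclosing server block.
    sample = ["203.0.113.7", "198.51.100.0/24", " 203.0.113.7 ",
              "192.0.2.1; } server { listen 80; server_name alice.example.com;"]
    text, bad = render_deny_rules(sample)
    print(text, end="")
    print("rejected:", bad)
```

Only the generated text is ever written to the included file, so nothing the user typed reaches nginx except a parsed address or prefix.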
