nginx open reverse proxy?
Somehow, and I'm not sure how, we have configured an nginx reverse proxy that is acting as an open proxy.
The log files tell us the matching requests are going against the following conf file:
    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }

    access_log /var/log/nginx/access.p.log;
    error_log /var/log/nginx/error.p.log;

    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
    proxy_buffers 8 32k;
    proxy_buffer_size 64k;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_redirect off;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;

    server {
        listen 80;
        server_name ~first.*\.second\.com;
        location / {
            resolver 172.16.1.1 172.16.1.2;
            proxy_pass http://$host;
            proxy_read_timeout 7200s;
        }
    }

    server {
        listen 443;
        server_name ~first.*\.second\.com;
        ssl on;
        location / {
            resolver 172.16.1.1 172.16.1.2;
            proxy_pass https://$host;
            proxy_read_timeout 7200s;
        }
    }
The top-level conf file looks like this:
    user nginx;
    worker_processes 8;
    pid /var/run/nginx.pid;

    events {
        worker_connections 4096;
        # multi_accept on;
    }
    http {
        ##
        # Basic Settings
        ##
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        # server_tokens off;
        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;
        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # Logging Settings
        ##
        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##
        gzip on;
        gzip_disable "msie6";
        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

        ##
        # nginx-naxsi config
        ##
        # Uncomment it if you installed nginx-naxsi
        ##
        #include /etc/nginx/naxsi_core.rules;

        ##
        # nginx-passenger config
        ##
        # Uncomment it if you installed nginx-passenger
        ##
        #passenger_root /usr;
        #passenger_ruby /usr/bin/ruby;
        ##

        include /etc/nginx/conf.d/*.conf;
        #include /etc/nginx/sites-enabled/*;
    }
What here is causing this?
There is documentation on how nginx processes a request. In particular, that means if you have only one server block then all requests will end up there regardless of the Host header.
In your case you want to process only requests that match your hosts and ignore others, so you have to declare another server block that will process all unmatched requests.
This should look something like this:
    server {
        listen 80 default_server;
        listen 443 default_server;
        return 403;
        # or return 444; to just close connection without response.
    }

    server {
        listen 80;
        server_name ~first.*\.second\.com;
        ....
    }

    server {
        listen 443 ssl;
        server_name ~first.*\.second\.com;
        ....
    }
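A small model of nginx's server selection, added here to show why the asker's config forwarded every Host and why the answer's catch-all closes it; this is illustrative code, not part of the question, the answer or nginx itself. The `Server` class, `select_server` and `handle` are hypothetical names, and the Host values are constructed.

```python
import re
from dataclasses import dataclass

@dataclass
class Server:
    """One server{} block (hypothetical model): port, server_name, what it does."""
    listen: int
    server_name: str = ""                    # "" = unnamed, like the answer's catch-all
    default_server: bool = False
    action: str = "proxy_pass http://$host"  # or e.g. "return 403"

def _kind(name):
    """nginx precedence: exact (0) before wildcard (1) before regex (2)."""
    return 2 if name.startswith("~") else 1 if name.startswith("*.") or name.endswith(".*") else 0

def _matches(name, host):
    if name.startswith("~"):                 # regex names are unanchored, like PCRE
        return re.search(name[1:], host) is not None
    if name.startswith("*."):
        return host.endswith(name[1:])
    if name.endswith(".*"):
        return host.startswith(name[:-1])
    return host == name

def select_server(servers, port, host):
    """Best server_name match on that port, else the default_server, else the first
    block declared for the port. (Longest-wildcard tie-breaking is omitted.)"""
    on_port = [s for s in servers if s.listen == port]
    if not on_port:
        return None
    for kind in (0, 1, 2):
        for s in on_port:
            if s.server_name and _kind(s.server_name) == kind and _matches(s.server_name, host):
                return s
    return next((s for s in on_port if s.default_server), on_port[0])

def handle(servers, port, host):
    """What a request with this Host header turns into; $host expands as in nginx."""
    s = select_server(servers, port, host)
    return "connection refused" if s is None else s.action.replace("$host", host)

# The question's vhost (constructed from the post): one block per port, a regex
# name, and proxy_pass to whatever the Host header says.
QUESTION_CONF = [
    Server(80, r"~first.*\.second\.com"),
    Server(443, r"~first.*\.second\.com", action="proxy_pass https://$host"),
]
# The answer's fix: an explicit default_server that refuses unmatched names.
ANSWER_CONF = [Server(80, default_server=True, action="return 403"),
               Server(443, default_server=True, action="return 403")] + QUESTION_CONF
```

With `QUESTION_CONF`, `handle(..., 80, "unrelated.example")` still yields a proxy_pass to that host because the lone block is the implicit default; with `ANSWER_CONF` it yields `return 403`. Note that regex server names are unanchored, so anchoring the pattern (`^` and `$`) keeps the named block from matching hosts that merely contain `first...second.com`.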