Hi Ilya,

On Fri, Jun 26, 2020 at 02:04:41PM +0500, ???? ??????? wrote:
> ??, 26 ???. 2020 ?. ? 11:00, Willy Tarreau <[email protected]>:
>
> > Hi Tim,
> >
> > On Thu, Jun 25, 2020 at 04:30:37PM +0200, Tim Düsterhus wrote:
> > (...)
> > > Willy: Please correct me if I misrepresented your arguments or left out
> > > something important.
> >
> > I think it's well summarized. There are other more painful points not
> > mentioned here:
> >
>
> Tim, can we schedule this for 2.3 ? It seems to be "too much" for 2.2

Rest assured that for me it's not even imaginable to break 2.2 with such
sort of things. We have sufficient issues to address right now!

> as for normalization, I'd like an idea to compare nginx normalization rules.
> (I recall myself that only "merge_slashes off;" was rarely an issue, the
> rest of normalization rules seem to be just fine)

Be careful that nginx is a web server, not a gateway, so it doesn't have to
care about how the next hop would interpret the request since there isn't
such "next hop" so it only has to be consistent with itself. And by the way,
in case you'd still use it as a reverse-proxy using proxy_pass you have to
be aware that it only normalizes during analysis but forwards the unprocessed
request, leading to some of the well-known things I mentioned:

https://www.acunetix.com/blog/articles/a-fresh-look-on-reverse-proxy-related-attacks/

This article by the way also mentions the funny things with some application
servers which incorrectly use ";" as a query string delimiter, which is yet
another thing breaking normalization!

Willy
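
As an added illustration (not part of the message above, and not HAProxy or nginx code), this Python sketch audits request targets, for example from an access log, for the features that let a gateway's normalized view differ from the raw request it forwards to the next hop. The function names, the simplified normalization model and the sample targets are all constructed for the example.

```python
from urllib.parse import unquote

# Constructed sample request targets (not taken from any real log).
SAMPLE = [
    "/static/css/site.css",
    "/static//img/../css/site.css",
    "/app/%2e%2e/reports?id=7",
    "/app/page;v=2?x=1",
]

def normalize(path):
    """Simplified model of gateway-side normalization used for rule matching:
    percent-decode, merge slashes, resolve '.' and '..' segments."""
    out = []
    for seg in unquote(path).split("/"):
        if seg == "..":
            if out:
                out.pop()
        elif seg not in ("", "."):
            out.append(seg)
    return "/" + "/".join(out)

def audit(target):
    """List the reasons a next hop could interpret `target` differently
    from the hop that normalized it."""
    path = target.split("?", 1)[0]
    decoded = unquote(path)
    reasons = []
    if decoded != path:
        reasons.append("percent-encoding")
    if "//" in decoded:
        reasons.append("repeated-slash")
    if any(seg in (".", "..") for seg in decoded.split("/")):
        reasons.append("dot-segment")
    if ";" in decoded:
        # Some application servers treat ';' as a delimiter.
        reasons.append("semicolon")
    return reasons

def report(targets):
    """Return (raw target, normalized path, reasons) for ambiguous targets."""
    rows = []
    for t in targets:
        reasons = audit(t)
        if reasons:
            rows.append((t, normalize(t.split("?", 1)[0]), reasons))
    return rows

if __name__ == "__main__":
    for raw, norm, reasons in report(SAMPLE):
        print(f"{raw!r} matched as {norm!r}, forwarded raw: {', '.join(reasons)}")
```

A flagged row means the rule decision was taken on one string while another string was forwarded, so such requests are candidates for rejection or for rewriting to the normalized form before they are passed on.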

