пт, 26 июн. 2020 г. в 14:19, Willy Tarreau <w...@1wt.eu>: > Hi Ilya, > > On Fri, Jun 26, 2020 at 02:04:41PM +0500, ???? ??????? wrote: > > ??, 26 ???. 2020 ?. ? 11:00, Willy Tarreau <w...@1wt.eu>: > > > > > Hi Tim, > > > > > > On Thu, Jun 25, 2020 at 04:30:37PM +0200, Tim Düsterhus wrote: > > > (...) > > > > Willy: Please correct me if I misrepresented your arguments or left > out > > > > something important. > > > > > > I think it's well summarized. There are other more painful points not > > > mentioned here: > > > > > > > Tim, can we schedule this for 2.3 ? It seems to be "too much" for 2.2 > > Rest assured that for me it's not even imaginable to break 2.2 with > such sort of things. We have sufficient issues to address right now! > > > as for normalization, I'd like an idea to compare nginx normalization > rules. > > (I recall myself that only "merge_slashes off;" was rarely an issue, the > > rest of normalization rules seem to be just fine) > > Be careful that nginx is a web server, not a gateway, so it doesn't have >
I have first hand experience on using nginx as a reverse proxy at 10+ years at 1 billion queries a day :) > to care about how the next hop would interpret the request since there > isn't such "next hop" so it only has to be consistent with itself. And > by the way, in case you'd still use it as a reverse-proxy using proxy_pass > you have to be aware that it only normalizes during analysis but forwards > the unprocessed request, leading to some of the well-known things I > mentioned: > > > https://www.acunetix.com/blog/articles/a-fresh-look-on-reverse-proxy-related-attacks/ > > This article by the way also mentions the funny things with some > application servers which incorrectly use ";" as a query string > delimiter, which is yet another thing breaking normalization! > > Willy >
