Recently we have seen some kind of hacker attempt on our hosting servers, passing very long hostnames in the HTTP Host: header. That means length(hostname) was higher than 2000, for a few requests even more than 10000.

This was processed well by nginx and passed further to our upstreams, which caused only a little trouble there: logs were filled with a lot of garbage.

After a bit of investigation, I have found that, according to the RFC, the longest domain name should not be more than 253 characters. Also, splitting the domain into labels (labels are strings between dots), each label should not exceed 63 characters.

For more info: http://en.wikipedia.org/wiki/Domain_Name_System (search for the "Domain name syntax" part)

That raises the question of how nginx handles this kind of long hostname, and why it still passes those invalid hostnames to backends (upstreams). However, it still passes them, and we want to filter that out. Because performance matters a lot to us, we want to do that the best possible way.

CASE #1:

    if ($host ~* "^.{254,}$") {
        return 403;
    }

CASE #2: (this is probably more efficient)

    server {
        server_name "~^.{254,}$";
        listen 80;
        return 403;
    }

Case #2 is probably more efficient, but in both cases regular expressions are used. Would it matter if we put that server {} block at the end of our server list?

Also, would it make any sense to check for a dot (\.) in a server_name or $host, and when no dot is present, return 403 as well?

Thanks for sharing your thoughts

Ondrej
--
Ondrej JOMBIK
Platon Technologies s.r.o., Hlavna 3, Sala SK-92701
+421 903 PLATON - [email protected] - http://platon.org

My current location: Phoenix, Arizona
My current timezone: -0700 UTC (MST)
(updated automatically)
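Added example, not part of the original post: a small Python checker that applies the three rules the message mentions (name at most 253 characters, each label at most 63, at least one dot) to Host values, for instance ones pulled from upstream logs, and compares them with the ^.{254,}$ pattern from the two cases. The function names, the problem labels and the sample values are assumptions constructed for illustration.

```python
import re
from collections import Counter

MAX_NAME = 253    # longest full domain name, the limit cited in the post
MAX_LABEL = 63    # longest single label (string between dots)
CASE_RE = re.compile(r"^.{254,}$")   # the pattern used in CASE #1 / CASE #2

def strip_port(value):
    """Drop a trailing :port. Bracketed IPv6 literals are not handled."""
    host, sep, port = value.rpartition(":")
    return host if sep and port.isdigit() else value

def check_host(value):
    """Return the list of rules a Host value breaks (empty list = ok)."""
    name = strip_port(value.strip()).lower()
    if name.endswith("."):    # assumption: one trailing root dot is accepted
        name = name[:-1]
    if not name:
        return ["empty"]
    labels = name.split(".")
    problems = []
    if len(name) > MAX_NAME:
        problems.append("name>253")
    if any(len(label) > MAX_LABEL for label in labels):
        problems.append("label>63")
    if "" in labels:
        problems.append("empty-label")
    if len(labels) < 2:
        problems.append("no-dot")
    return problems

def summarize(values):
    """Count each problem across many Host values; clean values count as ok."""
    counts = Counter()
    for value in values:
        counts.update(check_host(value) or ["ok"])
    return counts

# Constructed sample Host values, not taken from real traffic.
SAMPLES = [
    "example.com",
    "example.com:8080",
    "localhost",
    "a" * 64 + ".example.com",    # short name, one oversized label
    ".".join(["a" * 50] * 6),     # 305 characters, every label valid
    "x" * 2000,
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(len(s), bool(CASE_RE.search(s)), check_host(s) or "ok")
```

The fourth sample breaks the 63-character label rule but is only 77 characters long, so a length-only pattern does not match it, and the no-dot rule also flags names such as localhost.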
