Nginx does detect these traversal attacks. They come up as a 400 error. I got two yesterday. But out of paranoia, I wouldn't leave the web root. There is always some zero day.
That traversal attack was from some new to me Hong Kong hosting company and earned a place on my firewall block. Blocking just keeps the log file size down. There will be others.

https://null-byte.wonderhowto.com/how-to/perform-directory-traversal-extract-sensitive-information-0185558/

I have run dotdotpwn. Lots of false positives. It takes forever.

On nearly a daily basis, some entity gets hacked because of a misconfiguration. So I make sure I have secured the low hanging fruit. I watch file ownership and permissions. That is free. I don't have a WAF, but I use Nginx maps and pattern match common hacks, giving them the 444. Simple stuff like if you request some WordPress feature you get flagged because I don't run WordPress. I found a list of bad user agents on GitHub that I flag on.

Original Message
From: hobso...@gmail.com
Sent: August 31, 2019 7:41 AM
To: nginx@nginx.org
Reply-to: nginx@nginx.org
Subject: Re: Allow internal redirect to URI x, but deny external request for x?

Hi Mark,

On 30/08/19 22:23, lists wrote:
> I've been following this thread not really out of need but rather that it is
> really interesting. That said, I don't think for security you want to
> "escape" the web root. The risk is that might aid a traversal attack.
>
I am curious to know how this might work. Nginx itself is safe, so it would have to be a script. And while those may indeed be vulnerable, is the vulnerability changed by symlinking the root elsewhere? I don't see any difference myself, but perhaps you know something I don't.

Regards

Ian

> Original Message
> From: hobso...@gmail.com
> Sent: August 30, 2019 12:01 PM
> To: nginx@nginx.org
> Reply-to: nginx@nginx.org
> Subject: Re: Allow internal redirect to URI x, but deny external request for x?
>
> Hi Lewis,
>
> On 30/08/19 18:33, J. Lewis Muir wrote:
>> Hello!
>>
>> I'm using nginx 1.12.2 on RHEL 7, and I've got a FastCGI web app that
>> uses a deployment structure which uses an atomic symlink change for an
>> atomic app deploy, and I'm wishing to be able to do an internal redirect
>> in nginx to URL x, but deny an external request to the same URL x so
>> that I don't serve the same content at more than one URL. Is there a
>> way to do that?
>>
> You could place the different versions away from the root so they cannot
> be obtained from the web. Then they can be served by setting up a
> symlink to the desired version.
>
> This can be changed using "ln -sfn version/dir serving/root" and then
> restarting nginx to pick up the new version.
>
> By not using redirects, this method should be more efficient.
>
> Regards
>
> Ian
>
> --
> Ian Hobson
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx

--
Ian Hobson
Tel (+351) 910 418 473
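One way to put the two ideas from this thread into an nginx server block: the web root is a symlink to a release directory kept outside the served tree, and `map` blocks classify WordPress-probe URIs and bad user agents so they get a 444. This is an added example, not configuration from anyone on the thread; the paths, URI patterns and user-agent names are illustrative assumptions.

```nginx
# Added example (not from the thread). Paths, patterns and UA names are assumptions.

# 1 if the request asks for a WordPress feature this site does not run.
map $request_uri $probe_uri {
    default                                        0;
    "~*^/wp-(admin|login|content|includes)/"       1;
    "~*^/xmlrpc\.php"                              1;
}

# 1 for an empty user agent or a few illustrative scanner names
# (a real deployment would load a longer list, e.g. from a published blocklist).
map $http_user_agent $bad_ua {
    default                       0;
    ""                            1;
    "~*(masscan|zgrab|sqlmap)"    1;
}

server {
    listen      80;
    server_name example.com;   # assumed hostname

    # Releases live in /srv/app/releases/<version>, outside the served tree.
    # /srv/app/current is a symlink switched with "ln -sfn", as suggested above,
    # so only the chosen release is ever reachable through this root.
    root /srv/app/current;

    # 444 makes nginx close the connection without sending a response.
    # "if" with a bare "return" is one of the safe uses of "if" in nginx.
    if ($probe_uri) { return 444; }
    if ($bad_ua)    { return 444; }

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Check the maps with `nginx -t` before reloading, and watch the access log for 444 entries to confirm the patterns hit only what you intended.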