Hello everyone. I need to pass a security audit for a PCI compliance process.

A scan was performed on my servers and found a vulnerability in nginx, "HTTP2 SETTINGS FRAME Denial of Service". I upgraded nginx to the latest stable, 1.16.1, which supposedly fixes that issue (see https://mailman.nginx.org/pipermail/nginx-announce/2019/000249.html), but the security scan is still reporting the same problem. The scan report ends with:

"technical details : sent HTTP2 request with 20 SETTINGS and received a valid response"

I do have http2 enabled, and need it to stay enabled. Can someone please point me in the right direction about how to fix this? I have a few questions:

- Can I disable that "20 SETTINGS" request somehow?
- Will that mess up my http2 connections?
- Is there some other solution?
- Should I try to update to mainline?

Here is the output of my nginx -V:

nginx version: nginx/1.16.1
built by clang 6.0.0 (tags/RELEASE_600/final 326565) (based on LLVM 6.0.0)
built with OpenSSL 1.0.2o-freebsd 27 Mar 2018
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module --with-http_v2_module

Thanks!
- Jose
_______________________________________________ nginx mailing list [email protected] http://mailman.nginx.org/mailman/listinfo/nginx
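The scanner's "20 SETTINGS" detail refers to HTTP/2 SETTINGS frames (RFC 7540, frame type 0x4, always on stream 0). The following is an added example, not code from the post or from nginx: a small HTTP/2 frame parser with a connection-level check that counts SETTINGS frames, validates them against the RFC rules (stream 0 only, payload a multiple of 6 bytes, ACK frames empty) and flags a connection that carries at least a configurable number of them. The function names, the constructed sample byte streams and the threshold of 20 (taken from the scan report's wording) are all assumptions of this example; it is meant to help interpret what a scanner or a packet capture shows, not to reproduce the scanner.

```python
"""HTTP/2 framing parser with a SETTINGS-flood check (added example, not from the post)."""
import struct
from typing import Iterator, List, Tuple

FRAME_HEADER_LEN = 9          # 24-bit length + 8-bit type + 8-bit flags + 32-bit stream id
FRAME_TYPE_SETTINGS = 0x4     # RFC 7540 section 6.5
FLAG_ACK = 0x1                # SETTINGS ACK flag
PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"  # RFC 7540 client connection preface

Frame = Tuple[int, int, int, bytes]  # (type, flags, stream_id, payload)


def encode_frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Serialise one HTTP/2 frame header plus payload (used to build sample input)."""
    if len(payload) > 0xFFFFFF:
        raise ValueError("payload exceeds the 24-bit frame length field")
    header = len(payload).to_bytes(3, "big") + bytes([ftype, flags])
    header += struct.pack("!I", stream_id & 0x7FFFFFFF)  # reserved bit cleared
    return header + payload


def encode_settings(params: List[Tuple[int, int]], ack: bool = False) -> bytes:
    """SETTINGS frame: zero or more (16-bit id, 32-bit value) pairs on stream 0."""
    payload = b"" if ack else b"".join(struct.pack("!HI", k, v) for k, v in params)
    return encode_frame(FRAME_TYPE_SETTINGS, FLAG_ACK if ack else 0, 0, payload)


def iter_frames(data: bytes) -> Iterator[Frame]:
    """Yield frames from a raw client-to-server byte stream; stop at a truncated frame."""
    offset = len(PREFACE) if data.startswith(PREFACE) else 0
    while offset + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[offset:offset + 3], "big")
        ftype, flags = data[offset + 3], data[offset + 4]
        stream_id = struct.unpack("!I", data[offset + 5:offset + 9])[0] & 0x7FFFFFFF
        start = offset + FRAME_HEADER_LEN
        payload = data[start:start + length]
        if len(payload) < length:
            break  # incomplete trailing frame, nothing more to parse
        yield ftype, flags, stream_id, payload
        offset = start + length


def analyze_connection(data: bytes, threshold: int = 20) -> dict:
    """Count SETTINGS frames, record RFC 7540 violations, flag a flood at or above threshold."""
    settings = acks = 0
    errors: List[str] = []
    for index, (ftype, flags, stream_id, payload) in enumerate(iter_frames(data)):
        if ftype != FRAME_TYPE_SETTINGS:
            continue
        if stream_id != 0:
            errors.append(f"frame {index}: SETTINGS on stream {stream_id} (PROTOCOL_ERROR)")
        if flags & FLAG_ACK:
            acks += 1
            if payload:
                errors.append(f"frame {index}: SETTINGS ACK with payload (FRAME_SIZE_ERROR)")
            continue
        if len(payload) % 6 != 0:
            errors.append(f"frame {index}: SETTINGS payload of {len(payload)} bytes "
                          "is not a multiple of 6 (FRAME_SIZE_ERROR)")
        settings += 1
    return {
        "settings_frames": settings,
        "settings_acks": acks,
        "errors": errors,
        "flood": settings >= threshold,
    }


# Constructed sample: an ordinary handshake, one SETTINGS (max streams, window size) plus one ACK.
NORMAL_HANDSHAKE = PREFACE + encode_settings([(0x3, 100), (0x4, 65535)]) + encode_settings([], ack=True)

# Constructed sample: a connection carrying 20 SETTINGS frames, as the scan report describes.
TWENTY_SETTINGS = PREFACE + b"".join(encode_settings([(0x4, 65535)]) for _ in range(20))

if __name__ == "__main__":
    for name, sample in (("normal handshake", NORMAL_HANDSHAKE), ("20 SETTINGS", TWENTY_SETTINGS)):
        print(name, analyze_connection(sample))
```

Run over a decrypted client-to-server stream (for example, bytes exported from a capture), the check tells you how many SETTINGS frames the peer sent and whether any of them were malformed. Note that the scanner's own criterion, as quoted in the report, is only that the server returned a valid response after 20 SETTINGS frames; a server may still be fully patched and answer those frames normally, so a count alone does not prove a vulnerability.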
