Nginx configuration: location match priority and a security issue (repost)

Source: Internet
Author: User

I have been using Nginx for a long time. It performs well, it is stable, and it has been recognized by many people. Its configuration in particular reads a bit like a program: each directive ends with a ";" and blocks are enclosed in "{}". After editing, run nginx -t to check the configuration, and if the check succeeds run service nginx reload; the server picks up the new configuration smoothly, with no downtime. Recently I have been working on location configuration and ran into matching-priority problems (a misconfiguration here can be a security risk), so what follows are my own notes from learning about it.

I. Location matching modifiers
1. Exact match: =
The exact match uses the equals sign, and its characteristics come down to two points:
The URI must match exactly
Regular expressions are not supported
2. No modifier (plain prefix)
The characteristics of a location with no modifier are:
Matches any URI that begins with the specified prefix
Regular expressions are not supported
3. Regular expression match: ~
A regular expression match lets the location be written with a regular expression. Note that ~ on its own means:
Case-sensitive regular expression match
while ~* means:
Case-insensitive regular expression match
On operating systems whose file systems are not case sensitive there is no practical difference between the two. The other modifier is ^~, described here as a match that starts with the specified pattern (in the nginx documentation ^~ is a prefix modifier: the string after it is not a regular expression, and when such a location is the longest matching prefix, the regular expression locations are not checked at all).

4. Named location: @

Commonly used for error pages and internal redirects; it is not discussed here.

II. Matching priority
1. =
2. No modifier, when the prefix matches the whole URI exactly
3. ^~
4. ~ or ~*
5. No modifier, when the URI merely begins with the prefix
This is rather abstract, so let us look at an example. (Rule 2 is what the tests below observe on nginx 0.8.7. The nginx documentation notes that only in versions 0.7.1 to 0.8.41 did an exact match of a prefix location without = or ^~ terminate the search; later versions go on to check the regular expression locations and fall back to the longest matching prefix only if none of them matches.)

2.1 Exact (=) match versus a plain prefix that matches exactly

Look at the following example (using the Hello World module we completed together):

The code is as follows:

location /poechant {
    hello_world No1;
}

location = /poechant {
    hello_world No2;
}

If our request is http://my.domain/poechant, both locations match the requested URI. By the priority order above, the first is a plain prefix that happens to match exactly and the second is an = match, so the second has the higher priority; that is, the output should be:

hello_world, No2

This also shows that Nginx does not match locations in the order they are written in the configuration file.

2.2 A plain prefix that matches exactly versus ^~ with a regular expression

In the following example both locations are meant to match the URI exactly, even the one written with a regular expression.

The code is as follows:

location ^~ ^/poechant$ {
    hello_world No1;
}

location /poechant {
    hello_world No2;
}

Which one does it match? Test it and you get:

hello_world, No2

which is consistent with the priority order given above. (Note that because the string after ^~ is treated as a plain prefix, ^/poechant$ does not match a URI beginning with /poechant at all, so the first location could not have been selected in any case.)


2.3 Other priority comparisons
Omitted.


III. Summary of hands-on experience

1. Priority of location matching (summarized from practice)
(location =) > (location full path) > (location ^~ path) > (location ~* regex) > (location path)
As soon as one of them matches, the rest are ignored and that match is used.
Use the following example to test:

The code is as follows:

#1
location / {
    return 500;
}
#2
location /a/ {
    return 404;
}
#3
location ~* \.jpg$ {
    return 403;
}
#4
location ^~ /a/ {
    return 402;
}
#5
location /a/1.jpg {
    return 401;
}
#6
location = /a/1.jpg {
    return 400;
}

Note: when testing you must first comment some of these out, otherwise nginx treats the two /a/ locations (#2 and #4) as the same location and refuses the configuration as a duplicate; with that configuration the following is printed:

D:\nginx-0.8.7>nginx -s reload
[emerg]: duplicate location '/a/' in d:\nginx-0.8.7/conf/nginx.conf:53

Browser test: each time, request http://localhost:9999/a/1.jpg (the test was done on a Windows install, so the port is 9999). The file a/1.jpg does not exist at all; the point is to observe the status the page returns.

A. Result of a request with the full configuration above

The code is as follows:

400 Bad Request
--------------------------------------------------------------------------------
nginx/0.8.7

As the test shows, the highest priority is the = modifier; it is matched first.
B. Next we comment out #6, as follows:

The code is as follows:

#6
# location = /a/1.jpg {
#     return 400;
# }

Then reload the configuration (D:\nginx-0.8.7>nginx -s reload) and request http://localhost:9999/a/1.jpg; the result is:

The code is as follows:

401 Authorization Required
--------------------------------------------------------------------------------
nginx/0.8.7

Conclusion: with no = location, the location that names the full path is matched with priority. Testing also shows that if location /a/1.jpg is changed to location /a/1\.jpg, something unexpected happens: 402 is returned. (The backslash is taken literally in a prefix location, so /a/1\.jpg no longer matches /a/1.jpg, and the ^~ /a/ location wins instead.) From this it can be inferred that the full-path match takes precedence only when it is written as a plain path, without regular expression syntax.

C. In the same way, comment out #5, then reload as before.
Request http://localhost:9999/a/1.jpg; the result is:

The code is as follows:

402 Payment Required
--------------------------------------------------------------------------------
nginx/0.8.7

Conclusion: location ^~ has a higher priority than location ~*; here ^~ serves as the fallback path.

D. In the same way, comment out #4, then reload as before.
Request http://localhost:9999/a/1.jpg; the result is:

The code is as follows:

403 Forbidden
--------------------------------------------------------------------------------
nginx/0.8.7

Conclusion: from the comparisons above, the ~* match is preferred over the path with no modifier.

E. Likewise, comment out #3, reload as before, and also remove the "#" in front of #2 so that it is active again.
Request http://localhost:9999/a/1.jpg; the result is:

The code is as follows:

404 Not Found
--------------------------------------------------------------------------------
nginx/0.8.7

Conclusion: this comparison is meaningful because /a/ and / are the same kind of matching expression. From it we obtain the matching order among plain prefixes: the path is compared character by character, and the location that matches the most characters (the longest prefix) takes priority. So /a/ has priority over /.

The tests above are my own results, and the priority agrees with the rules given above. In real configurations we still often make mistakes. I remember that some time ago the Gen Y security team disclosed an "Nginx vulnerability"; personally I think it was not really an Nginx vulnerability, but rather that we did not understand Nginx's matching rules and the configuration itself contained a fatal hole. Given the priorities above, we can easily make the same fatal mistake when configuring.

The code is as follows:

# The following is a rough example; individual setups may differ.
# Assume the site lives in /home/www/html/ and all PHP and uploaded files are under that directory.
location ~* \.php$ {
    proxy_pass http://www.a.com;
}

location /upload/ {
    alias /home/www/html/upload/;
}

This upload directory is a static directory; our intention is that nothing under it can be executed, PHP files included.
If a user requests http://www.a.com/upload/1.css, the CSS is served directly. But if a user requests something like http://www.a.com/upload/1.php, then, as discussed above, the request actually matches ~* \.php$, and the PHP file under upload is executed.
So we have found a problem: this does not meet our requirements, because files under the static directory get executed. That is rather troublesome. Once some hole lets somebody save a PHP file there, we would still believe our configuration is fine and feel quite safe, while without realizing it we have opened a door for them.

So how do we change it?

The code is as follows:

location ~* \.php$ {
    proxy_pass http://www.a.com;
}
location ^~ /upload/ {
    alias /home/www/html/upload/;
}

Yes, ^~ has to be used, but that alone is still not safe. If you revisit http://www.a.com/upload/1.php you will find that the source code of the file is displayed. That is not something we want people to see: a page that displays source code is easy to find through a search engine by searching for particular keywords, exposing the file.
So how do we configure a secure upload directory? Yes, you guessed it: restrict the file types that are allowed.

The code is as follows:

location ~* \.php$ {
    proxy_pass http://www.a.com;
}

location ^~ /upload/ {
    if ($request_filename !~* \.(jpg|jpeg|gif|png|swf|zip|rar|txt)$) {
        return 403;
    }
    alias /home/www/html/upload/;
}

Any file whose extension is not in the list above is automatically refused with 403, which also avoids displaying source code.
From the matching results so far we know that among locations of the same kind with no modifier, the longest match wins. So how are locations matched when regular expressions are used?
The test is as follows (a new configuration file, with the server block included):

The code is as follows:

location ~* \.jpg$ {
    return 402;
}

location ~* 1\.jpg$ {
    return 403;
}

The results are as follows:

The code is as follows:

402 Payment Required
--------------------------------------------------------------------------------
nginx/0.8.7

So it returns 402, from the first location. In theory 1\.jpg is a more precise match than \.jpg, so the order here differs from what we saw above. Could it be that whichever location appears earlier in the file is matched? Let us test again:

The code is as follows:

location ~* 1\.jpg$ {
    return 403;
}

location ~* \.jpg$ {
    return 402;
}

The return result is:

The code is as follows:

403 Forbidden
--------------------------------------------------------------------------------
nginx/0.8.7

Ha, it is the other way round now, so my inference is correct: when all the locations are regular expressions and more than one of them matches, the one that appears earlier in the configuration file takes priority. That was all in one breath; I do not know whether you, my friend, have followed my train of thought. There are many, many comparisons of this kind, and we can test them one by one. Being familiar with location configuration is a necessary foundation for using nginx skillfully, because Nginx is so flexible and so popular. You may well run into the questions above yourself; I hope this is of help to you.
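As an added example (not part of the original post and not nginx's own code), the following Python model of nginx location selection replays the section III ladder test including the /a/1\.jpg variant, the three /upload/ configurations, and the two regex-order tests, so the priority rules can be checked without a server. It follows the selection order given in the nginx location documentation; the location tuples, labels, function names and the exact_prefix_terminates flag are my own, and the upload allowlist is applied to the URI rather than to $request_filename, which is equivalent for the extension check.

```python
import re

# Each location is (modifier, pattern, label); the label stands in for the location body
# (the status it returns or what it does), as in the tests on this page. Modifiers:
# "=" exact, "^~" prefix that stops regex checks, "~" regex, "~*" case-insensitive regex,
# "" plain prefix. The tuples, labels and function names are mine, not nginx's.

def resolve(locations, uri, exact_prefix_terminates=True):
    """Pick the location nginx would select for `uri` (order per the nginx docs).

    1. An "=" location equal to the URI wins outright.
    2. Among prefix locations ("" and "^~") the longest matching prefix is remembered;
       if it carries "^~" it is used without checking regexes. In nginx 0.7.1-0.8.41
       (this page tests 0.8.7) a plain prefix equal to the whole URI also ended the
       search; `exact_prefix_terminates=True` models that, False models current nginx.
    3. Regex locations are tried in file order; the first match wins.
    4. Otherwise the remembered prefix location is used (None if nothing matched).
    """
    seen = set()
    for mod, pat, _ in locations:
        if mod in ("", "^~"):
            if pat in seen:  # nginx refuses to load this: [emerg] duplicate location
                raise ValueError(f'duplicate location "{pat}"')
            seen.add(pat)
    best = None
    for mod, pat, label in locations:
        if mod == "=" and uri == pat:
            return label
        if mod in ("", "^~") and uri.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = (mod, pat, label)
    if best and (best[0] == "^~" or (exact_prefix_terminates and uri == best[1])):
        return best[2]
    for mod, pat, label in locations:
        if mod in ("~", "~*") and re.search(pat, uri, re.IGNORECASE if mod == "~*" else 0):
            return label
    return best[2] if best else None

# The six locations of section III; #2 duplicates #4's prefix, so it starts commented out.
LADDER = {
    1: ("",   "/",        500),
    2: ("",   "/a/",      404),
    3: ("~*", r"\.jpg$",  403),
    4: ("^~", "/a/",      402),
    5: ("",   "/a/1.jpg", 401),
    6: ("=",  "/a/1.jpg", 400),
}

def ladder_walk(uri="/a/1.jpg", **kw):
    """Replay steps A-E: remove the winning location each time and resolve again."""
    active, steps = [1, 3, 4, 5, 6], []
    for drop, restore in [(None, None), (6, None), (5, None), (4, None), (3, 2)]:
        if drop:
            active.remove(drop)
        if restore:
            active.append(restore)
        steps.append(resolve([LADDER[i] for i in sorted(active)], uri, **kw))
    return steps

def backslash_variant():
    """Step B with location /a/1\\.jpg instead of /a/1.jpg: the backslash is literal."""
    locs = [LADDER[1], LADDER[3], LADDER[4], ("", r"/a/1\.jpg", 401)]
    return resolve(locs, "/a/1.jpg")

# The three /upload/ configurations from the page.
PHP_PROXY = ("~*", r"\.php$", "proxy_pass (PHP executed)")
UPLOAD_PLAIN = ("", "/upload/", "alias (served as a static file)")
UPLOAD_NOREGEX = ("^~", "/upload/", "alias (served as a static file)")
# The page's allowlist; checked here against the URI instead of $request_filename.
ALLOWED_UPLOAD = re.compile(r"\.(jpg|jpeg|gif|png|swf|zip|rar|txt)$", re.IGNORECASE)

def upload_response(uri, hardened=False, allowlist=False):
    """What a request under /upload/ gets: proxied to PHP, served statically, or 403."""
    chosen = resolve([PHP_PROXY, UPLOAD_NOREGEX if hardened else UPLOAD_PLAIN], uri)
    if allowlist and chosen == UPLOAD_NOREGEX[2] and not ALLOWED_UPLOAD.search(uri):
        return 403  # the `if ($request_filename !~* ...) { return 403; }` guard
    return chosen

def regex_order(first_specific):
    """Two regex locations that both match /a/1.jpg: file order decides."""
    broad, specific = ("~*", r"\.jpg$", 402), ("~*", r"1\.jpg$", 403)
    return resolve([specific, broad] if first_specific else [broad, specific], "/a/1.jpg")

if __name__ == "__main__":
    print("ladder, nginx 0.8.7 rules:   ", ladder_walk())
    print("ladder, current nginx rules: ", ladder_walk(exact_prefix_terminates=False))
    print("/a/1\\.jpg variant:", backslash_variant())
    for cfg in [dict(), dict(hardened=True), dict(hardened=True, allowlist=True)]:
        print(cfg, "->", upload_response("/upload/1.php", **cfg))
    print("regex order:", regex_order(False), regex_order(True))
```

Run stand-alone it prints each replayed step. Two points the model makes visible: with exact_prefix_terminates=False (the behaviour of nginx after 0.8.41) step B yields 403 instead of 401, because a plain prefix that equals the whole URI no longer stops the regex check, so on current versions only ^~ or = keeps /upload/ requests away from the \.php$ location; and the allowlist as written on this page does not include css, so the /upload/1.css request mentioned earlier would now get 403 unless css is added to the list.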
