| From | Sent On | Attachments |
|---|---|---|
| Igor Sysoev | Aug 27, 2011 1:10 am | .ranges |
| Juan Angulo Moreno | Aug 27, 2011 7:03 pm | |
| Maxim Dounin | Aug 28, 2011 1:45 am | |
| Venky Shankar | Aug 28, 2011 2:41 am | |
| Gena Makhomed | Aug 28, 2011 7:18 am | |
| Maxim Dounin | Aug 28, 2011 7:24 am | |
| Maxim Dounin | Aug 28, 2011 9:35 am | |
| Venky Shankar | Aug 28, 2011 9:48 am | |
| Maxim Dounin | Aug 28, 2011 1:21 pm | |
| Gena Makhomed | Aug 28, 2011 1:38 pm | |
| Maxim Dounin | Aug 28, 2011 5:14 pm | |
| Gena Makhomed | Aug 29, 2011 11:30 am | |
| Igor Sysoev | Aug 29, 2011 11:45 am | |
| Jim Ohlstein | Sep 1, 2011 4:59 am | |
| Subject: | Re: nginx and Apache killer | |
|---|---|---|
| From: | Maxim Dounin (mdou...@mdounin.ru) | |
| Date: | Aug 28, 2011 1:45:51 am | |
| List: | ru.sysoev.nginx | |
Hello!
On Sat, Aug 27, 2011 at 09:34:11PM -0430, Juan Angulo Moreno wrote:

> Hi,
>
> I use nginx 1.0 on my server (with fastcgi + php5 support); it runs several websites using WordPress. Today my hard disk is full (this runs on a VPS service). The error.log file occupied 6.8 GB and the mysql server is frozen. How can I prevent nginx from filling the disk if someone applies the Apache killer script to it?

The usual approach is to rotate logs periodically and/or control the logging level via the error_log directive. And this isn't specific to any particular script, this is just administration basics.

Maxim Dounin

> Thank you!
>
> 2011/8/27 Igor Sysoev <ig...@sysoev.ru>:
>
> > Following the "Apache Killer" discussions and the advisory from 2011-08-24 (Advisory: Range header DoS vulnerability Apache HTTPD 2.x CVE-2011-3192), we'd like to clarify a couple of things in regard to nginx behavior, either in standalone or "combo" (nginx+apache) mode.
> >
> > First of all, nginx doesn't favor HEAD requests with compression, so the exact attack mentioned doesn't work against a standalone nginx installation.
> >
> > If you're using nginx in combination with proxying to an apache backend, please check your configuration to see if nginx actually passes range requests to the backend:
> >
> > 1) If you're using proxying WITH caching, then range requests are not sent to the backend and your apache should be safe.
> > 2) If you're NOT using caching, then you might be vulnerable to the attack.
> >
> > In order to mitigate this attack when your installation includes apache behind nginx, we recommend the following:
> >
> > 1. Refer to the above-mentioned security advisory CVE-2011-3192 for apache and implement the described measures accordingly.
> > 2. Consider using the nginx configuration below (in the server{} section of the configuration). This particular example filters 5 and more ranges in the request:
> >
> >     if ($http_range ~ "(?:\d*\s*-\s*\d*\s*,\s*){5,}") { return 416; }
> >
> > We'd also like to notify you that for standalone nginx installations we've produced the attached patch. This patch prevents handling malicious range requests at all, instead outputting just the entire file if the total size of all ranges is greater than the expected response.
> >
> > -- Igor Sysoev
> >
> > _______________________________________________ nginx mailing list ngi...@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx
>
> -- Juan A. Moreno http://apostols.net Fingerprint GPG: 0FEE E0BF 2904 FE77 1682 2171 C842 DBF1 34BC CD04
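The two Range-header checks Igor describes in the quoted message (the regex that rejects requests carrying many ranges, and the patch's rule of sending the entire file when the ranges together ask for more bytes than the response has) reimplemented in Python as an added example. This is not nginx's code and not the attached `.ranges` patch: `parse_byte_ranges`, `range_decision` and the constructed `APACHE_KILLER_STYLE_HEADER` are this example's own, and the RFC 2616 byte-range semantics are simplified (no If-Range, no multipart body is built). It does copy Igor's regex verbatim so its behaviour can be checked against real headers.

```python
"""Range-header checks in the spirit of the nginx thread (added example, not nginx code)."""
import re
from typing import List, Optional, Tuple

# The regex Igor posted for the nginx `if ($http_range ~ ...) { return 416; }` rule.
# nginx uses PCRE; Python's re evaluates this particular pattern the same way.
NGINX_RANGE_FILTER = re.compile(r"(?:\d*\s*-\s*\d*\s*,\s*){5,}")

# Constructed attack header (not the literal killapache script): 1000 overlapping
# open-ended ranges, each of which asks for almost the whole entity.
APACHE_KILLER_STYLE_HEADER = "bytes=" + ",".join(f"{k}-" for k in range(1000))


def nginx_filter_rejects(range_header: str) -> bool:
    """True when the posted nginx rule would answer 416 for this Range header."""
    return NGINX_RANGE_FILTER.search(range_header) is not None


def parse_byte_ranges(range_header: str, size: int) -> Optional[List[Tuple[int, int]]]:
    """Parse 'bytes=a-b,c-,-d' into inclusive (start, end) pairs clamped to an entity
    of `size` bytes (simplified RFC 2616 s14.35.1 semantics).

    Returns None when the header is syntactically invalid (e.g. '5-0' or a bare '-');
    a server then treats the Range header as absent.  Unsatisfiable specs are dropped,
    so an empty list means nothing in the set could be served (416)."""
    if not range_header.lower().startswith("bytes="):
        return None
    ranges: List[Tuple[int, int]] = []
    for spec in range_header[len("bytes="):].split(","):
        m = re.fullmatch(r"\s*(\d*)\s*-\s*(\d*)\s*", spec)
        if not m:
            return None
        first, last = m.group(1), m.group(2)
        if first == "":
            if last == "":
                return None                      # bare "-" is invalid
            suffix_len = int(last)
            if suffix_len == 0:
                continue                         # "-0" is unsatisfiable
            ranges.append((max(size - suffix_len, 0), size - 1))
            continue
        start = int(first)
        end = size - 1 if last == "" else int(last)
        if end < start:
            return None                          # "5-0": invalid, not merely unsatisfiable
        if start >= size:
            continue                             # starts beyond the entity: unsatisfiable
        ranges.append((start, min(end, size - 1)))
    return ranges


def total_range_bytes(ranges: List[Tuple[int, int]]) -> int:
    """Bytes a multipart/byteranges response would carry, overlaps counted each time."""
    return sum(end - start + 1 for start, end in ranges)


def range_decision(range_header: str, size: int) -> str:
    """'full', 'partial' or '416', applying the rule Igor describes for the patch:
    when the ranges together ask for more bytes than the entity has, ignore the
    Range header and send the whole file instead of a multipart response."""
    ranges = parse_byte_ranges(range_header, size)
    if ranges is None:
        return "full"
    if not ranges:
        return "416"
    if total_range_bytes(ranges) > size:
        return "full"
    return "partial"


if __name__ == "__main__":
    size = 10_000
    for header in ("bytes=0-99,-500", APACHE_KILLER_STYLE_HEADER):
        ranges = parse_byte_ranges(header, size) or []
        print(f"{len(ranges):5d} ranges, {total_range_bytes(ranges):9d} bytes requested,"
              f" nginx filter: {'416' if nginx_filter_rejects(header) else 'pass'},"
              f" decision: {range_decision(header, size)}")
```

Two things worth noticing when running it. The amplification is in the byte count, not the range count: on a 10,000-byte entity the constructed header asks for 9,500,500 bytes, which is why the patch's "more than the expected response" rule catches it. And the posted regex requires five comma-terminated range specs, so a header with exactly five ranges (and no trailing comma) is not rejected; it takes six before the rule fires. If you need the cutoff at five, use `{4,}`.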