On Thu, 27 Apr 2006, Alexander Lazic wrote:
It's name-based virtual hosts. nginx serves about 10% of .ru name-based
virtual hosts. The physical instances, I suppose, are about 1000, no more.
> 2.) How much traffic goes through nginx on real sites; is there any
> reference site?!
Most sites are Russian or ex-USSR country sites.
I use nginx at work: www.rambler.ru, one of the largest Russian search
engines, portals and free e-mail servers. Some of our sites handle up to
1000-2500 requests/second and have 10000-30000 keep-alive connections.
There are also at least
1) 3 large free hosting sites,
2) 3 large free photo hosting sites,
3) 2 large blog sites,
4) 2 large dating sites,
5) 1 large free e-mail site.
The more popular the software, the more people look at the sources to find security bugs.
To date, nginx has had two security bugs.
The first bug is similar to http://www.securityfocus.com/archive/1/390664
You should not combine the scripts root and the static files root,
but if FastCGI scripts are located in /www and you are using this configuration:
    location / {
        root /www;
    }
    location ~ \.php$ {
        fastcgi_pass localhost:9000;
        ...
    }
then you were able to see the PHP source code using "/script.php%00".
Now nginx simply returns 404 if a URI mapped to a static file has '\0' anywhere in it.
The second bug.
If an upstream returns "X-Accel-Redirect: /protected/uri", then nginx does an
internal redirect. This allows handling large protected downloads:
    location /protected/ {
        internal;
        root ...;
    }
The "internal" directive allows access to this location only for internal
redirects and rewrites.
nginx allowed ".." in X-Accel-Redirect, so if someone had cracked a backend,
he was able to get files outside the location root.
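The two checks the post describes, written out as an added example in C (this is generic request-validation code written for this page, not nginx's own source). It assumes a simplified model of the configuration above: a percent-decoded URI containing a NUL byte gets a 404, a URI ending in ".php" goes to FastCGI, everything else is mapped to the static root; and an X-Accel-Redirect value is only accepted if it is an absolute path with no "." or ".." segment. The sample URIs in main() are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hex digit to value, or -1 if not a hex digit. */
static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode `uri` into `out` (capacity `outlen`, NUL-terminated).
 * Returns the decoded length, or -1 if the input is malformed, does not
 * fit, or decodes to a NUL byte. An embedded NUL is the first bug: the C
 * library's open() stops at it, so "/script.php%00" missed the \.php$
 * location and was served as the static file /www/script.php. */
int decode_uri(const char *uri, char *out, size_t outlen) {
    size_t n = 0;
    for (const char *p = uri; *p; p++) {
        char c = *p;
        if (c == '%') {
            int hi = hexval(p[1]);
            if (hi < 0) return -1;          /* also stops at end of string */
            int lo = hexval(p[2]);
            if (lo < 0) return -1;
            c = (char)(hi * 16 + lo);
            p += 2;
        }
        if (c == '\0') return -1;           /* reject embedded NUL: 404 */
        if (n + 1 >= outlen) return -1;
        out[n++] = c;
    }
    out[n] = '\0';
    return (int)n;
}

enum handler { HANDLER_404, HANDLER_FASTCGI, HANDLER_STATIC };

/* Route a raw request URI the way the configuration in the post does,
 * with the NUL check applied before any file mapping (assumed model). */
enum handler route_request(const char *raw_uri) {
    char path[256];
    int n = decode_uri(raw_uri, path, sizeof path);
    if (n < 0) return HANDLER_404;
    if (n >= 4 && strcmp(path + n - 4, ".php") == 0) return HANDLER_FASTCGI;
    return HANDLER_STATIC;
}

/* Validate an X-Accel-Redirect target before an internal redirect: it must
 * be an absolute path with no "." or ".." segment, so it cannot escape the
 * root of the internal location (the second bug). The value is decoded
 * first so "%2e%2e" cannot slip past the check (assumed policy). */
bool accel_redirect_is_safe(const char *value) {
    char path[256];
    if (decode_uri(value, path, sizeof path) < 0) return false;
    if (path[0] != '/') return false;
    const char *seg = path + 1;
    for (;;) {
        const char *end = strchr(seg, '/');
        size_t len = end ? (size_t)(end - seg) : strlen(seg);
        if (len == 1 && seg[0] == '.') return false;
        if (len == 2 && seg[0] == '.' && seg[1] == '.') return false;
        if (!end) return true;
        seg = end + 1;
    }
}

int main(void) {
    /* constructed sample inputs */
    const char *uris[] = { "/index.php", "/script.php%00", "/img/logo.png" };
    const char *names[] = { "404", "fastcgi", "static" };
    for (size_t i = 0; i < 3; i++)
        printf("%-16s -> %s\n", uris[i], names[route_request(uris[i])]);
    const char *redirects[] = { "/protected/file.iso", "/protected/../etc/passwd" };
    for (size_t i = 0; i < 2; i++)
        printf("%-26s -> %s\n", redirects[i],
               accel_redirect_is_safe(redirects[i]) ? "allowed" : "rejected");
    return 0;
}
```

The important ordering is that the NUL check runs on the decoded URI before it is handed to any filesystem call, because the truncation happens inside the C library, not in the server's own string handling; likewise the redirect value is checked segment by segment rather than with a substring search, so a legitimate name such as "/protected/a..b" still passes.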