| Subject: | Re[4]: Regular Expression global redirect | |
|---|---|---|
| From: | Max (ngin...@mail.ru) | |
| Date: | Feb 27, 2012 7:46:38 pm | |
| List: | ru.sysoev.nginx | |
February 27, 2012, 14:13, from António P. P. Almeida <ap...@perusio.net>:
On 27 Fev 2012 07h33 CET, ngin...@mail.ru wrote:
February 27, 2012, 04:41, from António P. P. Almeida <appa at perusio.net>:

    server {
        listen 80;
        server_name ~^www\.(?P<domain>.*)$;
        return 301 $scheme://$domain$request_uri;
    }

    server {
        listen 80;
        server_name ~^(?P<domain_name>[^\.]*)\.(?P<tld>[^\.]*)$;

        location / {
            proxy_pass http://$domain_name.$tld;
        }
    }

This should work [1].
Your solution, while syntactically correct, is wrong by design. What you created there is an open anonymizing proxy that will pass any request from anyone to any host:port combination that contains only the domain name and the TLD, if a functional resolver has been set up using the resolver directive. Take a guess what this would do:
This deals with illegal Host headers:

    server {
        listen 80 default_server;
        server_name _;
        server_name_in_redirect off;
        return 444;
    }

If by deals you mean gives a card to every player who wants one, then you are correct. :-P But it does nothing to close that open anonymizing proxy you created with the previous server block; anyone can still use your frontend server as an open anonymizing proxy to access any domain.tld:port they want, including fbi.gov:22.
Besides, server_name_in_redirect is off by default. Moreover, it's completely useless in that server block because you're just dropping the connection anyway. This would have been just as useful:
proxy_set_header Warning "CPU cycle wasting in progress...";
As for illegal Host headers, nginx takes care of those on its own and returns error code 400 without such blocks. The purpose of such blocks is to catch everything else that is not matched by defined server names. In your case, the other two server blocks already match any requests that have the Host header set to start with www or contain a domain.tld type of hostname, so your latest server block just catches everything else (requests with missing Host headers, IP addresses, nonwwwhostname.domain.tld hostnames etc.).
To put it simply - your configuration is wrong and should not be used, unless you want to "deal with" the FBI in the near future.
Max
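
An added example, not part of the original message or of nginx itself: a small Python check that flags `server` blocks of the kind criticised above, where `proxy_pass` is built from variables that a `server_name` regex captures from the Host header. It goes slightly beyond the thread's case by also treating `$host` and `$http_host` as Host-derived. The sample configuration is constructed from the blocks quoted in the thread plus a hypothetical fixed-upstream block; the function names are illustrative, and the scanner assumes no braces or semicolons inside the regexes.

```python
import re

# Constructed sample: blocks 1-2 are the configuration quoted in the thread;
# block 3 is a hypothetical fixed-upstream variant (names and address assumed).
SAMPLE = r"""
server { listen 80; server_name ~^www\.(?P<domain>.*)$;
         return 301 $scheme://$domain$request_uri; }
server { listen 80; server_name ~^(?P<domain_name>[^\.]*)\.(?P<tld>[^\.]*)$;
         location / { proxy_pass http://$domain_name.$tld; } }
server { listen 80; server_name example.com;
         location / { proxy_pass http://127.0.0.1:8080; } }
"""

# Variables nginx derives from the client-supplied Host header.
HOST_VARS = {"host", "http_host"}

def server_blocks(conf):
    """Yield the body of each `server { ... }` block, found by brace matching."""
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def find_open_proxy(conf):
    """Return (server_name, proxy_pass target, client-controlled variables)
    for every proxy_pass whose upstream is built from the Host header."""
    findings = []
    for body in server_blocks(conf):
        names = re.findall(r"\bserver_name\s+([^;]+);", body)
        tainted = set(HOST_VARS)
        for name in names:
            # Named captures in a server_name regex become nginx variables.
            tainted.update(re.findall(r"\(\?P?<(\w+)>", name))
        for target in re.findall(r"\bproxy_pass\s+([^;]+);", body):
            used = set(re.findall(r"\$\{?(\w+)", target)) & tainted
            if used:
                findings.append((" ".join(names), target, sorted(used)))
    return findings

if __name__ == "__main__":
    for name, target, variables in find_open_proxy(SAMPLE):
        print(f"server_name {name}: proxy_pass {target} uses {variables}")
```

Only the second block of the sample is reported; the redirect-only block and the block with a fixed upstream address are not.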