From 6b59800dc65fed855ecfdeb9fe40a37807ecfeb9 Mon Sep 17 00:00:00 2001 From: Alex Balgavy Date: Wed, 3 Mar 2021 12:21:06 +0100 Subject: [PATCH] Fix security vulnerabilities in suggested nginx configuration The suggested configurations for nginx found in the documentation and templates lead to vulnerabilities allowing host spoofing [1] and path traversal [2], as reported by Gixy [3]. This commit fixes those issues. [1] https://github.com/yandex/gixy/blob/master/docs/en/plugins/hostspoofing.md [2] https://github.com/yandex/gixy/blob/master/docs/en/plugins/aliastraversal.md [3] https://github.com/yandex/gixy --- docs/admin/filtron.rst | 2 +- docs/admin/installation-nginx.rst | 16 ++++++++-------- .../default.apps-available/searx.conf:filtron | 6 +++--- 3 files changed, 12 insertions(+), 12 deletions(-) diff --git a/docs/admin/filtron.rst b/docs/admin/filtron.rst index 503a4d51..41c4a31d 100644 --- a/docs/admin/filtron.rst +++ b/docs/admin/filtron.rst @@ -173,7 +173,7 @@ Use it along with ``nginx`` with the following example configuration. location /searx { proxy_pass http://127.0.0.1:4004/; - proxy_set_header Host $http_host; + proxy_set_header Host $host; proxy_set_header Connection $http_connection; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; diff --git a/docs/admin/installation-nginx.rst b/docs/admin/installation-nginx.rst index 430ebbcc..97966c8c 100644 --- a/docs/admin/installation-nginx.rst +++ b/docs/admin/installation-nginx.rst @@ -182,7 +182,7 @@ Started wiki`_ is always a good resource *to keep in the pocket*. location /searx { proxy_pass http://127.0.0.1:4004/; - proxy_set_header Host $http_host; + proxy_set_header Host $host; proxy_set_header Connection $http_connection; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; @@ -190,8 +190,8 @@ Started wiki`_ is always a good resource *to keep in the pocket*. proxy_set_header X-Script-Name /searx; } - location /searx/static { - alias /usr/local/searx/searx-src/searx/static; + location /searx/static/ { + alias /usr/local/searx/searx-src/searx/static/; } @@ -205,7 +205,7 @@ Started wiki`_ is always a good resource *to keep in the pocket*. location /morty { proxy_pass http://127.0.0.1:3000/; - proxy_set_header Host $http_host; + proxy_set_header Host $host; proxy_set_header Connection $http_connection; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; @@ -309,8 +309,8 @@ Started wiki`_ is always a good resource *to keep in the pocket*. proxy_buffering off; } - location /searx/static { - alias /usr/local/searx/searx-src/searx/static; + location /searx/static/ { + alias /usr/local/searx/searx-src/searx/static/; } The ``X-Script-Name /searx`` is needed by the searx implementation to @@ -328,8 +328,8 @@ Started wiki`_ is always a good resource *to keep in the pocket*. uwsgi_pass unix:/run/uwsgi/app/searx/socket; } - location /searx/static { - alias /usr/local/searx/searx-src/searx; + location /searx/static/ { + alias /usr/local/searx/searx-src/searx/; } For searx to work correctly the ``base_url`` must be set in the diff --git a/utils/templates/etc/nginx/default.apps-available/searx.conf:filtron b/utils/templates/etc/nginx/default.apps-available/searx.conf:filtron index d3137e42..a89aa38b 100644 --- a/utils/templates/etc/nginx/default.apps-available/searx.conf:filtron +++ b/utils/templates/etc/nginx/default.apps-available/searx.conf:filtron @@ -3,7 +3,7 @@ location ${SEARX_URL_PATH} { proxy_pass http://127.0.0.1:4004/; - proxy_set_header Host \$http_host; + proxy_set_header Host \$host; proxy_set_header Connection \$http_connection; proxy_set_header X-Real-IP \$remote_addr; proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; @@ -11,6 +11,6 @@ location ${SEARX_URL_PATH} { proxy_set_header X-Script-Name ${SEARX_URL_PATH}; } -location ${SEARX_URL_PATH}/static { - alias ${SEARX_SRC}/searx/static; +location ${SEARX_URL_PATH}/static/ { + alias ${SEARX_SRC}/searx/static/; }