Questions tagged [nginx]
nginx [engine x] is an HTTP and reverse proxy server, written by Igor Sysoev
191 questions
0 votes | 1 answer | 98 views
the integration of NGINX and HSM in TLS offloading
I'm trying to understand the interaction between NGINX and a Hardware Security Module (HSM) during TLS offloading, particularly in relation to session key handling.
Here's my current understanding:
...
8 votes | 1 answer | 2k views
Is Free Nginx Suspect/Sketchy? [closed]
There is a website (https://freenginx.org) which allows you to use Free Nginx, but it has to be compiled from source, and it appears to originate from Russia, but so does nginx.
It includes CVEs as ...
0 votes | 1 answer | 196 views
Setup Tor Hidden Service Anonymously
I've recently become interested in setting up a hidden Tor service.
Can my ISP detect that I am hosting a hidden server?
Is the first relay able to detect what address I am hosting?
0 votes | 1 answer | 248 views
How exploitable is a redirect caused by sending a malicious X-Forwarded-Host header?
I have an Nginx reverse proxy that connects to different servers in the back-end according to the SNI. Recently it was pointed out to me that if I add a header X-Forwarded-Host to something like https://...
0 votes | 1 answer | 157 views
Nginx Fails to Load PKCS#11 Key—But Works with strace. Why?
I'm trying to set up an Nginx proxy that uses a private key stored in SoftHSM through an SSH socket connection. The setup is as follows:
[SoftHSM Container] -----ssh -R ...... --> [Nginx Proxy ...
1 vote | 1 answer | 140 views
(nginx) ssl_certificate_key in Handshake of TLS 1.2 and 1.3
I am confused about the TLS handshake process in TLS 1.2 and TLS 1.3.
When configuring Nginx with SSL enabled, does the ssl_certificate_key play a role in the TLS handshake itself, or is it only used ...
1 vote | 0 answers | 104 views
Is reducing the webserver stack from Caddy, NGINX and PHP-FPM to only Caddy and PHP-FPM a reduction in layered-security?
I have a situation where a webserver behind a network firewall is run inside Docker containers. It is set up in this order:
Caddy webserver - acts as WAF, GEOIP block, IP blacklist, HTTP Security ...
1 vote | 0 answers | 128 views
How does an nginx proxy communicate with a remote SoftHSM for offloading?
I am setting up an nginx proxy. It requires the use of an HSM for TLS offloading. So I configure nginx to enable ssl_engine pkcs11;; instead of indicating the ssl_certificate_key file path, I use a pkcs11 URI to ...
1 vote | 1 answer | 906 views
Can anyone provide any advice on this Logwatch analysis?
I received this Logwatch report:
Connection attempts using mod_proxy:
xx.xx.xxx.xx -> codeforces.com:443: 1 Time(s)
A total of 2 possible successful probes were detected (the following URLs
...
2 votes | 1 answer | 145 views
How can a malicious user change a file on the server without it being logged in the server logs, and how can I protect against it?
Our server has been hacked: a .php file accessible from outside was modified to include execution of shell commands passed in a POST parameter. I've been inspecting the relevant log file and couldn't find the ...
0 votes | 1 answer | 540 views
How do I unblock a request uri in Modsecurity CRS?
I have installed an Nginx WAF with ModSecurity CRS. This WAF protects a backend WordPress.
One request from one of the plugins generated a false positive on the Modsecurity with the rule id 933120.
I ...
0 votes | 2 answers | 339 views
Automatically check if a certificate matches specific ciphers
My nginx backend server supports the following ciphers:
ssl_ciphers "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:...
2 votes | 1 answer | 682 views
ModSecurity blocks my legit XHR POST request (403 Forbidden)
I'm new to the ModSecurity topic, so maybe my question is stupid, but...
I have set up ModSecurity on my new nginx/1.24.0 server with the default set of recommended rules, coreruleset-3.3.0, and since then my ...
2 votes | 2 answers | 921 views
How do you verify if a request is from a genuine user or from a malicious user? [closed]
Consider client A, which wants to verify payments, and server B, which verifies payments.
Client A sends around a million requests to server B's API in a single day.
However:
only 1% of the requests ...
0 votes | 0 answers | 330 views
How to reproduce Tomcat 9.0.0.M1 HTTP smuggling vulnerabilities?
I'm trying to reproduce some of the Tomcat 9.x.x vulnerabilities from this list, in particular the HTTP smuggling vulnerabilities. However, so far I haven't been able to reproduce any of them. ...
0 votes | 2 answers | 2k views
docker daemon reports 'tls: unconfigured cipher suite' for Nginx reverse proxy of Artifactory Docker registry
I am migrating to Artifactory on RHEL8 as a Docker remote repository, i.e. Artifactory is a proxy for a docker registry hosted through Jfrog.io.
We have a legacy registry with config in /etc/docker/...
0 votes | 1 answer | 288 views
Does using Apache/nginx actually improve security of a webapp?
Let's say there is a webapp where users can upload files with sensitive data and view analytics generated by the backend. Does using a reverse proxy like nginx or Apache actually help with the ...
0 votes | 0 answers | 913 views
HTTP request smuggling on NGINX gives error 400?
I'm learning about HTTP request smuggling and for this I'm trying to "break" into a broken site that is running under Docker. The architecture of the site is Cache -> NGINX -> site. ...
3 votes | 0 answers | 1k views
Weird hack attempt nginx proxy manager and photoprism drives me nuts
I have a logged http request in nginx logs which drives me nuts because I don't understand how it's finding its way into the logs:
[03/Jul/2023:13:45:04 +0000] 400 - GET http localhost "/bin/...
0 votes | 2 answers | 802 views
Getting a couple of remote login and calls into Ubuntu server?
I have an Ubuntu server (Ubuntu 22.10 x64) on Digital Ocean. I am using FastAPI, uvicorn, gunicorn and nginx for my backend API calls from my frontend, and my frontend IP is dynamic.
...
0 votes | 0 answers | 1k views
Arbitrary File Upload Vulnerability
I have found an arbitrary file upload vulnerability on a flask application that I was playing with that essentially allows me to append to any file (and create new ones) in the file system. The code ...
1 vote | 1 answer | 2k views
Website randomly downloading html files to visitors [closed]
Another behaviour I found on a website with malware issues.
It keeps downloading random files like one named s2bbGoEJ.html to users computers. It actually tried to automatically download one such file ...
0 votes | 1 answer | 667 views
Cloudflare does not hide VPS IP (nginx)
I have a problem with hiding the VPS IP using Cloudflare. My IP can be found on search.censys.io. I don't have any DNS leaks. I'm using nginx to reverse proxy a node.js server. Is it possible to hide ...
1 vote | 1 answer | 475 views
Do you encrypt traffic between GKE nodes and external Load balancers?
I have a GKE standard deployment in GCP. I have TLS terminating at an IAAS managed load balancer, provided by their Ingress controller. The certificates are GoogleManagedCertificates. I'm fine with ...
1 vote | 2 answers | 437 views
Can an NGINX reverse proxy reveal the backend if serving non-static content?
My setup consists of a public-facing VPS running NGINX, and a local machine running certain services. The VPS and the local machine are connected using WireGuard, and NGINX on the VPS is using ...
1 vote | 2 answers | 4k views
How bad is it to open the qBittorrent web UI port?
I have a small home server that runs qBittorrent in a Docker container, and I was wondering how bad/risky it is if I forward the port for the web UI so I can access it from outside my network.
I know ...
2 votes | 1 answer | 994 views
Is it better for security not to run Nginx and the backend inside Docker, and to use Docker only for the database and other non-externally-exposed services?
I'm not a Docker specialist; I know how to install, configure and do only basic Docker hardening based on the official Docker documentation.
I know nothing about AppArmor, SELinux and GRSEC.
But I need to ...
0 votes | 1 answer | 632 views
Suspicious looking requests to my NGINX server
For the past 2 weeks, I have observed 4-5 spikes in 5xx responses. After looking into the logs, I found a series of:
> 51.159.150.125 - - [16/Sep/2022:06:37:55 +0200] "GET /some-legitimate-...
1 vote | 0 answers | 198 views
When passing through SSL from web server A to web server B (via nginx), does web server A need SSL configured as well, or just web server B?
I'm using nginx here as an example, but this is really more of a conceptual question about SSL termination and TCP that could apply to any web server.
Basically, if web server A receives TCP traffic ...
0 votes | 0 answers | 390 views
Very slow SOAP POST request processing with ModSecure for certain rules (SQL, IIS and system exploits)
While trying to implement an Nginx WAF with ModSecurity 3.0.6 I am facing an issue with very poor XML SOAP POST performance. Requests take ~5 seconds with occasional spikes up to 10 seconds.
If I ...
0 votes | 0 answers | 18 views
Can anyone help find what shady things are logged on my nginx webserver? [duplicate]
I have hosted a simple React website (testing) with an nginx webserver and Cloudflare as SSL provider. My website has been down for a few days with Cloudflare error 525 "SSL handshake failed". I was ...
0 votes | 1 answer | 290 views
Ruby on Rails: Request to http://\localhost/admin/config.php
I got an exception notification for a request from 92.118.39.180:61001 to: http://\localhost/admin/config.php
This is the notification:
-------------------------------
Request:
------------------------...
0 votes | 1 answer | 430 views
How might I rate-limit in nginx against a distributed attacker that has set the number of parallel connections in xerxes to 1?
An attacker tweaks xerxes by setting the number of CONNECTIONS in xerxes to 1 instead of 8, like so:
#define CONNECTIONS 1
They then attack with xerxes-executable mydomain 433.
Their strategy is to ...
0 votes | 1 answer | 936 views
TLS session tickets between proxy and upstreams
I'm planning to implement (nginx) ssl_session_tickets in addition to ssl_session_cache between a proxy and upstream. They're not located in the same DC so TLS must be in place.
My questions are: 1) ...
0 votes | 1 answer | 788 views
LAN Only Webserver
I am on a 192.x.x.x network and have a local server that hosts some webapps for the local users of the network. The server is running:
Ubuntu
VPN
Nginx Reverse Proxy with the site.conf including: ...
2 votes | 1 answer | 931 views
What are NGINX reverse proxy users doing to prevent HTTP request smuggling?
Since NGINX does not support sending HTTP/2 requests upstream, what are current NGINX reverse proxy users doing to mitigate the HTTP request smuggling vulnerability?
I understand that the best way to ...
2 votes | 1 answer | 3k views
Should we enable UFW for EC2 (Ubuntu Server) instance with Nginx?
I just finished installing Nginx on my EC2 Ubuntu Server (AWS) and everything looks normal.
I tested it on my browser by accessing my EC2 public IP. I can see Nginx's welcome message.
It's not a big ...
1 vote | 1 answer | 615 views
How to stop multiple port access attempts - multiple TIME_WAIT and ESTABLISHED lines on ports 80, 443, etc... from external IPs
I have nginx as reverse proxy and apache in the back, a firewall setup to enable just http and https, and ssh.
netstat -tlupna gives me tens of lines with multiple TIME_WAIT or ESTABLISHED lines ...
0 votes | 0 answers | 315 views
Possible VNC-over-HTTP exploit involving Nginx?
I have the following setup Nginx + php-fpm, Nginx is running on port 80 and 443.
Recently I noticed that connections were made from this servers port 80 to a remote machine on port 580x. [ src port is ...
0 votes | 1 answer | 560 views
Why is my SecAction rule being ignored?
I'm trying to configure a SecAction rule to help me tune ModSecurity 3 following this "How to tune your WAF installation to reduce false positives" tutorial, but the rule seems to be ignored and the msg ...
1 vote | 1 answer | 3k views
Blocking nginx from nmap version detection [duplicate]
Is there an efficient way to hide nginx from Nmap's Version Detection scan (nmap -sV)? The following is a sample result, we are trying to hide the nginx (reverse proxy) string.
PORT STATE SERVICE ...
0 votes | 1 answer | 609 views
How to use DH certificate to configure nginx server
My purpose is to leverage DH algorithm to enhance self-signed certificate (A toy in local computer).
I referred to the answer of Matt Caswell. It works fine to generate the dhcert.pem but fails to ...
1 vote | 1 answer | 484 views
Encryption with Tomcat & Nginx reverse proxy
I'm working with Tomcat and nginx as a reverse proxy and I'm trying to have a better understanding of how the traffic flows and of what the security issues are. Picture this as what I have in mind:
...
1 vote | 1 answer | 2k views
Changing $_SERVER['REMOTE_ADDR'] remotely
On an nginx web server running the following config, is it possible to change $_SERVER['REMOTE_ADDR'] remotely?
user www;
pid /run/nginx.pid;
error_log /dev/stderr info;
events {
...
1 vote | 1 answer | 3k views
Spam GET And POST Requests - Are They Dangerous?
I am getting a lot of spam GET and POST requests lately, some of which look like this:
"GET /config/getuser?index=0 HTTP/1.1" 404 143 "-" "Mozilla/5.0 (X11; Ubuntu; Linux ...
1 vote | 1 answer | 865 views
Can a machine running a packet sniffer see what nginx is forwarding on localhost to a Flask app?
I want to serve a Flask application from my PC. Only other machines in my network should be able to consume the API. However, I wish to have the communication between the other machines and the API ...
2 votes | 2 answers | 407 views
Is it unsafe to publish your nginx configs?
I've recently started to automate a lot of my tasks for my private VPS. A significant part of working with this server is ensuring the nginx webserver, which handles a reverse proxy to multiple ...
2 votes | 3 answers | 979 views
Is there any way for a client to view headers set by an NGINX reverse proxy?
I am setting up an NGINX reverse proxy, which sits in front of an API. I would like to use:
proxy_set_header X-Secret-Key ${SECRET_VALUE};
to add a token to the request, which is then read by the API. ...
3 votes | 0 answers | 204 views
Is this nginx config suitable to enforce proper authorization?
Scenario
I have a website secret.example.com, which contains information which must not be disclosed to third parties. In order to protect the information, TLS client authentication was chosen. ...
1 vote | 1 answer | 1k views
Why is php-fpm trying to connect somewhere on port 443?
I have nginx and php-fpm set up to front a WordPress site. I used certbot to set up TLS.
When I load any page, I see selinux violations and it looks like php-fpm is trying to reach out to some port ...