16 - Notes 5, revision of 12/11/2021 - 13:10


Off-By-Slash

 

i.e.

location /api {
        proxy_pass http://apiserver/v1/;
}

Request mapping (the unmatched remainder of the URI is appended after /v1/, so the slash is doubled):

http://server/api/user -> http://apiserver/v1//user

Because the prefix is /api (no slash), a request for /api../ is forwarded as /v1/../, and the "/../" segment is normalized away:

# Nginx normalizes "/v1/../" to "/"

http://server/api../ -> http://apiserver/v1/../ -> http://apiserver/

Risk

Example: an Apache server-status page on the backend becomes reachable via http://server/api../server-status

Checking

Compare how these two requests are forwarded; the doubled slash in the first and the missing separator in the second reveal the off-by-slash:

http://server/api/user -> http://apiserver/v1//user

http://server/apiuser -> http://apiserver/v1/user
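Hardened form, as an added example that is not part of the original note: both the location prefix and the proxy_pass path end in a slash, so only URIs under /api/ are forwarded and the remainder is appended after /v1/ with exactly one separator. Host and path names are the placeholders used in the note.

```nginx
# Added example (not from the original note). The replaced part of the
# request URI is now "/api/", so nothing can be glued onto "/api" without
# a separator and "/api../" no longer reaches this location at all.
location /api/ {
    proxy_pass http://apiserver/v1/;
}

# Resulting mappings (hypothetical hosts from the note):
#   /api/user -> http://apiserver/v1/user      (single slash, as intended)
#   /api../   -> does not start with /api/, handled by other locations
#   /apiuser  -> does not start with /api/, handled by other locations
```

If the bare path /api must also work, add an exact-match `location = /api` that redirects to /api/ rather than widening the prefix again.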

Missing "root" location on "server {...}" block

If you add a root to every location block instead of to the server block, then a request that matches no location block will have no root at all.

server {
    server_name www.example.com;
    location / {
        root /var/www/nginx-default/;
        # [...]
    }
    location /foo {
        root /var/www/nginx-default/;
        # [...]
    }
}
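Corrected form, as an added example that is not from the original note: root is declared once at server level and inherited by every location, including any request that matches no explicit location block. The path and host are the placeholders from the note.

```nginx
# Added example (not from the original note). "root" set in the server
# context is inherited by every location below it, so an unmatched
# request still resolves against /var/www/nginx-default/.
server {
    server_name www.example.com;
    root /var/www/nginx-default/;
    location / {
        # [...]
    }
    location /foo {
        # [...]   (override root here only if /foo really lives elsewhere)
    }
}
```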

Server Name (If)

This forces NGINX to evaluate the if against the Host header on every request, which is extremely inefficient.

server {
    server_name example.com *.example.com;
    if ($host ~* ^www\.(.+)) {
        set $raw_domain $1;
        rewrite ^/(.*)$ $raw_domain/$1 permanent;
    }
    # [...]
}

Recommended approach

server {
    server_name www.example.com;
    return 301 $scheme://example.com$request_uri;
}
server {
    server_name example.com;
    # [...]
}

Incorrect return context

The return directive applies in the topmost context it is defined in, so in the configuration below a request to /a/test.html will return a 301 instead of reaching the location block.

server {
    location /a/ {
        try_files test.html =404;
    }
    return 301 http://example.org;
}
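Corrected form, as an added example that is not from the original note: the return is moved into a catch-all location, so it no longer runs at server level before location selection. Requests for /a/... reach the try_files; everything else gets the 301. The host name is the placeholder from the note.

```nginx
# Added example (not from the original note). A server-level "return"
# executes before any location is selected; inside "location /" it only
# applies to requests that no longer-prefix location claims.
server {
    location /a/ {
        try_files test.html =404;   # /a/test.html is now served (or 404)
    }
    location / {
        return 301 http://example.org;   # everything else still redirects
    }
}
```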

Passing Uncontrolled Requests to PHP

[1] Proxy everything

server {
    server_name _;
    root /var/www/site;
    location / {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/tmp/phpcgi.socket;
    }
}

[2] Path info

When non-exist.php does not exist, PHP will try to execute exist.jpg instead.

location ~* \.php$ {
    # request: /forum/avatar/exist.jpg/non-exist.php
    fastcgi_pass backend;
    ...
}

"try_files $uri" directive with "alias"

$request_filename

Use $request_filename instead of $document_root$fastcgi_script_name for SCRIPT_FILENAME.
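Hardened PHP handler, as an added example that is not from the original note, covering both the "Passing Uncontrolled Requests to PHP" cases above and this $request_filename note: only .php URIs are handed to FastCGI, try_files refuses the request unless the requested path exists as a file, and SCRIPT_FILENAME is built from $request_filename. Paths, socket and host are the placeholders from the note.

```nginx
# Added example (not from the original note).
# 1. Only URIs ending in .php reach FastCGI; static files are served by
#    nginx itself, unlike the "proxy everything" location / in [1].
# 2. try_files $uri =404 passes the request on only when the path exists
#    as a file, so /forum/avatar/exist.jpg/non-exist.php is answered
#    with 404 instead of PHP executing exist.jpg as in [2].
# 3. SCRIPT_FILENAME uses $request_filename, the on-disk path nginx
#    resolved for the request (it honours root and alias), rather than
#    $document_root$fastcgi_script_name.
server {
    server_name example.com;            # not "_": do not answer every Host
    root /var/www/site;
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $request_filename;
        fastcgi_pass unix:/tmp/phpcgi.socket;
    }
}
```

On the PHP side, setting cgi.fix_pathinfo=0 in php.ini stops the interpreter from walking back along the path to find a script, so the jpg-as-script case is closed even if an nginx location is later misconfigured.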