..%2F and Nginx

Recently, while playing with Nginx, I came across something that may seem silly, but I would like to share it with others.

As we all know, by default Nginx serves HTML content from the html folder, and the full path depends on the OS you are using. The nginx.conf file will have the below content.

location / {
    root   html;
    index  index.html index.htm;
}

Now let me configure it as a reverse proxy for my demo application. I want to pass all requests to my upstream application, and that application will handle all responses, including 404. I will replace the above code block in nginx.conf with the one below.

location / {
    proxy_pass http://localhost:8000/;
}

Now go to some random URL and check whether the reverse proxy is working. It is: it gave 404 because the upstream application doesn't have a /randomurl path.

Now let me go to the /..%2F URL path. I am expecting a 404 from the application because that path does not exist. But Nginx gives 400.

The same thing happens for front-end (single-page) applications that are packaged with Nginx and deployed on containers, VMs, etc., because it doesn't matter what the upstream application is: the error is coming from Nginx.

And this is not the case only for ..%2F but for any combination ..%da, where d is a digit and a is a letter, and also for some ..%aa, where a is a letter.
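As an added example (not code from the post), here is a small Python script that models why such requests fail and scans an Nginx access log for them: after percent-decoding, /..%2F becomes /../, which would resolve above the document root, and a % that does not start a valid two-hex-digit escape is malformed. The path normalisation is a simplified model written for this example, not Nginx's own parser, and the log lines are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample of Nginx "combined" access-log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /randomurl HTTP/1.1" 404 153 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /..%2F HTTP/1.1" 400 157 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /static/..%2F..%2Fetc/passwd HTTP/1.1" 400 157 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /a/..%2Fb HTTP/1.1" 404 153 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /..%zz HTTP/1.1" 400 157 "-" "curl/8.0"
"""

# Minimal parser for the fields of the combined log format that we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) '
)

PCT_RE = re.compile(r'%[0-9A-Fa-f]{2}')


def percent_encoding_valid(raw: str) -> bool:
    """True if every '%' in the raw path starts a valid two-hex-digit escape."""
    i = 0
    while True:
        i = raw.find('%', i)
        if i == -1:
            return True
        if not PCT_RE.match(raw, i):
            return False
        i += 3


def escapes_root(raw: str) -> bool:
    """Simplified model: decode the path, then walk its segments and report
    whether a '..' ever steps above the document root (depth below zero)."""
    path = raw.split('?', 1)[0]
    decoded = unquote(path)          # '%2F' -> '/', '%2e' -> '.', etc.
    depth = 0
    for seg in decoded.split('/'):
        if seg == '..':
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ('', '.'):
            depth += 1
    return False


def classify(raw: str) -> str:
    """Label a raw request path; the two non-'normal' verdicts are the kinds
    of request the post observes Nginx answering with 400 itself."""
    if not percent_encoding_valid(raw):
        return 'invalid-percent-encoding'
    if escapes_root(raw):
        return 'escapes-root'
    return 'normal'


def scan_log(text: str) -> list:
    """Return one finding per log line whose request path is not 'normal'."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify(m['path'])
        if verdict != 'normal':
            findings.append({
                'ip': m['ip'],
                'path': m['path'],
                'status': int(m['status']),
                'verdict': verdict,
            })
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['status']} {f['verdict']:26} {f['path']}")
```

Note that /a/..%2Fb is reported as normal: after decoding it resolves to /b, which stays inside the root, so under this model only the paths that climb above the root (or carry a malformed escape) are flagged.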

But don't worry: if you have a cloud-specific load balancer in front of your applications, it will handle it. I checked with Azure and AWS and got the below responses.

[image: AWS response]

[image: Azure response]

[image: response when not using a load balancer]

We can stop Nginx from returning its version by using the following configuration in the nginx.conf file.

http {
    #.....other settings.....

    server_tokens off;
}

It is possible to stop sending the server name in response headers as well. More info can be found at https://stackoverflow.com/questions/24594971/how-to-changehide-the-nginx-server-signature

Fun fact

This blog post is using Ghost and has Nginx. You can find it if I am wasting my time playing games and not fixing this issue.

Parikshit Patil

Currently working as a Software Engineer at Siemens Industry Software Pvt. Ltd. AWS Certified SysOps Administrator - Associate.
Kavathe-Ekand, MH India