id summary reporter owner description type status priority milestone component version resolution keywords cc uname nginx_version 1223 Missing error pages + deny + try_files results in full body being returned Kevin Fischer "We've experienced a very weird behaviour today, which potentially is a security hazard to incorrectly setup nginx servers. We've tried to deny access to one directory, but nginx would always end up returning a 404 status code along with the full body response of the resource that we tried to deny. Following are the parts of our config that caused this bug: {{{ server { try_files $uri $uri/ /index.php?$args; ... error_page 403 /errorpage/403.html; error_page 404 /errorpage/404.html; ... location /internal/ { allow 127.0.0.0/24; deny all; } ... location = /index.php { ... } }}} The problem with our setup was that the error page directory and its contents were missing. nginx correctly denied access by returning a 403, which lead to it trying to load the 403 error page file. As this file did not exist, it fell back to the 404 error page, which also didn't exist, so in the internal request that tried to resolve the 404 error page, try_files seemingly redirected to index.php, as configured. The result was that instead of a 403 response with appropriate error page, nginx returned a 404 with the body that should not have been accessible. The error log even showed an ""access forbidden by rule"" entry, even though nginx ended up delivering the forbidden content. As soon as we've created the error page files, everything worked as expected. I understand that this is partly a user fault, as we forgot to create the error page directory; but never the less it seems to us like this edge case behaviour is just plain incorrect and a potential security hazard." defect closed major nginx-core 1.10.x invalid Linux xyz 4.4.0-66-generic #87-Ubuntu SMP Fri Mar 3 15:29:05 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux "nginx version: nginx/1.10.0 (Ubuntu) built with OpenSSL 1.0.2g 1 Mar 2016 TLS SNI support enabled configure arguments: --with-cc-opt='-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_v2_module --with-http_sub_module --with-http_xslt_module --with-stream --with-stream_ssl_module --with-mail --with-mail_ssl_module --with-threads"