BUG - cannot include files with * mask on windows server 2012r2

[axos88@…]

Adding include C:/nginx/nginx-1.10.1/conf/sites-enabled/*; to the nginx conf results in the following error (maybe when enumerating the contents of the directory, it tries to read . and .. as well?):

==> error.log <==
2016/11/24 13:35:54 [error] 6168#18144: ReadFile() "C:/nginx/nginx-1.10.1/conf/sites-enabled/.." failed (1: Incorrect function)

==> nginx.log <==
nginx: [error] ReadFile() "C:/nginx/nginx-1.10.1/conf/sites-enabled/.." failed (1: Incorrect function)

nginx -V:

nginx version: nginx/1.10.1
built by cl 16.00.30319.01 for 80x86
built with OpenSSL 1.0.2h 3 May 2016
TLS SNI support enabled
configure arguments: --with-cc=cl --builddir=objs.msvc8 --with-debug --prefix= --conf-path=conf/nginx.conf --pid-path=logs/nginx.pid --http-log-path=logs/access.log --error-log-path=logs/error.log --sbin-path=nginx.exe --http-client-body-temp-path=temp/client_body_temp --http-proxy-temp-path=temp/proxy_temp --http-fastcgi-temp-path=temp/fastcgi_temp --http-scgi-temp-path=temp/scgi_temp --http-uwsgi-temp-path=temp/uwsgi_temp --with-cc-opt=-DFD_SETSIZE=1024 --with-pcre=objs.msvc8/lib/pcre-8.38 --with-zlib=objs.msvc8/lib/zlib-1.2.8 --with-select_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_stub_status_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_random_index_module --with-http_secure_link_module --with-http_slice_module --with-mail --with-stream --with-openssl=objs.msvc8/lib/openssl-1.0.2h --with-openssl-opt=no-asm --with-http_ssl_module --with-mail_ssl_module --with-stream_ssl_module --with-ipv6

Also happens with 1.11.6:

$ ../../nginx.exe -V
nginx version: nginx/1.11.6
built by cl 16.00.30319.01 for 80x86
built with OpenSSL 1.0.2j 26 Sep 2016
TLS SNI support enabled
configure arguments: --with-cc=cl --builddir=objs.msvc8 --with-debug --prefix= --conf-path=conf/nginx.conf --pid-path=logs/nginx.pid --http-log-path=logs/access.log --error-log-path=logs/error.log --sbin-path=nginx.exe --http-client-body-temp-path=temp/client_body_temp --http-proxy-temp-path=temp/proxy_temp --http-fastcgi-temp-path=temp/fastcgi_temp --http-scgi-temp-path=temp/scgi_temp --http-uwsgi-temp-path=temp/uwsgi_temp --with-cc-opt=-DFD_SETSIZE=1024 --with-pcre=objs.msvc8/lib/pcre-8.39 --with-zlib=objs.msvc8/lib/zlib-1.2.8 --with-select_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_stub_status_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_random_index_module --with-http_secure_link_module --with-http_slice_module --with-mail --with-stream --with-openssl=objs.msvc8/lib/openssl-1.0.2j --with-openssl-opt=no-asm --with-http_ssl_module --with-mail_ssl_module --with-stream_ssl_module

[Maxim Dounin]

On Windows, nginx uses FindFirstFile() / FindNextFile() functions to resolve masks given in include directives. No additional filtering is done after it. It happens to behave slightly differently than glob() used on Unix, in particular, bare * doesn't match dot-files (to match them, one should explicitly write dot in a pattern, like .*, see ​here).

As a result, a pattern you've wrote matches . and .. directory entries on Windows, leading to errors. Not sure if we want to do anything with this, probably no.

An obvious solution is to use a more restrictive pattern instead, for example:

include .../*.conf;

Note well that using bare * is an unsafe practice and not recommended even on Unix.

[axos88@…]

Hmm, interersting, that's how nginx cookbook generates its configuration by default. Includes everything under sites-enabled

[axos88@…]

Can't we just skip anything that is not a file? Would probably bork if there are matched subdirectories as well?

[axos88@…]

Even if we don't modify it, it would be nice to add a note in the docs about this caveat / limitation. Btw, why is the * unsafe?

[Maxim Dounin]

Hmm, interersting, that's how nginx cookbook generates its configuration by default.

Well, someone is always wrong on the Internet.

Can't we just skip anything that is not a file?

We can, but this implies additional code to check the files. Also, this can cause various other unexpected effects, e.g., such an approach can breaks symlinks, or, e.g., pipes. Using proper mask is much easier and implies no unrelated breakage.

Btw, why is the * unsafe?

Because in practice there are lots of situations when bare * matches unintended things, and we constantly see users being bitten by this. For example, there are editors which store temporary files with suffix ~.

[axos88@…]

Gotcha. So it's not unsafe as in security, but unsafe as in it's going to cause you pain and suffering.

Already opened an issue with the cookbook.

[Maxim Dounin]

Closing this, using proper configuration is believed to be good enough solution.