Opened 11 years ago
Closed 11 years ago
#359 closed enhancement (fixed)
DENY ALL ignored when using unix sockets
| Reported by: | Jevgeni Kiski | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | nginx-core | Version: | 1.2.x |
| Keywords: | Cc: | ||
| uname -a: | Linux server 3.8.0-19-generic #30-Ubuntu SMP Wed May 1 16:35:23 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux | ||
| nginx -V: |
nginx version: nginx/1.2.6 (Ubuntu)
TLS SNI support enabled configure arguments: --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-log-path=/var/log/nginx/access.log --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --with-pcre-jit --with-debug --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_realip_module --with-http_stub_status_module --with-http_ssl_module --with-http_sub_module --with-http_xslt_module --with-ipv6 --with-sha1=/usr/include/openssl --with-md5=/usr/include/openssl --with-mail --with-mail_ssl_module --add-module=/home/user/nginx-1.2.6/debian/modules/nginx-auth-pam --add-module=/home/user/nginx-1.2.6/debian/modules/nginx-echo --add-module=/home/user/nginx-1.2.6/debian/modules/nginx-upstream-fair --add-module=/home/user/nginx-1.2.6/debian/modules/nginx-dav-ext-module --add-module=/home/user/nginx-1.2.6/debian/modules/nginx-rtmp-module |
||
Description
HowTo reproduce:
Lets create a folder in /tmp with a file
mkdir /tmp/secure
echo 'My secret' > /tmp/secure/secret.txt
Then lets create a virtual server that listens to an unix socket:
server {
server_name _;
listen unix:/var/run/secure.sock;
root /tmp/secure;
deny all;
location / {
index index.html;
}
}
Note: I also added deny all inside server block
in main server configuration we add proxy_pass to our newly created "secure" virtual server
location ^~ /secure/ {
proxy_pass http://unix:/var/run/secure.sock:/;
}
reloading configuration and trying to access http://localhost/secure/secret.txt
We got contents! How? Deny all did not work
Expected:
403 Forbidden
Received:
200 OK with contents
Testing same thing but with ports:
Replacing sockets with ports:
server {
server_name _;
listen 8080;
root /tmp/secure;
deny all;
location / {
index index.html;
}
}
And main server:
location ^~ /secure/ {
proxy_pass http://0.0.0.0:8080/;
}
Reloading configuration and trying to access http://localhost/secure/secret.txt
403 Forbidden. As expected!
Change History (5)
comment:1 by , 11 years ago
| Priority: | major → minor |
|---|---|
| Type: | defect → enhancement |
comment:2 by , 11 years ago
| Status: | new → accepted |
|---|
comment:3 by , 11 years ago
This looks like a security issue to me. It would be great to update documentation so people would know that access control is not supported for unix sockets. http://nginx.org/en/docs/http/ngx_http_access_module.html
comment:5 by , 11 years ago
| Resolution: | → fixed |
|---|---|
| Status: | accepted → closed |
Yes, the deny/allow directives are only able to work with IPv4 and IPv6 addresses. Support for unix socket clients should be added, see http://mailman.nginx.org/pipermail/nginx-devel/2013-May/003752.html.