1

fastcgi_param HTTP_PROXY ""; is the solution, but why didn't they also mention HTTPS_PROXY? I have an HTTPS website, not HTTP.

Should I also add fastcgi_param HTTPS_PROXY ""; or not?

Stop changing the title.

TomCat
  • 21
  • 2
  • I think you need some more context! Who are "they"? What exactly are you trying to do? Since you have tagged it with nginx, I guess you are configuring an nginx server? Please [edit] your question to include relevant information. – Anders Mar 17 '17 at 11:47

1 Answer

1

Even if the context is missing, I think you are referring to the httpoxy vulnerability, where it is possible for a remote attacker to set the HTTP_PROXY environment variable using an HTTP Proxy header. The base of this vulnerability is that in a CGI environment the HTTP_xxx environment variable is set if the HTTP header xxx exists. Since this only affects HTTP_* variables and not HTTPS_* variables, it does not affect HTTPS_PROXY.

Apart from that, both HTTP_PROXY and HTTPS_PROXY are only relevant for requests done by the CGI script and are not related to how your site gets accessed.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
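
The header-to-variable mapping described in the answer above, as an added Python sketch that is not part of the original question or answer. It is a simplified model of the CGI convention (RFC 3875) and of a fastcgi_param override; the function names, sample headers and proxy addresses are constructed for illustration.

```python
# Simplified model of how a CGI/FastCGI gateway turns request headers into
# environment variables. All names and sample values here are assumptions.

def cgi_env(headers, server_env=None):
    """Return the environment a CGI script would see.

    headers:    (name, value) pairs sent by the client.
    server_env: variables the operator set deliberately.
    """
    env = dict(server_env or {})
    for name, value in headers:
        key = name.upper().replace("-", "_")
        if key in ("CONTENT_TYPE", "CONTENT_LENGTH"):
            env[key] = value            # passed without a prefix
        else:
            env["HTTP_" + key] = value  # every other header gets HTTP_
    return env


def with_fastcgi_params(env, params):
    """Model explicit overrides such as: fastcgi_param HTTP_PROXY "";"""
    hardened = dict(env)
    hardened.update(params)
    return hardened


def client_set(headers, name):
    """True if some client header maps onto the variable `name`."""
    return name in cgi_env(headers)


# Constructed sample request (203.0.113.0/24 is a documentation range).
SAMPLE_HEADERS = [
    ("Host", "www.example.test"),
    ("Proxy", "http://203.0.113.5:8080"),
    ("Https-Proxy", "http://203.0.113.5:8080"),
]
# Constructed operator setting for outbound HTTPS requests.
OPERATOR_ENV = {"HTTPS_PROXY": "http://proxy.internal.example:3128"}

if __name__ == "__main__":
    env = cgi_env(SAMPLE_HEADERS, OPERATOR_ENV)
    for key in sorted(k for k in env if "PROXY" in k):
        print(f"{key}={env[key]!r}")
    hardened = with_fastcgi_params(env, {"HTTP_PROXY": ""})
    print("after override: HTTP_PROXY=%r" % hardened["HTTP_PROXY"])
```

Because every client header is prefixed with HTTP_, a header named Https-Proxy ends up as HTTP_HTTPS_PROXY, so the operator's HTTPS_PROXY value is left as configured.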