
Please help me to prevent "host header injection vulnerability" in the given "Nginx configuration file"

    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        root /var/www/html;
        index index.html index.htm index.nginx-debian.html;
        server_name _;

        location / {
            proxy_pass http://IP_1/;
            proxy_set_header Host $http_host;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Scheme $scheme;
            add_header Cache-Control "no-cache";
        }

        location /kuphubadmin/ {
            proxy_pass http://IP_2/;
            proxy_set_header Host $http_host;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Scheme $scheme;
            add_header Cache-Control "no-cache";
        }
    }

Note: The above server is used as a proxy server.

aks
  • This configuration already sets the Host header. Your question title says you don't want the Host header, but the question body says the opposite, that you do want the Host header. Can you please clarify which one you actually want? – Michael Hampton Aug 10 '20 at 16:31
  • Thanks for the reply. Actually I want to prevent the "host header injection vulnerability" in this server. A security audit has been done on this server and they said that no steps were taken on this server to prevent the "host header injection vulnerability". – aks Aug 11 '20 at 02:58

1 Answer


The "host header injection vulnerability" means that your server is accepting any Host header even if it is not a valid hostname for any of your web sites. In your case you have configured a catch-all server block that responds to any hostname and sends all such requests to your web application.

This is easy to fix in nginx.

First, you need to leave alone the default server block that shipped with nginx. Do not change it in any way. This will catch requests with invalid Host headers and send them only a harmless "the web server is working" document, or a 403 Forbidden error, or both.

Second, you need to specify only the valid hostnames for your site in the server_name directive of your custom server block. Don't use _. For example: server_name example.com www.example.com;

Michael Hampton
    This solution doesn't work out of the box. If you have nginx configured even with `server_name`, then you will still be able to inject host headers. – Cesar Flores Jul 27 '22 at 18:48
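Putting the two steps from the answer together, here is an added example configuration (not from the question, the answer, or the nginx project) that applies them to the proxy setup in the question. It keeps a catch-all default server that rejects any unmatched Host value and proxies only from a server block with explicit hostnames; `example.com`, `www.example.com`, `IP_1` and `IP_2` are placeholders to be replaced with the real names and upstream addresses.

```nginx
# Step 1: catch-all default server. Any request whose Host header does not
# match a server_name in another block lands here. Returning 444 makes nginx
# close the connection without proxying anything, so an arbitrary Host value
# never reaches the backend. (A request with no Host header at all also ends
# up here.)
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444;
}

# Step 2: the real site, restricted to the hostnames that are actually valid.
# Only requests whose Host matches one of these names are proxied upstream.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;   # placeholders: list every valid name
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;

    location / {
        proxy_pass http://IP_1/;               # placeholder upstream
        # $host instead of $http_host: inside this block it can only be one of
        # the names listed in server_name, so the backend never receives a
        # client-chosen hostname (and the port suffix is stripped).
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Scheme $scheme;
        add_header Cache-Control "no-cache";
    }

    location /kuphubadmin/ {
        proxy_pass http://IP_2/;               # placeholder upstream
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Scheme $scheme;
        add_header Cache-Control "no-cache";
    }
}
```

To confirm the fix after reloading nginx, send a request with a hostname that is not listed (for example `curl -v -H 'Host: not-our-site.invalid' http://<server-ip>/`) and check that the connection is closed without a response, while a request with a listed Host still reaches the backend.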