From 6b59800dc65fed855ecfdeb9fe40a37807ecfeb9 Mon Sep 17 00:00:00 2001 From: Alex Balgavy Date: Wed, 3 Mar 2021 12:21:06 +0100 Subject: Fix security vulnerabilities in suggested nginx configuration The suggested configurations for nginx found in the documentation and templates lead to vulnerabilities allowing host spoofing [1] and path traversal [2], as reported by Gixy [3]. This commit fixes those issues. [1] https://github.com/yandex/gixy/blob/master/docs/en/plugins/hostspoofing.md [2] https://github.com/yandex/gixy/blob/master/docs/en/plugins/aliastraversal.md [3] https://github.com/yandex/gixy --- utils/templates/etc/nginx/default.apps-available/searx.conf:filtron | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'utils/templates/etc') diff --git a/utils/templates/etc/nginx/default.apps-available/searx.conf:filtron b/utils/templates/etc/nginx/default.apps-available/searx.conf:filtron index d3137e42d..a89aa38b3 100644 --- a/utils/templates/etc/nginx/default.apps-available/searx.conf:filtron +++ b/utils/templates/etc/nginx/default.apps-available/searx.conf:filtron @@ -3,7 +3,7 @@ location ${SEARX_URL_PATH} { proxy_pass http://127.0.0.1:4004/; - proxy_set_header Host \$http_host; + proxy_set_header Host \$host; proxy_set_header Connection \$http_connection; proxy_set_header X-Real-IP \$remote_addr; proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; @@ -11,6 +11,6 @@ location ${SEARX_URL_PATH} { proxy_set_header X-Script-Name ${SEARX_URL_PATH}; } -location ${SEARX_URL_PATH}/static { - alias ${SEARX_SRC}/searx/static; +location ${SEARX_URL_PATH}/static/ { + alias ${SEARX_SRC}/searx/static/; } -- cgit v1.2.3