

good tip. thank you. sorry I removed the parent while you were posting, just realized I was replying to the wrong message.


semi-optimal setup; ip_hash might give you issues if you have to serve a lot of mobile clients (at least here in Europe), because of central proxies used by mobile providers. this one might help if you need stickiness: https://bitbucket.org/nginx-goodies/nginx-sticky-module-ng/o...

instead of "if ($host !~ ^(api.yourdomain.com)$ )" you should use a "server_name api.yourdomain.com;" directive for your proxy config and a catch-all server{} block that consists only of "return 444;" to avoid that "if" processing on every request.

oh, and you might want to use "ssl_session_cache shared:SSL:1440m;" for better performance (adjust the timeframe accordingly, i've seen values from 10 minutes up to 48 hours like google)

> SSL certs tend to be rather confusing ... no, not really, but i leave it up to you to figure out what a key is and what a cert :D


Awesome, thanks so much moduloo!

This is very helpful, I'll definitely be using this to update my nginx.conf file!


suphp, but only if you are stupid enough to switch safe_mode On

https://8ack.de/guides/suphp_shellshock


suphp might be exploited, but only with stupid settings

https://8ack.de/guides/suphp_shellshock


> but fastcgi_params does not put attacker controlled data into environment variables

it does

https://gist.github.com/anonymous/ea60dc2915eccf0b803e


It looks like you have dumped a PHP global variable, possibly $_ENV. Do you know of any circumstances where _ENV, or any other PHP variable with potentially untrusted data, is passed in environment variables?


i'm working on it, but it looks like it works only under rare conditions


i wasn't able (yet) to exploit php-fpm, although i was able to sneak the user-agent into it and had an exploitable bash and a system() call within this file

output -> https://gist.github.com/anonymous/ea60dc2915eccf0b803e

index.php -> https://gist.github.com/anonymous/883b989caba4156e47b6

but maybe suphp seems a little more suspicious?

/etc/suphp/suphp.conf ...

  [handlers]
  ;Handler for php-scripts
  application/x-httpd-suphp="php:/usr/bin/php-cgi"
  ;Handler for CGI-scripts
  x-suphp-cgi="execute:!self"


https://access.redhat.com/articles/1200223

CUPS probably too, but no POC seen yet


your setup is pretty bad (performance and security), here is why:

1. combine all listen 80 server blocks into one, and then

return 301 https://$host$request_uri; instead of rewrite, it is faster and you can skip the if (scheme) part, because if is evil http://wiki.nginx.org/IfIsEvil

2. where are your ciphers? they are bad anyway and don't seem to be the defaults, and RC4 as preferred cipher, phew!

3. you are vulnerable to the latest CCS vuln https://8ack.de/scan/result/sslvulns/71ba019e9d4bf25fd422ab0...

4. you use a quite old nginx version; debian? you should use a newer one that supports SPDY (faster loading for all those images)

5. OH NOES .... https://wbsrch.com/admin/ rule nr. 1: never expose admin/backend-logins to the interwebs

6. no HSTS

7. you support TLS 1.2, but no PFS, is there a reason for this? otherwise, this is a bad decision https://www.ssllabs.com/ssltest/analyze.html?d=wbsrch.com

8. define STATIC resources with django; advantage: you don't have to try_files and can skip the regex location for static content https://docs.djangoproject.com/en/dev/howto/static-files/

9. why did you turn off ssl_session_cache??? https://www.mare-system.de/guide-to-nginx-ssl-spdy-hsts/#opt...

10. use proxy_cache for /

11. turn off server_tokens

more on nginx + ssl: https://www.mare-system.de/guide-to-nginx-ssl-spdy-hsts/
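The two nginx comments above (server_name routing with a "return 444" catch-all instead of an "if", a single port-80 redirect block, PFS ciphers without RC4, HSTS, ssl_session_cache, server_tokens off, proxy_cache for /) pulled into one config sketch. This is an added example, not moduloo's or the original poster's config; hostnames, certificate paths, the cache directory and the upstream address are placeholders.

```nginx
# Added example (not from the thread): the hardening points above in one config.
# Hostnames, certificate paths, cache path and upstream address are placeholders.
server_tokens off;                                   # point 11: hide the version
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=site:10m inactive=10m;

# point 1: one listen-80 block for every host, a plain 301, no "if ($scheme)"
server {
    listen 80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}

# catch-all for TLS requests whose Host matches no server_name: 444 closes the
# connection without a response, so the real vhosts need no "if ($host ...)"
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/ssl/certs/placeholder.pem;    # nginx needs one even here
    ssl_certificate_key /etc/ssl/private/placeholder.key;
    return 444;
}

server {
    listen 443 ssl;
    server_name api.yourdomain.com;
    ssl_certificate     /etc/ssl/certs/api.pem;
    ssl_certificate_key /etc/ssl/private/api.key;
    # session resumption; the size argument is cache memory (roughly 4000
    # sessions per MB), the lifetime is a separate directive
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 1440m;
    # points 2 and 7: server chooses, ECDHE/DHE (PFS) first, RC4 excluded
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:!aNULL:!eNULL:!MD5:!RC4";
    # point 6: HSTS, one year, subdomains included
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
    # point 8: static files straight from disk, no try_files and no regex location
    location /static/ { alias /srv/app/static/; }
    # point 10: cache the proxied root
    location / {
        proxy_cache site;
        proxy_pass  http://127.0.0.1:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```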


ssllabs gives you grade F https://www.ssllabs.com/ssltest/analyze.html?d=wbsrch.com

btw, where are your cipher_suites from?


i think it depends on the terms & conditions of google's playstore. just because you are german doesn't mean you can't get sued under american laws, and i know that german and american laws are quite different when it comes to compensation (schadensersatz).

suggestions: delete references to "Yo" from your product name (name it Jo instead); "Yo" is a registered trademark; you wouldn't name a chocolate you created "ritter sport", even if your name was armin ritter


any demo-site available?



I guess HN is hitting that site pretty hard. It even downloads at 80s speeds!



It looks like they just cloned the bootstrap website and changed the theme. They probably don't include bootstrap.zip because this is just a demo, and they wouldn't have the bandwidth to distribute all of bootstrap as a zip file.

