4

From my own answer, I had to replace $host with $http_host to get my problem resolved...

But is this safe?

It seems like all $http_host is doing is to expose the whole HOST from header. The explanation here is still not clear to me...

Does anyone have any idea why would $http_host be more dangerous?

EDIT

Actually, this is my 3rd edit... I should reconsider my position on this after reading this: https://stackoverflow.com/questions/1459739/php-serverhttp-host-vs-serverserver-name-am-i-understanding-the-ma

I am not sure how nginx reacts to that, but do you guys think nginx would also inline with Chris's test result that neither is safe?

Under what circumstances, can you think of a way to exploit when using $http_host? Furthermore, why is it important to strip out the port number?

I understand that it is possible to compromise the network, and send in some Host: fake or old ip and then perform a rebind attack as I read somewhere else?

Community
  • 1
CppLearner
  • 787
  • 3
  • 10
  • 24

2 Answers2

5

$host is simply $http_host with some processing (stripping port number and lowercasing) and a default value (of the server_name), so there's no less "exposure" to the Host header sent by the client when using $http_host. There's no danger in this though.

mgorven
  • 30,615
  • 7
  • 79
  • 122
1

Checking all header values in application is needed. Though nginx can do some protection to your web-app, you should not rely only on it.

I believe it might be possible to write a webapp that is vulnerable to host header abuse through both $host and $http_host, but it isn't a reason to avoid it's usage in nginx config.

DukeLion
  • 3,259
  • 1
  • 18
  • 19