1

First, I am not sure if this is the right place to put my question, but it relates to the nginx configuration done by certbot on my server. It adds the following lines for the domain in the configuration:

location ~ "^/.well-known/acme-challenge/(.*)$" {
    default_type text/plain;
    return 200 "$1.JNpbG5iba8ymsxdlOr_9u1lAMl4jlh8gr-rAXwFysMM";
}

This results in a URL that activates inline insertion into HTML, i.e. if a user calls http://domain/.well-known/acme-challenge/<h1>tag</h1> then an HTML page appears with that h1 tag, which is recorded as a high security risk in our security scan.

I am not sure how to fix it, or if it is really a security problem, as it is not related to my code files and it cannot access our files or database directly. But certainly it can be used for forgery and related hacks.

Please guide me.

Sumit Gupta
  • 111
  • 4

1 Answer

0

In Nginx regex locations, the patterns matched between parentheses (...) are assigned to the variables $1 to $9, which can be used later in the location block. In this case Nginx stores the part of the URL that matches (.*)$ in $1. In the response body it just replaces $1 (which appears in the return statement) with the matched part.
As far as the security risk is concerned, as the default type is text/plain it shouldn't be interpreted as HTML. If you have followed the official guide from Certbot, there is no need to panic. There are other ways to configure Certbot which can keep security scanners happy too, like simply putting a text file in the acme-challenge directory.

Tejas Sarade
  • 211
  • 1
  • 5
  • Well, thanks for the explanation, but I know how this regex thing works. I am using VestaCP, which does it automatically using this method, and I am not sure if I can configure it there, but nonetheless my concern is whether it can be used in the website in the current situation for hacking my site code. – Sumit Gupta Jun 25 '18 at 05:15
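The two fixes the answer alludes to, written out as an added example (this is not the configuration certbot or VestaCP generates, and it is not from the original post). The key-authorization string is copied from the question only as a placeholder, and the webroot path /var/www/letsencrypt is an assumption; use one of the two options, not both, because the prefix location in option B takes precedence over the regex location in option A.

```nginx
# Added example, not certbot's generated config and not the VestaCP template.
# Assumptions: the key-authorization value after "$1." is a placeholder taken
# from the question, and /var/www/letsencrypt is a made-up webroot.

# Before (the shape the question shows): "(.*)" captures anything after the
# prefix, including "<h1>tag</h1>", and echoes it back in the response body.
#location ~ "^/.well-known/acme-challenge/(.*)$" {
#    default_type text/plain;
#    return 200 "$1.JNpbG5iba8ymsxdlOr_9u1lAMl4jlh8gr-rAXwFysMM";
#}

# Option A: keep the return-based approach but only accept the characters an
# ACME HTTP-01 token can contain (base64url: A-Z, a-z, 0-9, "-" and "_").
# A path containing "<", ">", "/" or anything else no longer matches this
# location, so nothing from such a request is reflected.
location ~ "^/\.well-known/acme-challenge/([A-Za-z0-9_-]+)$" {
    default_type text/plain;
    # Tell browsers never to sniff this text/plain body as HTML.
    add_header X-Content-Type-Options nosniff always;
    return 200 "$1.JNpbG5iba8ymsxdlOr_9u1lAMl4jlh8gr-rAXwFysMM";
}

# Option B: the "put a text file in the acme-challenge directory" route.
# Serve files written by "certbot certonly --webroot -w /var/www/letsencrypt".
# The request path is only used to look up a file; unknown tokens get a 404
# and no request data appears in any response body.
location ^~ /.well-known/acme-challenge/ {
    root /var/www/letsencrypt;   # assumed webroot, adjust to your layout
    default_type text/plain;
    add_header X-Content-Type-Options nosniff always;
    try_files $uri =404;
}
```

Either option removes the finding at its root: the scanner is flagging reflected input, and with the token restricted to base64url characters (option A) or never echoed at all (option B) there is nothing left to reflect. The nosniff header is a second line of defence on top of the text/plain type, for clients that might otherwise guess a content type from the body.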