Ingnoring any and all url parameters to harden security. How?

suchislife

12/28/22, 1:42 PM

Anyone who puts an NGINX server online and looks at its access.log a week latter will find lots of URL exploits being attempted. Every day, any time.

So what if, I was to reject any and all url parameters. What if every query string was masked with an NGINX rewrite which would fail to match anything not defined as a rewrite naturally returning a 404 Not Found?

Or a series of rewrites in order placed inside this always present location block?

location / {
  rewrite "^/api/v1/users/?$" /api/v1/Users.php last;
  rewrite "^/api/v1/users/(all|active|inactive)?$" /api/v1/Users.php?status=$1 last;
  rewrite "^/api/v1/users/(\d+)/?$" /api/v1/Users.php?userId=$1 last;
}

# URL Match examples...

http://localhost/api/v1/users
http://localhost/api/v1/users/

http://localhost/api/v1/users/all
http://localhost/api/v1/users/active
http://localhost/api/v1/users/inactive

http://localhost/api/v1/users/2001
http://localhost/api/v1/users/2002
http://localhost/api/v1/users/2003

Is there a way to direct NGINX to ignore URL parameters? Feel free to let me know if this is a naive question. Perhaps I'm asking the wrong question.

1 + 0

nginx

Score:1

Server

digijay

12/28/22, 2:55 PM

Rather use return instead of rewrite because "rewrite directive can return only code 301 or 302". For this, create a location with a regular expression to catch the specific request uri.

And if you just want to drop all of these requests return a http status 444.

Example:

server {
    # ...
    location ~* ^/api/v1/users/.*$ {
        return  444;
    }
}

0 + 4

suchislife

12/28/22, 3:11 PM

Can you add an example location that is passing parameters like in my `rewrite` examples? I just never been able to convert it.

digijay

12/28/22, 3:21 PM

This regular expression should match all your examples, or did I miss something?

suchislife

12/28/22, 3:24 PM

Yeah. You provided an example that blocks. I needed to see an example that serves coexisting with your example. The other rewrites turned into location blocks.

digijay

12/28/22, 4:35 PM

I think that when you want to assign back references to different parameters in a rediect then "series of rewrites" is the only viable way. I'm still not sure if I understood what exactly you're trying to achieve, sorry.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Ingnoring any and all url parameters to harden security. How?

TH: ละเว้นพารามิเตอร์ URL ใด ๆ และทั้งหมดเพื่อเพิ่มความปลอดภัย ยังไง?

RO: Ignorarea tuturor parametrilor URL pentru a consolida securitatea. Cum?

RU: Игнорирование любых и всех параметров URL для усиления безопасности. Как?

VI: Bỏ qua bất kỳ và tất cả các tham số url để tăng cường bảo mật. Thế nào?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.