Mercurial > hg > nginx
comparison src/http/ngx_http_request.c @ 5094:e0a3714a36f8
SNI: reset to default server if requested host was not found.
Not only this is consistent with a case without SNI, but this also
prevents abusing configurations that assume that the $host variable
is limited to one of the configured names for a server.
An example of potentially unsafe configuration:
server {
listen 443 ssl default_server;
...
}
server {
listen 443;
server_name example.com;
location / {
proxy_pass http://$host;
}
}
Note: it is possible to negotiate "example.com" by SNI, and to request
arbitrary host name that does not exist in the configuration above.
| author | Valentin Bartenev <vbart@nginx.com> |
|---|---|
| date | Wed, 27 Feb 2013 17:38:54 +0000 |
| parents | 68ca3e824115 |
| children | 4fbef397c753 |
comparison
equal
deleted
inserted
replaced
| 5093:68ca3e824115 | 5094:e0a3714a36f8 |
|---|---|
| 1867 if (rc == NGX_ERROR) { | 1867 if (rc == NGX_ERROR) { |
| 1868 ngx_http_close_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR); | 1868 ngx_http_close_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR); |
| 1869 return NGX_ERROR; | 1869 return NGX_ERROR; |
| 1870 } | 1870 } |
| 1871 | 1871 |
| 1872 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME | |
| 1873 | |
| 1874 if (hc->ssl_servername) { | |
| 1875 if (rc == NGX_DECLINED) { | |
| 1876 cscf = hc->addr_conf->default_server; | |
| 1877 rc = NGX_OK; | |
| 1878 } | |
| 1879 } | |
| 1880 | |
| 1881 #endif | |
| 1882 | |
| 1872 if (rc == NGX_DECLINED) { | 1883 if (rc == NGX_DECLINED) { |
| 1873 return NGX_OK; | 1884 return NGX_OK; |
| 1874 } | 1885 } |
| 1875 | 1886 |
| 1876 r->srv_conf = cscf->ctx->srv_conf; | 1887 r->srv_conf = cscf->ctx->srv_conf; |