annotate conf/fastcgi_params @ 5095:4fbef397c753
SNI: added restriction on requesting host other than negotiated.

According to RFC 6066, client is not supposed to request a different server
name at the application layer. Server implementations that rely upon these
names being equal must validate that a client did not send a different name
in HTTP request. Current versions of Apache HTTP server always return 400
"Bad Request" in such cases.

There exist implementations however (e.g., SPDY) that rely on being able to
request different host names in one connection. Given this, we only reject
requests with differing host names if verification of client certificates
is enabled in a corresponding server configuration.

An example of configuration that might not work as expected:

    server {
        listen 433 ssl default;
        return 404;
    }

    server {
        listen 433 ssl;
        server_name example.org;
        ssl_client_certificate org.cert;
        ssl_verify_client on;
    }

    server {
        listen 433 ssl;
        server_name example.com;
        ssl_client_certificate com.cert;
        ssl_verify_client on;
    }

Previously, a client was able to request example.com by presenting
a certificate for example.org, and vice versa.

author | Valentin Bartenev <vbart@nginx.com> |
---|---|
date | Wed, 27 Feb 2013 17:41:34 +0000 |
parents | 352a7b025f2e |
children | 62869a9b2e7d |
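
The rule stated in the commit message, modelled as an added example over the three server blocks it quotes; this is not nginx's own code. The names `vserver`, `same_name`, `find_server` and `reject_request` are hypothetical, and the reading of "corresponding server configuration" as the block selected by the HTTP host is an assumption.

```c
#include <ctype.h>
#include <stdio.h>

/* Simplified model of a server{} block (not nginx's data structures). */
struct vserver {
    const char *name;      /* server_name; NULL marks the default server */
    int verify_client;     /* 1 when ssl_verify_client is on */
};

/* Constructed from the configuration quoted in the commit message. */
static const struct vserver servers[] = {
    { NULL,          0 },  /* default server, returns 404 */
    { "example.org", 1 },
    { "example.com", 1 },
};

/* Host names compare case-insensitively. */
static int same_name(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Select the block for a name, falling back to the default server. */
static const struct vserver *find_server(const char *name)
{
    for (size_t i = 1; i < sizeof(servers) / sizeof(servers[0]); i++)
        if (same_name(servers[i].name, name))
            return &servers[i];
    return &servers[0];
}

/* Returns 1 to reject, 0 to proceed. sni is the name negotiated in the
 * TLS handshake (NULL if none); host is the name in the HTTP request. */
int reject_request(const char *sni, const char *host)
{
    if (sni == NULL || same_name(sni, host))
        return 0;          /* no negotiated name, or the names agree */
    /* Names differ. Assumption: the "corresponding" configuration is the
     * block the HTTP host selects; reject only if it verifies clients. */
    return find_server(host)->verify_client;
}

int main(void)
{
    printf("%d\n", reject_request("example.org", "example.com"));
    return 0;
}
```

A mismatched host that falls through to the default server is not rejected in this model, because that block does not verify client certificates.
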
rev | line source |
---|---|
537 | 1 |
 | 2 fastcgi_param QUERY_STRING $query_string; |
 | 3 fastcgi_param REQUEST_METHOD $request_method; |
 | 4 fastcgi_param CONTENT_TYPE $content_type; |
 | 5 fastcgi_param CONTENT_LENGTH $content_length; |
 | 6 |
 | 7 fastcgi_param SCRIPT_NAME $fastcgi_script_name; |
 | 8 fastcgi_param REQUEST_URI $request_uri; |
 | 9 fastcgi_param DOCUMENT_URI $document_uri; |
 | 10 fastcgi_param DOCUMENT_ROOT $document_root; |
 | 11 fastcgi_param SERVER_PROTOCOL $server_protocol; |
4333 | 12 fastcgi_param HTTPS $https if_not_empty; |
537 | 13 |
 | 14 fastcgi_param GATEWAY_INTERFACE CGI/1.1; |
1330 | 15 fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; |
537 | 16 |
 | 17 fastcgi_param REMOTE_ADDR $remote_addr; |
 | 18 fastcgi_param REMOTE_PORT $remote_port; |
 | 19 fastcgi_param SERVER_ADDR $server_addr; |
 | 20 fastcgi_param SERVER_PORT $server_port; |
 | 21 fastcgi_param SERVER_NAME $server_name; |
 | 22 |
 | 23 # PHP only, required if PHP was built with --enable-force-cgi-redirect |
 | 24 fastcgi_param REDIRECT_STATUS 200; |

Changeset 4333:352a7b025f2e (line 12): Added HTTPS param with Apache-like behaviour to fastcgi/scgi/uwsgi_params (fixes #38). Valentin Bartenev <vbart@nginx.com>; parents: 1330.