Mercurial > hg > nginx-quic
view auto/cc/ccc @ 5094:e0a3714a36f8
SNI: reset to default server if requested host was not found.
Not only this is consistent with a case without SNI, but this also
prevents abusing configurations that assume that the $host variable
is limited to one of the configured names for a server.
An example of potentially unsafe configuration:
server {
listen 443 ssl default_server;
...
}
server {
listen 443;
server_name example.com;
location / {
proxy_pass http://$host;
}
}
Note: it is possible to negotiate "example.com" by SNI, and to request
arbitrary host name that does not exist in the configuration above.
author | Valentin Bartenev <vbart@nginx.com> |
---|---|
date | Wed, 27 Feb 2013 17:38:54 +0000 |
parents | d620f497c50f |
children |
line wrap: on
line source
# Copyright (C) Igor Sysoev # Copyright (C) Nginx, Inc. # Compaq C V6.5-207 ngx_include_opt="-I" # warnings CFLAGS="$CFLAGS -msg_enable level6 -msg_fatal level6" CFLAGS="$CFLAGS -msg_disable unknownmacro" CFLAGS="$CFLAGS -msg_disable unusedincl" CFLAGS="$CFLAGS -msg_disable unnecincl" CFLAGS="$CFLAGS -msg_disable nestincl" CFLAGS="$CFLAGS -msg_disable strctpadding" CFLAGS="$CFLAGS -msg_disable ansialiascast" CFLAGS="$CFLAGS -msg_disable inlinestoclsmod" CFLAGS="$CFLAGS -msg_disable cxxkeyword" CFLAGS="$CFLAGS -msg_disable longlongsufx" CFLAGS="$CFLAGS -msg_disable valuepres" # STUB CFLAGS="$CFLAGS -msg_disable truncintcast" CFLAGS="$CFLAGS -msg_disable trunclongcast" CFLAGS="$CFLAGS -msg_disable truncintasn" CFLAGS="$CFLAGS -msg_disable trunclongint" CFLAGS="$CFLAGS -msg_disable intconcastsgn" CFLAGS="$CFLAGS -msg_disable intconstsign" CFLAGS="$CFLAGS -msg_disable switchlong" CFLAGS="$CFLAGS -msg_disable subscrbounds2" CFLAGS="$CFLAGS -msg_disable hexoctunsign" CFLAGS="$CFLAGS -msg_disable ignorecallval" CFLAGS="$CFLAGS -msg_disable nonstandcast" CFLAGS="$CFLAGS -msg_disable embedcomment" CFLAGS="$CFLAGS -msg_disable unreachcode" CFLAGS="$CFLAGS -msg_disable questcompare2" CFLAGS="$CFLAGS -msg_disable unusedtop" CFLAGS="$CFLAGS -msg_disable unrefdecl" CFLAGS="$CFLAGS -msg_disable bitnotint"