Mercurial > hg > nginx
view auto/summary @ 5095:4fbef397c753
SNI: added restriction on requesting host other than negotiated.
According to RFC 6066, client is not supposed to request a different server
name at the application layer. Server implementations that rely upon these
names being equal must validate that a client did not send a different name
in HTTP request. Current versions of Apache HTTP server always return 400
"Bad Request" in such cases.
There exist implementations however (e.g., SPDY) that rely on being able to
request different host names in one connection. Given this, we only reject
requests with differing host names if verification of client certificates
is enabled in a corresponding server configuration.
An example of configuration that might not work as expected:
server {
listen 433 ssl default;
return 404;
}
server {
listen 433 ssl;
server_name example.org;
ssl_client_certificate org.cert;
ssl_verify_client on;
}
server {
listen 433 ssl;
server_name example.com;
ssl_client_certificate com.cert;
ssl_verify_client on;
}
Previously, a client was able to request example.com by presenting
a certificate for example.org, and vice versa.
| author | Valentin Bartenev <vbart@nginx.com> |
|---|---|
| date | Wed, 27 Feb 2013 17:41:34 +0000 |
| parents | d620f497c50f |
| children | 83d54192e97b |
line wrap: on
line source
# Copyright (C) Igor Sysoev # Copyright (C) Nginx, Inc. ### STUB if [ $USE_THREADS != NO ]; then cat << END $0: error: the threads support is broken now. END exit 1 fi ### echo echo "Configuration summary" #case $USE_THREADS in # rfork) echo " + using rfork()ed threads" ;; # pthreads) echo " + using libpthread threads library" ;; # libthr) echo " + using FreeBSD libthr threads library" ;; # libc_r) echo " + using FreeBSD libc_r threads library" ;; # linuxthreads) echo " + using FreeBSD LinuxThreads port library" ;; # NO) echo " + threads are not used" ;; # *) echo " + using lib$USE_THREADS threads library" ;; #esac if [ $USE_PCRE = DISABLED ]; then echo " + PCRE library is disabled" else case $PCRE in YES) echo " + using system PCRE library" ;; NONE) echo " + PCRE library is not used" ;; *) echo " + using PCRE library: $PCRE" ;; esac fi case $OPENSSL in YES) echo " + using system OpenSSL library" ;; NONE) echo " + OpenSSL library is not used" ;; *) echo " + using OpenSSL library: $OPENSSL" ;; esac case $MD5 in YES) echo " + md5: using $MD5_LIB library" ;; NONE) echo " + md5 library is not used" ;; NO) echo " + using builtin md5 code" ;; *) echo " + using md5 library: $MD5" ;; esac case $SHA1 in YES) echo " + sha1: using $SHA1_LIB library" ;; NONE) echo " + sha1 library is not used" ;; NO) echo " + sha1 library is not found" ;; *) echo " + using sha1 library: $SHA1" ;; esac case $ZLIB in YES) echo " + using system zlib library" ;; NONE) echo " + zlib library is not used" ;; *) echo " + using zlib library: $ZLIB" ;; esac case $NGX_LIBATOMIC in YES) echo " + using system libatomic_ops library" ;; NO) ;; # not used *) echo " + using libatomic_ops library: $NGX_LIBATOMIC" ;; esac echo cat << END nginx path prefix: "$NGX_PREFIX" nginx binary file: "$NGX_SBIN_PATH" nginx configuration prefix: "$NGX_CONF_PREFIX" nginx configuration file: "$NGX_CONF_PATH" nginx pid file: "$NGX_PID_PATH" END if test -n "$NGX_ERROR_LOG_PATH"; then echo " nginx error log file: \"$NGX_ERROR_LOG_PATH\"" else echo " nginx logs errors to stderr" fi cat << END nginx http access log file: "$NGX_HTTP_LOG_PATH" nginx http client request body temporary files: "$NGX_HTTP_CLIENT_TEMP_PATH" END if [ $HTTP_PROXY = YES ]; then echo " nginx http proxy temporary files: \"$NGX_HTTP_PROXY_TEMP_PATH\"" fi if [ $HTTP_FASTCGI = YES ]; then echo " nginx http fastcgi temporary files: \"$NGX_HTTP_FASTCGI_TEMP_PATH\"" fi if [ $HTTP_UWSGI = YES ]; then echo " nginx http uwsgi temporary files: \"$NGX_HTTP_UWSGI_TEMP_PATH\"" fi if [ $HTTP_SCGI = YES ]; then echo " nginx http scgi temporary files: \"$NGX_HTTP_SCGI_TEMP_PATH\"" fi echo "$NGX_POST_CONF_MSG"