mirror of https://github.com/searxng/searxng.git
Fix security vulnerabilities in suggested nginx configuration
The suggested configurations for nginx found in the documentation and templates lead to vulnerabilities allowing host spoofing [1] and path traversal [2], as reported by Gixy [3]. This commit fixes those issues. [1] https://github.com/yandex/gixy/blob/master/docs/en/plugins/hostspoofing.md [2] https://github.com/yandex/gixy/blob/master/docs/en/plugins/aliastraversal.md [3] https://github.com/yandex/gixy
This commit is contained in:
parent
c748fc66cf
commit
6b59800dc6
|
@ -173,7 +173,7 @@ Use it along with ``nginx`` with the following example configuration.
|
||||||
location /searx {
|
location /searx {
|
||||||
proxy_pass http://127.0.0.1:4004/;
|
proxy_pass http://127.0.0.1:4004/;
|
||||||
|
|
||||||
proxy_set_header Host $http_host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header Connection $http_connection;
|
proxy_set_header Connection $http_connection;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
|
|
@ -182,7 +182,7 @@ Started wiki`_ is always a good resource *to keep in the pocket*.
|
||||||
location /searx {
|
location /searx {
|
||||||
proxy_pass http://127.0.0.1:4004/;
|
proxy_pass http://127.0.0.1:4004/;
|
||||||
|
|
||||||
proxy_set_header Host $http_host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header Connection $http_connection;
|
proxy_set_header Connection $http_connection;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
@ -190,8 +190,8 @@ Started wiki`_ is always a good resource *to keep in the pocket*.
|
||||||
proxy_set_header X-Script-Name /searx;
|
proxy_set_header X-Script-Name /searx;
|
||||||
}
|
}
|
||||||
|
|
||||||
location /searx/static {
|
location /searx/static/ {
|
||||||
alias /usr/local/searx/searx-src/searx/static;
|
alias /usr/local/searx/searx-src/searx/static/;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@ -205,7 +205,7 @@ Started wiki`_ is always a good resource *to keep in the pocket*.
|
||||||
location /morty {
|
location /morty {
|
||||||
proxy_pass http://127.0.0.1:3000/;
|
proxy_pass http://127.0.0.1:3000/;
|
||||||
|
|
||||||
proxy_set_header Host $http_host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header Connection $http_connection;
|
proxy_set_header Connection $http_connection;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
@ -309,8 +309,8 @@ Started wiki`_ is always a good resource *to keep in the pocket*.
|
||||||
proxy_buffering off;
|
proxy_buffering off;
|
||||||
}
|
}
|
||||||
|
|
||||||
location /searx/static {
|
location /searx/static/ {
|
||||||
alias /usr/local/searx/searx-src/searx/static;
|
alias /usr/local/searx/searx-src/searx/static/;
|
||||||
}
|
}
|
||||||
|
|
||||||
The ``X-Script-Name /searx`` is needed by the searx implementation to
|
The ``X-Script-Name /searx`` is needed by the searx implementation to
|
||||||
|
@ -328,8 +328,8 @@ Started wiki`_ is always a good resource *to keep in the pocket*.
|
||||||
uwsgi_pass unix:/run/uwsgi/app/searx/socket;
|
uwsgi_pass unix:/run/uwsgi/app/searx/socket;
|
||||||
}
|
}
|
||||||
|
|
||||||
location /searx/static {
|
location /searx/static/ {
|
||||||
alias /usr/local/searx/searx-src/searx;
|
alias /usr/local/searx/searx-src/searx/;
|
||||||
}
|
}
|
||||||
|
|
||||||
For searx to work correctly the ``base_url`` must be set in the
|
For searx to work correctly the ``base_url`` must be set in the
|
||||||
|
|
|
@ -3,7 +3,7 @@
|
||||||
location ${SEARX_URL_PATH} {
|
location ${SEARX_URL_PATH} {
|
||||||
proxy_pass http://127.0.0.1:4004/;
|
proxy_pass http://127.0.0.1:4004/;
|
||||||
|
|
||||||
proxy_set_header Host \$http_host;
|
proxy_set_header Host \$host;
|
||||||
proxy_set_header Connection \$http_connection;
|
proxy_set_header Connection \$http_connection;
|
||||||
proxy_set_header X-Real-IP \$remote_addr;
|
proxy_set_header X-Real-IP \$remote_addr;
|
||||||
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
|
||||||
|
@ -11,6 +11,6 @@ location ${SEARX_URL_PATH} {
|
||||||
proxy_set_header X-Script-Name ${SEARX_URL_PATH};
|
proxy_set_header X-Script-Name ${SEARX_URL_PATH};
|
||||||
}
|
}
|
||||||
|
|
||||||
location ${SEARX_URL_PATH}/static {
|
location ${SEARX_URL_PATH}/static/ {
|
||||||
alias ${SEARX_SRC}/searx/static;
|
alias ${SEARX_SRC}/searx/static/;
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue