Difference between revisions of "SCG WS nginx"
Revision as of 13:19, 21 April 2016
This article is part of the OWASP Secure Configuration Guide.
Back to the OWASP Secure Configuration Guide ToC: https://www.owasp.org/index.php/Secure_Configuration_Guide
Back to the OWASP Secure Configuration Guide Project: https://www.owasp.org/index.php/OWASP_Secure_Configuration_Guide
NEEDS TO BE REVIEWED, SEE REFERENCES BELOW FOR GOOD MATERIAL!
Summary
A detailed description of the product (can be taken from the official website)
Common Misconfigurations
Misconfiguration 1
Description
%ProductName% allows an unauthorized attacker to list all users of the system ...
// Detailed description of the impact. Is it enabled by default? Vulnerable versions.
How to test
In order to test for %Misconfiguration_1%, one should ...
// Proof-of-concept here. Please include the screenshots and widely known tools/scanners!
Remediation
The initial/common value of the "listUsers" parameter in config.xml is "true".
To remediate the vulnerability it is enough to change the value to false:
<pre>
<security>
  <listUsers>false</listUsers>
</security>
</pre>
Secure Configuration
Buffer Overflow Protection
<pre>
## Size Limits & Buffer Overflows ##
## the sizes below need testing and tuning to the real needs of the application
client_body_buffer_size 1k;
client_header_buffer_size 1k;
client_max_body_size 1k;
large_client_header_buffers 2 1k;
## END ##
</pre>
A request whose body exceeds client_max_body_size is rejected with 413 (Request Entity Too Large), so the value must cover the largest upload the application legitimately accepts.
Refer to http://nginx.org/en/docs/http/ngx_http_core_module.html
Mitigating Slow HTTP DoS Attack
<pre>
## Timeouts definition ##
client_body_timeout 10;
client_header_timeout 10;
keepalive_timeout 5 5;
send_timeout 10;
## End ##
</pre>
- client_body_timeout: Defines a timeout for reading client request body. The timeout is set only for a period between two successive read operations, not for the transmission of the whole request body. If a client does not transmit anything within this time, the 408 (Request Time-out) error is returned to the client.
- client_header_timeout: Defines a timeout for reading client request header. If a client does not transmit the entire header within this time, the 408 (Request Time-out) error is returned to the client.
- keepalive_timeout: The first parameter sets a timeout during which a keep-alive client connection will stay open on the server side. The zero value disables keep-alive client connections. The optional second parameter sets a value in the “Keep-Alive: timeout=time” response header field. The two parameters may differ. The “Keep-Alive: timeout=time” header field is recognized by Mozilla and Konqueror. MSIE closes keep-alive connections by itself in about 60 seconds.
- send_timeout: Sets a timeout for transmitting a response to the client. The timeout is set only between two successive write operations, not for the transmission of the whole response. If the client does not receive anything within this time, the connection is closed.
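As an added check that is not part of the guide, the following Python script pulls the size-limit and timeout directives out of an nginx configuration and reports which of the values from the two sections above are missing or looser than the guide's numbers; the policy thresholds and the two embedded configs are the editor's assumptions.

```python
"""Audit nginx size-limit and timeout directives against the guide's values.
Added example with constructed configs; the policy numbers are assumptions."""
import re
# Assumed policy: maxima in bytes for sizes, seconds for timeouts (guide values).
POLICY = {"client_body_buffer_size": 1024, "client_header_buffer_size": 1024,
          "client_max_body_size": 1024, "client_body_timeout": 10,
          "client_header_timeout": 10, "keepalive_timeout": 5, "send_timeout": 10}
SIZE = {"": 1, "k": 1024, "m": 1024 ** 2}
TIME = {"": 1, "ms": 0.001, "s": 1, "m": 60, "h": 3600}

def parse_size(text):
    """'1K' -> 1024, '512' -> 512 (nginx size syntax)."""
    m = re.fullmatch(r"(\d+)([km]?)", text.lower())
    return int(m.group(1)) * SIZE[m.group(2)]

def parse_time(text):
    """'10' -> 10, '100ms' -> 0.1, '5m' -> 300 (nginx time syntax)."""
    m = re.fullmatch(r"(\d+)(ms|s|m|h)?", text.lower())
    return int(m.group(1)) * TIME[m.group(2) or ""]

def directives(config):
    """Map directive name -> raw values (comments stripped, block context ignored)."""
    text = re.sub(r"#[^\n]*", "", config)
    found = {}
    for name, value in re.findall(r"([a-z_]+)\s+([^;{}\n]+?)\s*;", text):
        found.setdefault(name, []).append(value)
    return found

def audit(config):
    """Return sorted findings; an empty list means the policy is satisfied."""
    found, findings = directives(config), []
    for name, limit in POLICY.items():
        parse = parse_time if name.endswith("timeout") else parse_size
        if name not in found:
            findings.append(f"{name} not set (nginx default applies)")
        for raw in found.get(name, []):
            if parse(raw.split()[0]) > limit:  # keepalive_timeout takes 2 args
                findings.append(f"{name} {raw} exceeds policy maximum {limit}")
    if "large_client_header_buffers" not in found:
        findings.append("large_client_header_buffers not set")
    return sorted(findings)

# Constructed configs: a permissive one and the guide's hardened block.
WEAK = "http {\n  client_max_body_size 100m;  # big uploads\n  keepalive_timeout 75;\n}"
HARDENED = """http {
  client_body_buffer_size 1K; client_header_buffer_size 1k; client_max_body_size 1k;
  large_client_header_buffers 2 1k; client_body_timeout 10; client_header_timeout 10;
  keepalive_timeout 5 5; send_timeout 10;
}"""
```

Running audit(WEAK) lists five missing directives, the oversized body limit and the long keep-alive, while audit(HARDENED) returns an empty list.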
Allow Access To Specified Domain Only
<pre>
## only abc.com, www.abc.com and images.abc.com are served; dots are escaped so they match literally
if ($host !~ ^(abc\.com|www\.abc\.com|images\.abc\.com)$ ) {
    return 444;
}
##
</pre>
Status 444 is nginx-specific: the connection is closed without sending any response. $host is taken from the request line or the Host header (falling back to the matching server_name), so a request naming a host outside the list is simply dropped.
Limit IP clients access
Limit a specific folder to certain source IP clients only.
<pre>
## the /docs/ location is reachable only from the 192.168.1.0/24 range
location /docs/ {
    ## block one workstation
    deny 192.168.1.1;
    ## allow anyone else in 192.168.1.0/24
    allow 192.168.1.0/24;
    ## drop the rest of the world
    deny all;
}
</pre>
Rules are evaluated in order and the first match wins, so the single-host deny must come before the subnet allow; listed after it, 192.168.1.1 would already have been allowed by the subnet rule.
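The first-match behaviour is worth seeing run: this added Python example (not nginx code) evaluates allow/deny rules the way ngx_http_access_module does and compares the guide's /docs/ ordering with a constructed misordering of the same three rules.

```python
"""Evaluate nginx allow/deny rules with the access module's first-match semantics.
Added example, not nginx code; the rule blocks below are constructed."""
import ipaddress

def parse_rules(block):
    """Turn 'allow 192.168.1.0/24;' style lines into (action, network) tuples;
    the network is None for 'all'. Only allow/deny lines are expected."""
    rules = []
    for line in block.splitlines():
        line = line.split("#", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        action, target = line.split()
        net = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, net))
    return rules

def decide(rules, client):
    """Return 'allow' or 'deny' for client from the first matching rule.
    nginx lets the request through when no rule matches at all."""
    addr = ipaddress.ip_address(client)
    for action, net in rules:
        if net is None or (addr.version == net.version and addr in net):
            return action
    return "allow"

# The guide's /docs/ rules: the single-host deny is listed before the subnet allow.
GUIDE = """
    deny 192.168.1.1;       # block one workstation
    allow 192.168.1.0/24;   # allow the rest of the subnet
    deny all;               # drop the rest of the world
"""
# Constructed misordering: the subnet allow now shadows the single-host deny.
REORDERED = """
    allow 192.168.1.0/24;
    deny 192.168.1.1;
    deny all;
"""

def decisions(block, clients=("192.168.1.1", "192.168.1.50", "10.0.0.5")):
    """Map each client address to the decision the rule block produces."""
    rules = parse_rules(block)
    return {c: decide(rules, c) for c in clients}

if __name__ == "__main__":
    print("guide order:", decisions(GUIDE))
    print("reordered:  ", decisions(REORDERED))
```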
Limit HTTP Method
<pre>
## Only GET, POST and PUT are allowed ##
if ($request_method !~ ^(GET|PUT|POST)$ ) {
    return 444;
}
## Do not accept HEAD, DELETE, SEARCH and other methods ##
</pre>
Before deploying this rule, confirm that monitoring or load-balancer health checks do not rely on HEAD, since those probes would be dropped as well.
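To see the timeout and filter rules above working in production, this added Python example (not part of the guide) summarises access-log lines: 408 responses per client from the slow-request timeouts, and the methods dropped with 444 by the Host and method checks. The log lines are constructed in nginx's default combined format.

```python
"""Summarise nginx access-log lines that the guide's controls produce: 408 from the
slow-request timeouts and 444 from the Host and method filters. Added example;
the log lines are constructed in the default "combined" format."""
import re
from collections import Counter, defaultdict

LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
                  r'(?P<status>\d{3}) (?P<bytes>\d+) "[^"]*" "(?P<ua>[^"]*)"')

def parse(lines):
    """Yield one dict per well-formed line; the request line is split out so the
    method of a dropped request is visible (nginx logs '-' when none arrived)."""
    for line in lines:
        m = LINE.match(line)
        if m:
            rec = m.groupdict()
            rec["method"] = rec["request"].split(" ")[0]
            yield rec

def summarize(lines, timeout_threshold=3):
    """Return (slow_clients, blocked): IPs with at least timeout_threshold 408
    responses (a slow-HTTP client, hostile or broken) and, per IP, a count of
    methods that got 444. A 444 on an allowed method means the Host check fired;
    add $host to log_format to see which name was requested."""
    timeouts, blocked = Counter(), defaultdict(Counter)
    for rec in parse(lines):
        if rec["status"] == "408":
            timeouts[rec["ip"]] += 1
        elif rec["status"] == "444":
            blocked[rec["ip"]][rec["method"]] += 1
    slow = sorted(ip for ip, n in timeouts.items() if n >= timeout_threshold)
    return slow, {ip: dict(c) for ip, c in blocked.items()}

# Constructed sample: one normal hit, a slow client timing out three times, a
# client using DELETE and a bad Host, and a monitor whose HEAD probes are dropped.
SAMPLE = [
    '10.0.0.7 - - [21/Apr/2016:13:19:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [21/Apr/2016:13:19:02 +0000] "-" 408 0 "-" "-"',
    '198.51.100.9 - - [21/Apr/2016:13:19:14 +0000] "-" 408 0 "-" "-"',
    '198.51.100.9 - - [21/Apr/2016:13:19:26 +0000] "POST /upload HTTP/1.1" 408 0 "-" "curl/7.47.0"',
    '203.0.113.4 - - [21/Apr/2016:13:19:30 +0000] "DELETE /docs/ HTTP/1.1" 444 0 "-" "python-requests/2.9"',
    '203.0.113.4 - - [21/Apr/2016:13:19:31 +0000] "GET / HTTP/1.1" 444 0 "-" "python-requests/2.9"',
    '10.0.0.7 - - [21/Apr/2016:13:19:40 +0000] "HEAD /health HTTP/1.1" 444 0 "-" "monitor/1.0"',
]

if __name__ == "__main__":
    slow, blocked = summarize(SAMPLE)
    print("possible slow-HTTP clients:", slow)
    print("dropped by host/method filter:", blocked)
```

The HEAD entry from 10.0.0.7 is the kind of false positive the method filter produces for monitoring probes, which is why the log should be reviewed after the rule goes live.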
References
http://ngx.readthedocs.org/en/latest/topics/tutorials/config_pitfalls.html