Icycoide/searxng
1
0
Fork 1
mirror of https://github.com/searxng/searxng.git synced 2025-07-31 00:52:22 +02:00
Code Issues Projects Releases Packages Wiki Activity

Fix security vulnerabilities in suggested nginx configuration

Browse source 
The suggested configurations for nginx found in the documentation and
templates lead to vulnerabilities allowing host spoofing [1] and path
traversal [2], as reported by Gixy [3]. This commit fixes those issues.

[1] https://github.com/yandex/gixy/blob/master/docs/en/plugins/hostspoofing.md
[2] https://github.com/yandex/gixy/blob/master/docs/en/plugins/aliastraversal.md
[3] https://github.com/yandex/gixy
This commit is contained in:
Alex Balgavy 2021-03-03 12:21:06 +01:00
parent c748fc66cf
commit 6b59800dc6
3 changed files with 12 additions and 12 deletions
Download patch file Download diff file Expand all files Collapse all files

6
utils/templates/etc/nginx/default.apps-available/searx.conf:filtron
View file

@ -3,7 +3,7 @@
location ${SEARX_URL_PATH} {
proxy_pass http://127.0.0.1:4004/;
proxy_set_header Host \$http_host;
proxy_set_header Host \$host;
proxy_set_header Connection \$http_connection;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
@ -11,6 +11,6 @@ location ${SEARX_URL_PATH} {
proxy_set_header X-Script-Name ${SEARX_URL_PATH};
}
location ${SEARX_URL_PATH}/static {
alias ${SEARX_SRC}/searx/static;
location ${SEARX_URL_PATH}/static/ {
alias ${SEARX_SRC}/searx/static/;
}