I took the opposite approach. You put a funny character in the URL, you get a 444. I only allow underscore and hyphen.

For a while, I was getting fuzzed. Maybe a year ago it was a thing. Nothing bad happened, which I would say is a tribute to Nginx. I just returned 404s, but I figured I better trap this behavior before my luck runs out.

Original Message
From: c0nw0nk
Sent: Friday, July 14, 2017 12:58 PM
To: [email protected]
Reply To: [email protected]
Subject: Nginx allowed characters inside full URL / URI and ARGS

So I have been using Lua to iron out a few dilemmas and problems lately.

Does anyone know what characters Nginx accepts inside URLs? I am achieving a higher cache HIT ratio by modifying the URLs with Lua, but it also helps in preventing unwanted forms of DoS.

Here is my code:

    local function fix_url(str)
        return str:gsub("[+/=]", {["+"] = "+", ["/"] = "/", ["="] = "="}) -- Needs some regex to remove multiple occurrences of characters
    end
    ngx.var.modified_url = fix_url(ngx.var.request_uri) -- Remove unwanted duplicated characters that users are trying to bypass cache with.
    ngx.var.modified_url = string.lower(ngx.var.modified_url) -- make all lowercase to further increase cache HIT ratio

Now what I need to do is to introduce some regex to my gsub string in order to remove multiple occurrences of those characters.

Example:

Good Link: /index.php?page=about
Bad Link: ///InDex.PhP????PaGe===AboUt

You will notice that the good link is very friendly, whereas the Bad Link will have the same contents served as the good link but is incredibly dynamic and bypasses the cache each time. (This is how people are launching their DoS attacks.)

Any help on this little project would be fantastic :)

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,275500,275500#msg-275500

_______________________________________________
nginx mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx
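Added example (not code from either poster) combining the two approaches in this thread: refuse URIs with characters outside an allowlist with a 444, and collapse the repeated separators and case variation that defeat the cache key. The allowlist pattern, the `COLLAPSE` set and the `modified_url` variable are assumptions; the pure functions also run under plain Lua outside OpenResty.

```lua
-- Allowlist of bytes accepted in a request URI (an assumption for this
-- example: unreserved characters, a few delimiters and '%' for encoding).
local ALLOWED_URI = "^[%w%-%._~/%?=&+%%]*$"

local function is_allowed(uri)
  return uri:find(ALLOWED_URI) ~= nil
end

-- Separators that cache-busting requests tend to repeat.
local COLLAPSE = { "/", "?", "=", "+", "&" }

-- Turn "///InDex.PhP????PaGe===AboUt" into "/index.php?page=about".
local function normalize_uri(uri)
  local u = uri:lower()                      -- case-fold for a higher HIT ratio
  for _, c in ipairs(COLLAPSE) do
    -- '%' escapes the punctuation, so "%/+" means "one or more '/'".
    -- Lua patterns cannot quantify a back-reference, hence one pass per char.
    u = u:gsub("%" .. c .. "+", c)
  end
  return u
end

-- OpenResty glue (e.g. in access_by_lua_block): reject or rewrite.
-- Assumes `set $modified_url "";` in the nginx config.
if ngx then
  local uri = ngx.var.request_uri
  if not is_allowed(uri) then
    return ngx.exit(ngx.HTTP_CLOSE)          -- 444: close without a response
  end
  ngx.var.modified_url = normalize_uri(uri)
end

-- Stand-alone self-check under plain Lua (constructed inputs).
if not ngx then
  assert(normalize_uri("///InDex.PhP????PaGe===AboUt") == "/index.php?page=about")
  assert(normalize_uri("/index.php?page=about") == "/index.php?page=about")
  assert(is_allowed("/index.php?page=about"))
  assert(not is_allowed("/index.php?page=<script>"))
  print("ok")
end

return { is_allowed = is_allowed, normalize_uri = normalize_uri }
```

Use the normalised form only as the cache key (proxy_cache_key) rather than for routing, since lowercasing query values can change their meaning for a case-sensitive backend.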
