Linux User Group of Mauritius Promoting open source software in our beautiful island

24Dec/150

Find user IP address with Cloudflare & Nginx

Posted by Ish

A content delivery network (CDN) is a distributed network of servers that delivers content, typically webpages, to users based on their geographic location. A CDN serves you from a location on the network that is closer to you.

CloudFlare provides such a CDN service. A friend recommended CloudFlare to me around a year or so ago, and I do not regret accepting.

CloudFlare Global Network, Source: cloudflare.com

I noticed considerable performance gain when I switched to CloudFlare.

PING hacklog.mu (104.28.11.229) 56(84) bytes of data.
64 bytes from 104.28.11.229: icmp_seq=1 ttl=51 time=114 ms
64 bytes from 104.28.11.229: icmp_seq=2 ttl=51 time=115 ms
64 bytes from 104.28.11.229: icmp_seq=3 ttl=51 time=113 ms
64 bytes from 104.28.11.229: icmp_seq=4 ttl=51 time=113 ms
64 bytes from 104.28.11.229: icmp_seq=5 ttl=51 time=114 ms

--- hacklog.mu ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4004ms
rtt min/avg/max/mdev = 113.856/114.509/115.854/0.847 ms

CloudFlare bundles other features, among which the Firewall allows you to set rules for rogue visitors.

Get the user’s IP address with Nginx

CloudFlare proxies requests to your webserver and as such, your webserver log would record CloudFlare’s IP addresses. In order to obtain the user’s IP address in a request, you would need to activate the True-Client-IP Header from CloudFlare’s administration panel. However, that requires an Enterprise plan. It is not available in the free service.

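There is one workaround using the ngx_http_realip_module in Nginx. The module replaces the client address with the one sent in a specified header field, and it does so only for requests that arrive from the addresses listed with set_real_ip_from, so the header is not honoured when someone connects to your server directly. CloudFlare sends the visitor's address in the CF-Connecting-IP field. The technical story can be summed up as follows in the http context of Nginx: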

http {

    set_real_ip_from 103.21.244.0/22;
    set_real_ip_from 103.22.200.0/22;
    set_real_ip_from 103.31.4.0/22;
    set_real_ip_from 104.16.0.0/12;
    set_real_ip_from 108.162.192.0/18;
    set_real_ip_from 141.101.64.0/18;
    set_real_ip_from 162.158.0.0/15;
    set_real_ip_from 172.64.0.0/13;
    set_real_ip_from 173.245.48.0/20;
    set_real_ip_from 188.114.96.0/20;
    set_real_ip_from 190.93.240.0/20;
    set_real_ip_from 197.234.240.0/22;
    set_real_ip_from 198.41.128.0/17;
    set_real_ip_from 199.27.128.0/21;
    real_ip_header   CF-Connecting-IP;

    ...
}

The IP addresses specified are those of CloudFlare and they can be obtained here. I suggest checking the page from time to time for updates or you might even monitor changes on the page (^^,) …
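The two things that keep this setup trustworthy, shown as an added Python example (not part of the original post, and only a simplified model of the realip decision, not Nginx's code): comparing the configured ranges with the published list, and honouring the header only when the TCP peer is in a trusted range. The sample config, the `PUBLISHED` text and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: a shortened http block in the style of the one above.
NGINX_CONF = """
http {
    set_real_ip_from 103.21.244.0/22;
    set_real_ip_from 173.245.48.0/20;
    set_real_ip_from 199.27.128.0/21;
    real_ip_header   CF-Connecting-IP;
}
"""

# Constructed stand-in for the published range list, one CIDR per line.
# 203.0.113.0/24 is a documentation range playing the role of a new entry.
PUBLISHED = "103.21.244.0/22\n173.245.48.0/20\n203.0.113.0/24\n"


def trusted_networks(conf):
    """Return the networks named by set_real_ip_from directives."""
    cidrs = re.findall(r"^\s*set_real_ip_from\s+(\S+?)\s*;", conf, re.M)
    return [ipaddress.ip_network(c) for c in cidrs]


def audit(conf, published):
    """Return (stale, missing): ranges only in the config, ranges only in the list."""
    configured = set(trusted_networks(conf))
    current = {ipaddress.ip_network(l.strip())
               for l in published.splitlines() if l.strip()}
    return (sorted(str(n) for n in configured - current),
            sorted(str(n) for n in current - configured))


def effective_client_ip(peer, header, trusted):
    """Use the header value only if the connecting peer is a trusted proxy."""
    peer_ip = ipaddress.ip_address(peer)
    if header and any(peer_ip in net for net in trusted):
        try:
            return str(ipaddress.ip_address(header.strip()))
        except ValueError:
            pass  # malformed header value: fall back to the peer address
    return str(peer_ip)
```

A stale entry keeps trusting a range the CDN may no longer own, while a missing entry means visitors arriving through that range are logged with the proxy's address instead of their own.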


Ubuntu & openSUSE come bundled with ngx_http_realip_module. If Nginx is complaining about an unknown directive in your distribution, then you most likely need to compile Nginx with the --with-http_realip_module parameter.

The post Find user IP address with Cloudflare & Nginx appeared first on HACKLOG.

18Nov/150

An interesting nginx vulnerability

Posted by logan

What is nginx

Nginx is a web server, similar to Apache. It was designed much later than Apache, and is faster. Due to its speed, it's often used in combination with Apache, or as a replacement for Apache. The market share of nginx has increased in recent years. So, when you navigate to http://www.hackers.mu/, your request is taken care of by the HTTP server. I use Apache for logan.hackers.mu. I could also have used nginx.

Security vulnerability

A security vulnerability is a coding error that allows an attacker to take advantage of the flaw to get some form of control over the server. Nginx has its fair share of vulnerabilities. I'm going to talk about a particular vulnerability: CVE-2013-2028.

CVE-2013-2028

A stack-based overflow is usually one of the easiest types of overflow that can be used to remotely take control of a server. CVE-2013-2028 is one such vulnerability. In the HTTP format, there's a field known as the HTTP header. One of the options that can be used for this header is the Transfer-Encoding chunked mechanism. In this particular case, this field was supposed to contain up to a maximum size. What happens if you go beyond it? Well, it overflows. As the original nginx code contained no way to handle this particular case, an attacker can leverage this to his advantage. He can send a large chunk size and inject other code that grants him remote access to the server. The server can then be controlled remotely. The attacker can change the contents of the website, for example, or use the server to attack other servers on the Internet.

If you would like to have additional details, please let me know :)
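The missing check described above, modelled in Python as an added example (not part of the original post and not nginx's code): a size accumulator with no range check beside a parser that bounds every chunk size before using it. The signed 64-bit model, the 1 MiB limit and all function names are assumptions made for illustration; the inputs are constructed.

```python
HEX = "0123456789abcdefABCDEF"


def naive_chunk_size(line):
    """'Before': fold hex digits into a signed 64-bit value, no range check."""
    size = 0
    for ch in line.split(";")[0].strip():
        size = (size * 16 + int(ch, 16)) & 0xFFFFFFFFFFFFFFFF
    # Reinterpret as signed: a large enough input comes out negative.
    return size - (1 << 64) if size >= (1 << 63) else size


def strict_chunk_size(line, max_chunk=1 << 20):
    """'After': accept only a short run of hex digits within the limit."""
    token = line.split(";")[0].strip()  # drop any chunk extension
    if not token or len(token) > 16 or any(c not in HEX for c in token):
        raise ValueError("malformed chunk size")
    size = int(token, 16)
    if size > max_chunk:
        raise ValueError("chunk size exceeds limit")
    return size


def read_chunked(body, max_chunk=1 << 20):
    """Decode a chunked body (bytes), validating each size line first."""
    out, pos = b"", 0
    while True:
        eol = body.index(b"\r\n", pos)  # ValueError if the size line is cut off
        size = strict_chunk_size(body[pos:eol].decode("ascii"), max_chunk)
        pos = eol + 2
        if size == 0:
            return out
        chunk = body[pos:pos + size]
        if len(chunk) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated chunk")
        out += chunk
        pos += size + 2
```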

Filed under: Nginx No Comments
18Sep/150

Nginx virtual host configuration

Posted by Ish

What is Nginx?

Nginx (pronounced engine-x) is a reverse proxy which gained popularity in recent years. A lot of people, including me, use Nginx as a web server thanks to its event-based multi-protocol support. Nginx supports HTTP and that is what we need to run it as a web server. The strong point of Nginx compared to traditional web servers is that each spawned process of Nginx can handle thousands of concurrent connections. Nginx does not embed programming languages within its own process, therefore all dynamic handling (such as PHP) is done through a backend server. PHP-FPM works great as a backend server to handle PHP scripts.

Nginx configuration

Before we dive into the Nginx virtual host configuration, we might need to grasp a little bit of the basics. The Nginx configuration can be classified into two parts: the directives and the contexts. A directive is an identifier that can accept one or several configuration options. A context, on the other hand, is a section which may contain several directives. The word “context” is mostly used in the Nginx documentation rather than “section”.

A directive would be as follows:

worker_connections 768;

A context would be like:

events {
    worker_connections 768;
    # multi_accept on;
}

A context may contain one or several directives within curly brackets {}. Directives can be disabled by commenting them with the # symbol.

To define a virtual host in Nginx we create a “server” context. This context will handle configuration directives like the hostname, the root directory etc. A basic virtual host in Nginx looks as follows:

server {
    listen 80;
    server_name mysite.com;
    
    root /var/www/mysite;
    index index.html;
}

The configuration tells Nginx to listen on port 80, handle requests for “mysite.com” and serve contents from the /var/www/mysite directory. The index directive tells Nginx to set “index.html” as the default file to serve.

Backend interaction

There is a sub-context called “location” within the server block. The location context handles URI matching. It tells Nginx what to do when a particular URI is sent by the client. Backend communication happens by sending the request to the backend server once the URI matching is completed and conditions are met. The server context may have several location sub-contexts, as we see in the example below:

server {
    listen 80;
    server_name mysite.com;
    
    root /var/www/mysite;
    index index.html;

    location / {
        try_files $uri $uri/ /index.php;
    }

    # The dot is escaped so that it matches a literal "." and not any character.
    location ~ \.php$ {
        include fastcgi.conf;
        fastcgi_pass 127.0.0.1:9000;
    }
}

If a URI ends with .php, the request is sent to the PHP5-FPM backend server. If a URI does not end with .php, the location / is used. Nginx looks for a file that matches the URI; if that fails, it tries to find a directory of that name and serves the index file. If both fail, the request is redirected internally to /index.php and is handled by the backend server.

The post Nginx virtual host configuration appeared first on HACKLOG.
