Developer: Nginx
First release date: 2004/10/04
Last release date: 2023/08/16
Technology: Server platforms
nginx is a web server and mail proxy server, focused on Unix-like operating systems.
2023
nginx 1.25.2 with fixes for errors in the HTTP/3 implementation
The release of the main branch of nginx 1.25.2 has been formed, within which the development of additional features continues. In the parallel supported stable branch 1.24.x, only changes related to the elimination of serious errors and vulnerabilities are made. In the future, a stable branch 1.26 will be formed on the basis of the main branch 1.25.x. The project code is written in C and distributed under the BSD license. This became known on August 16, 2023.
Among the changes:
- For HTTP/3, determination of the maximum packet size that can be transmitted to a given host without fragmentation (Path MTU Discovery) is implemented.
- When using HTTP/3, the TLS_AES_128_CCM_SHA256 cipher suite can be used.
- When loading the OpenSSL configuration, "nginx" is used as the application name (the appname parameter).
- Attempts to load the OpenSSL configuration are no longer made if nginx is built with the --with-openssl option but the OPENSSL_CONF environment variable is not set.
- When using HTTP/3, the $body_bytes_sent variable is set.
- Errors in the HTTP/3 implementation have been fixed[1].
Vulnerability of a number of servers due to an nginx configuration error
On July 5, 2023, it became known that some servers running nginx remain vulnerable to the Nginx Alias Traversal technique, which allows access to files and directories located outside the root directory specified in the "alias" directive. The problem manifests itself only in configurations in which the "alias" directive is placed inside a "location" block whose parameter does not end with the "/" character, while the "alias" value does end with "/".
The essence of the problem is that, for blocks with the alias directive, files are served by taking the requested path, matching it against the prefix from the location directive, cutting off the part of the path given by that prefix, and appending the remainder to the alias path. For a vulnerable configuration with the location prefix "/img" and the alias "/var/images/", an attacker can request the file "/img../test.txt": this request matches the "/img" prefix given in the location, after which the remaining tail "../test.txt" is appended to the path from the alias directive, "/var/images/", and the file "/var/images/../test.txt" is ultimately requested. Thus attackers can access any files in the "/var" directory, not only files in "/var/images/"; for example, to fetch the nginx log, a request "/img../log/nginx/access.log" can be sent.
In configurations in which the value of the alias directive does not end with the "/" character (for example, "alias /var/images;"), an attacker cannot move to the parent directory, but can query another directory in /var whose name begins with the same string as specified in the configuration. For example, by requesting "/img.old/test.txt", one can access "/var/images.old/test.txt".
An analysis of repositories on GitHub showed that configuration errors leading to this problem are still found in real nginx projects. For example, the problem was identified in the server side of the Bitwarden password manager and could be used to access all files in the /etc/bitwarden directory (requests to /attachments were served from /etc/bitwarden/attachments/), including the vault.db database with passwords stored there, the certificate and the logs, for which it was enough to send requests such as "/attachments../vault.db" and "/attachments../identity.pfx", and similar requests for the logs directory.
The method also worked with Google's HPC Toolkit, in which /static requests were redirected to the "../hpc-toolkit/community/front-end/website/static/" directory. To obtain the private key and the database with account data, an attacker could send the requests "/static../.secret_key" and "/static../db.sqlite3"[2].
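The following is an added example, not code from the article or from the nginx project, showing how the location/alias mismatch described above can be audited in a configuration file and how the resulting path mapping can be reproduced. The sample configuration embedded in the script is constructed for the example; the regular expression handles plain prefix locations only (regex and exact-match locations are skipped), and nginx's own URI normalisation is not modelled, which is why the check is applied to request paths such as "/img../test.txt" that contain no "/../" segment.

```python
import os
import re
from dataclasses import dataclass

# Constructed sample configuration (not from the article): one block with the
# vulnerable shape described above (prefix without trailing "/", alias with it),
# one with the sibling-directory shape (alias without trailing "/"), and one safe
# block in which both the prefix and the alias end with "/".
SAMPLE_CONFIG = """
server {
    listen 80;

    location /img {
        alias /var/images/;
    }

    location /static {
        alias /srv/app/static;
    }

    location /img/ {
        alias /var/images/;
    }
}
"""

# Plain prefix locations with a body that contains no nested braces.
LOCATION_RE = re.compile(
    r"location\s+(?P<prefix>/[^\s{~*=]*)\s*\{(?P<body>[^{}]*)\}", re.S
)
ALIAS_RE = re.compile(r"\balias\s+(?P<path>[^;\s]+)\s*;")


@dataclass
class Finding:
    prefix: str
    alias: str
    issue: str


def audit_aliases(config: str) -> list[Finding]:
    """Flag location/alias pairs whose location prefix lacks a trailing slash."""
    findings = []
    for loc in LOCATION_RE.finditer(config):
        prefix, body = loc.group("prefix"), loc.group("body")
        m = ALIAS_RE.search(body)
        if not m:
            continue
        alias = m.group("path")
        if prefix.endswith("/"):
            continue  # the prefix is bounded to a directory; nothing to report
        if alias.endswith("/"):
            findings.append(Finding(prefix, alias, "parent-directory traversal"))
        else:
            findings.append(Finding(prefix, alias, "sibling-directory access"))
    return findings


def mapped_path(prefix: str, alias: str, request_uri: str) -> str:
    """Reproduce the mapping the article describes: cut the matched prefix off
    the request URI and append the remainder to the alias path."""
    if not request_uri.startswith(prefix):
        raise ValueError("URI does not match the location prefix")
    return os.path.normpath(alias + request_uri[len(prefix):])


def escapes_alias(prefix: str, alias: str, request_uri: str) -> bool:
    """True when the resulting path lies outside the directory the alias names."""
    root = os.path.normpath(alias)
    path = mapped_path(prefix, alias, request_uri)
    return not (path == root or path.startswith(root + os.sep))


def fixed_location(prefix: str, alias: str) -> str:
    """Corrected block: a trailing slash on both the prefix and the alias."""
    p = prefix if prefix.endswith("/") else prefix + "/"
    a = alias if alias.endswith("/") else alias + "/"
    return f"location {p} {{\n    alias {a};\n}}"


if __name__ == "__main__":
    for f in audit_aliases(SAMPLE_CONFIG):
        print(f"location {f.prefix} -> alias {f.alias}: {f.issue}")
        print(fixed_location(f.prefix, f.alias))
    print(mapped_path("/img", "/var/images/", "/img../test.txt"))
```

Running the script reports the "/img" and "/static" blocks and prints "/var/test.txt" for the traversal case from the article; the "/img/" block passes because the trailing slash on the prefix forces the match to stop at a directory boundary.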
Nginx 1.25.1 with "http2" directive
The release of the main branch of nginx 1.25.1 has been formed, within which the development of new features continues. In the parallel supported stable branch 1.24.x, only changes related to the elimination of serious errors and vulnerabilities are made. In the future, a stable branch 1.26 will be formed on the basis of the main branch 1.25.x. This became known on June 13, 2023.
Among the changes:
- A separate "http2" directive has been added to selectively enable the HTTP/2 protocol on a per-server basis (it can be used in individual "server" blocks). The "http2" parameter of the "listen" directive is declared obsolete.
- Support for server push in HTTP/2 has been removed.
- Support for the "ssl" directive, previously declared obsolete, has been discontinued.
- Issues when using HTTP/3 in builds with OpenSSL have been resolved[3].
Version nginx 1.24.0
On April 12, 2023, it became known that, after 11 months of development, the stable branch 1.24.0 of the HTTP server and multi-protocol proxy server nginx was presented, incorporating the changes accumulated in the main branch 1.23.x. In the future, all changes in the stable branch 1.24 will be related to the elimination of serious errors and vulnerabilities. Soon the main branch nginx 1.25 will be formed, in which additional features will continue to be developed. For ordinary users who do not need compatibility with third-party modules, it is recommended to use the main branch, on the basis of which releases of the commercial product Nginx Plus are formed every three months.
As reported, according to Netcraft's March report, nginx is used on 18.94% of all active sites (20.08% a year ago, 20.15% two years ago), which corresponds to second place in popularity in this category; Apache's share is 20.52% (22.58% a year ago, 25.38% two years ago), Cloudflare's 11.32% (10.42%, 8.51%) and Google's 9.89% (8.89%, 10.09%). When all sites are considered, nginx retains the lead with 25.94% of the market (31.13% a year ago, 35.34% two years ago), while Apache's share is 20.58% (23.08%), Cloudflare's 10.17% (5.49%) and OpenResty's (a platform based on nginx and LuaJIT) 7.94% (8.01%).
Among the million most visited sites in the world in 2023, Cloudflare took the lead with a share of 21.62%. For comparison, the share of nginx is 21.37% (21.79% a year ago, 23.06% two years ago), and that of Apache httpd 21.18%. In 2023, about 289 million sites run on nginx (361 million a year ago). According to W3Techs, nginx is used on 34.5% of the million most visited sites; in April 2022 this figure was 33.1%, and the year before that 33.8%. Apache's share over the year increased from 31.3% to 32.2%, and the share of Node.js from 1.8% to 2%. The share of Microsoft IIS decreased from 6% to 5.6%, and the share of LiteSpeed from 12.2% to 11.8%. In Russia, nginx is used on 81.3% of the most visited sites (79.8% a year ago).
The most noticeable changes added during the development of the main branch 1.23.x:
- The TLSv1.3 protocol is enabled by default.
- Automatic rotation of encryption keys for TLS session tickets is provided when shared memory is used in the ssl_session_cache directive.
- Memory consumption in SSL proxying configurations has been optimized.
- Support for the "$proxy_protocol_tlv_*" variables has been added, which hold the values of the TLV (Type-Length-Value) fields present in PROXY protocol v2.
- The ngx_http_gzip_static_module module has gained support for byte ranges.
- The "resolver" directive has gained the "ipv4=off" parameter, which disables lookup of IPv4 addresses when resolving names to addresses.
- The internal API has been reworked: header strings are now passed as a linked list.
- Header strings with identical names are combined when passed to FastCGI, SCGI and uwsgi backends, in the $r->header_in() method of the ngx_http_perl_module module, and in the variables "$http_...", "$sent_http_...", "$sent_trailer_...", "$upstream_http_..." and "$upstream_trailer_...".
- A warning is issued when the protocol settings of a listening socket are overridden.
- The log level of many SSL errors has been lowered from critical to informational.
- On the Windows platform, the ngx_http_autoindex_module and ngx_http_dav_module modules, as well as the include directive, have gained support for non-ASCII characters in file names. nginx for Windows is also now built with OpenSSL 3.0[4].
2022
Versions 1.22.1 and 1.23.2 with vulnerability fixes
The release of the main branch of nginx 1.23.2 has been formed, within which the development of additional capabilities continues, together with the release of the parallel supported stable branch nginx 1.22.1, which receives only changes related to the elimination of serious errors and vulnerabilities. This became known on October 19, 2022.
The updated versions fix two vulnerabilities (CVE-2022-41741, CVE-2022-41742) in the ngx_http_mp4_module module, which is used for streaming from files in H.264/AAC format. The vulnerabilities can lead to memory corruption or leakage of memory contents when a specially crafted mp4 file is processed. The known consequence is a crash of the worker process, but other outcomes, such as code execution on the server, are not ruled out.
It is noteworthy that a similar vulnerability was already fixed in the ngx_http_mp4_module module in 2012. In addition, F5 reported a similar vulnerability (CVE-2022-41743) in the NGINX Plus product affecting the ngx_http_hls_module module, which provides support for the HLS (Apple HTTP Live Streaming) protocol.
In addition to the vulnerability fixes, the following changes are included in nginx 1.23.2:
- Support for the "$proxy_protocol_tlv_*" variables has been added, which hold the values of the TLV (Type-Length-Value) fields present in PROXY protocol v2.
- Automatic rotation of encryption keys for TLS session tickets is provided when shared memory is used in the ssl_session_cache directive.
- The log level for errors related to an incorrect SSL record type has been lowered from critical to informational.
- The log level for messages about the inability to allocate memory for a new session has been changed from alert to warn, and such messages are limited to one record per second.
- The Windows build now uses OpenSSL 3.0.
- PROXY protocol errors are now reported in the log.
- Fixed an issue where TLSv1.3 with OpenSSL or BoringSSL did not honour the timeout specified in the ssl_session_timeout directive[5].
Release of nginx 1.23.0 main branch
The first release of the new main branch nginx 1.23.0 was presented, within which the development of new features will continue. This became known on June 21, 2022. In the parallel supported stable branch 1.22.x, only changes related to the elimination of serious errors and vulnerabilities are made. In 2023, a stable branch 1.24 will be formed on the basis of the main branch 1.23.x.
Major changes:
- The internal API has been reworked: header strings are now passed as a linked list.
- Header strings with identical names are combined when passed to FastCGI, SCGI and uwsgi backends, in the $r->header_in() method of the ngx_http_perl_module module, and in the variables "$http_...", "$sent_http_...", "$sent_trailer_...", "$upstream_http_..." and "$upstream_trailer_...".
- For the SSL error "application data after close notify", the log level has been lowered from "crit" to "info".
- Fixed hanging connections in nginx built on Linux with kernel 2.6.17 or newer but run on systems without EPOLLRDHUP support (for example, under epoll emulation).
- Fixed an issue with caching of responses when the "Expires" header disallowed caching but "Cache-Control" allowed it.
- Fixed problems that appeared when the backend returned several "Vary" or "WWW-Authenticate" headers in a response.
Possible 0-day vulnerability in Nginx 1.18
On April 12, 2022, it became known that a week earlier a Twitter page associated with the hacker group BlueHornet had published information about a vulnerability in the software for LDAP authentication of Nginx users. According to the hackers, they had prepared an experimental exploit for Nginx 1.18 and, while testing it, found that a number of companies and corporations were vulnerable to it.
As the hackers explained, exploitation of the vulnerability takes place in two stages. The first stage is LDAP injection (a type of attack on a web application in which LDAP statements are built from user input data).
According to BlueHornet, the group intended to report its discovery to the Nginx security team through the bug bounty platform HackerOne. Later, a GitHub page was created with detailed explanations of how the vulnerability is exploited.
The group stated that the vulnerability affects Nginx's default configurations and criticized the developers for not responding to its message in any way. According to the hackers, they tested their exploit on the systems of Royal Bank of Canada; however, it is not known whether these were actually compromised. Later, the group also announced that it had broken into the systems of the Chinese representative office of UBS Securities.
On Monday, April 11, the Nginx developers released a statement regarding the vulnerability and noted that it affects only the reference implementations, not Nginx Open Source or Nginx Plus.
As the company explained, the reference implementations are susceptible to the vulnerability in three cases: if command-line parameters were used to configure the daemon; if optional configuration parameters are used; and if LDAP authentication depends on membership in a specific group. For all three cases, methods of protecting against exploitation of the vulnerability have been developed.[6]
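The article defines LDAP injection as building LDAP statements from user input. The block below is an added example, not code from the nginx reference implementation or from the article, contrasting a filter assembled by plain string concatenation with one whose user-supplied value is escaped per RFC 4515; the group DN is a constructed placeholder, and the two small scanners only serve to show that escaping keeps the filter's structure fixed regardless of the input.

```python
# Constructed placeholder for the group membership that authentication requires.
ADMIN_GROUP = "cn=admins,ou=groups,dc=example,dc=com"

# Characters with special meaning inside a filter assertion value (RFC 4515 section 3)
# and their backslash-hex escapes.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so it can only ever be matched literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def unsafe_filter(username: str) -> str:
    """The injectable pattern: user input concatenated straight into the filter."""
    return f"(&(uid={username})(memberOf={ADMIN_GROUP}))"


def safe_filter(username: str) -> str:
    """Hardened form: the escaped value cannot open or close filter items."""
    return f"(&(uid={escape_filter_value(username)})(memberOf={ADMIN_GROUP}))"


def _unescaped_chars(ldap_filter: str):
    """Yield characters that are structural, skipping \\XX escape sequences."""
    i = 0
    while i < len(ldap_filter):
        if ldap_filter[i] == "\\":
            i += 3  # backslash plus two hex digits are value text, not structure
            continue
        yield ldap_filter[i]
        i += 1


def count_items(ldap_filter: str) -> int:
    """Number of filter items, counted by unescaped opening parentheses."""
    return sum(1 for ch in _unescaped_chars(ldap_filter) if ch == "(")


def contains_wildcard(ldap_filter: str) -> bool:
    """True if an unescaped '*' turned an equality match into a substring match."""
    return any(ch == "*" for ch in _unescaped_chars(ldap_filter))


if __name__ == "__main__":
    for name in ("alice", "ali*", "x)(cn=y"):
        print(repr(name), count_items(unsafe_filter(name)), count_items(safe_filter(name)))
```

For an ordinary username both builders produce a filter with three items; for input containing filter metacharacters, only the escaped version keeps three items and no wildcard, which is the property an authentication backend must rely on.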
2017
NGINX Application Platform
The NGINX Application Platform is a set of four open source products designed to help companies develop or modernize web applications faster and more consistently.
NGINX Unit application server
On September 14, 2017, the beta version of the NGINX Unit application server, one of the components of the NGINX Application Platform, was launched. Using NGINX Unit creates fewer layers between the user and the executable code, which reduces the load on the server and allows it to sustain more requests per second. Testing was carried out by ITSumma, a company specializing in remote server administration.
ITSumma tested one of the components of the NGINX Unit platform: a server that can run web applications written in various programming languages (PHP, Python, Go). A representative set of typical configurations was developed for deploying web applications on Laravel, 1C-Bitrix and WordPress, and a load test was carried out on projects run with NGINX Unit as the backend server and NGINX as the frontend server. The tests identified a number of shortcomings and errors, all of which were promptly fixed by NGINX.
In the market, running PHP via PHP-FPM or the Apache web server, and Python applications via uWSGI, has become the unspoken standard. And if different versions of PHP had to be supported, the only way out was to run several PHP-FPM process managers with different configurations at the same time.
Now NGINX Unit helps developers and organizations avoid chaos in the configuration of the components of complex heterogeneous systems, and configuration through the REST API makes it much easier to build infrastructure for complex microservice architectures.
Nginx Plus R12
On March 15, 2017, Nginx announced the release of the Nginx Plus R12 web server. It includes a number of features, including content scalability and caching, improvements in configuration management within a cluster, and nginScript programming capabilities.
NGINX Plus is a software application delivery platform that includes a load balancer, content cache and web server[7].
According to the developer, the release is designed in response to user requests to improve programmability, scalability and automated management. The release also includes other features: configuration management within a cluster and the ability to safely auto-scale load-balanced applications with proactive application-level readiness checks.
Other changes in the Plus R12 release include a process for checking and distributing load balancer and web server configuration across a cluster of NGINX Plus servers. According to the company, the nginScript configuration tool, based on a scripting language and first released in 2015, "has reached maturity and is fully supported in NGINX Plus."
2002: nginx
The product was created by Igor Sysoev in 2002.
Since July 2011, work on the product has been continued by Nginx.
HTTP server features
- serving static requests, index files, automatic generation of file listings, open file descriptor cache
- accelerated proxying without caching, simple load balancing and fault tolerance
- caching support for accelerated proxying and FastCGI
- accelerated support for FastCGI and memcached servers, simple load balancing and fault tolerance
- modularity, filters including gzip, byte ranges, chunked responses, HTTP authentication, SSI filter
- multiple subrequests on a page handled via proxy or FastCGI in the SSI filter are processed in parallel
- SSL support
- PSGI, WSGI support
- experimental support for embedded Perl
SMTP/IMAP/POP3 proxy server features
- redirecting the user to an SMTP/IMAP/POP3 backend using an external HTTP authentication server
- simple authentication (LOGIN, USER/PASS)
- support for SSL and STARTTLS
Notes
- [1] nginx release 1.25.2
- [2] Some servers with nginx remain vulnerable to the Nginx Alias Traversal technique
- [3] Release nginx 1.25.1
- [4] Release nginx 1.24.0
- [5] Update nginx 1.22.1 and 1.23.2 to fix vulnerabilities
- [6] Developers are exploring a possible 0-day vulnerability in NGINX
- [7] NGINX Plus Release 12, https://www.pcweek.ru/infrastructure/article/detail.php?ID=193108