summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJacob Vosmaer <jacob@gitlab.com>2016-07-12 17:22:10 +0200
committerJacob Vosmaer <jacob@gitlab.com>2016-07-12 19:50:20 +0200
commit47b5b441395921e9f8e9982bb3f560e5db5a67bc (patch)
tree05029811e5ee76d91fc1d09bba1596caaa67d98e
parent97999fd4203846ad807de18eab5d7a2176344ce1 (diff)
downloadgitlab-ce-47b5b441395921e9f8e9982bb3f560e5db5a67bc.tar.gz
Defend against 'Host' header injection
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/17877 . This change adds 'defense in depth' against 'Host' HTTP header injection. It affects normal users in the following way. Suppose your GitLab server has IP address 1.2.3.4 and hostname gitlab.example.com. Currently, if you enter 1.2.3.4 in your browser, you get redirected to 1.2.3.4/users/sign_in. After this change, you get redirected from 1.2.3.4 to gitlab.example.com/users/sign_in. This is because the address you typed in the address bar of your browser ('1.2.3.4'), which gets stored in the 'Host' header, is now being overwritten to 'gitlab.example.com' in NGINX. In this change we also make NGINX clear the 'X-Forwarded-Host' header because Ruby on Rails also uses that header the same wayas the 'Host' header. We think that for most GitLab servers this is the right behavior, and if not then administrators can change this behavior themselves at the NGINX level.
-rw-r--r--CHANGELOG1
-rw-r--r--lib/support/nginx/gitlab7
-rw-r--r--lib/support/nginx/gitlab-ssl7
3 files changed, 13 insertions, 2 deletions
diff --git a/CHANGELOG b/CHANGELOG
index ee3ee4c37d6..852a123f0cd 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -78,6 +78,7 @@ v 8.10.0 (unreleased)
- Add reminder to not paste private SSH keys !4399 (Ingo Blechschmidt)
- Remove duplicate `description` field in `MergeRequest` entities (Ben Boeckel)
- Style of import project buttons were fixed in the new project page. !5183 (rdemirbay)
+ - Overwrite Host and X-Forwarded-Host headers in NGINX !5213
v 8.9.6 (unreleased)
- Fix importing of events under notes for GitLab projects
diff --git a/lib/support/nginx/gitlab b/lib/support/nginx/gitlab
index d521de28e8a..4a4892a2e07 100644
--- a/lib/support/nginx/gitlab
+++ b/lib/support/nginx/gitlab
@@ -49,7 +49,12 @@ server {
proxy_http_version 1.1;
- proxy_set_header Host $http_host;
+ ## By overwriting Host and clearing X-Forwarded-Host we ensure that
+ ## internal HTTP redirects generated by GitLab always send users to
+ ## YOUR_SERVER_FQDN.
+ proxy_set_header Host YOUR_SERVER_FQDN;
+ proxy_set_header X-Forwarded-Host "";
+
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
diff --git a/lib/support/nginx/gitlab-ssl b/lib/support/nginx/gitlab-ssl
index bf014b56cf6..0b93d7f292f 100644
--- a/lib/support/nginx/gitlab-ssl
+++ b/lib/support/nginx/gitlab-ssl
@@ -93,7 +93,12 @@ server {
proxy_http_version 1.1;
- proxy_set_header Host $http_host;
+ ## By overwriting Host and clearing X-Forwarded-Host we ensure that
+ ## internal HTTP redirects generated by GitLab always send users to
+ ## YOUR_SERVER_FQDN.
+ proxy_set_header Host YOUR_SERVER_FQDN;
+ proxy_set_header X-Forwarded-Host "";
+
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;