
I have nginx running locally, alongside my local test SOAP server. I am using SoapUI to send SOAP requests to this server via nginx, e.g. SoapUI -> Nginx:80 -> SoapServer:9338.

My goal is to strip out non-standard headers, to tighten up security. I want to keep content-type, accept, etc, but I want to strip headers such as myHeader1, or abc=xyz.

As part of my testing, I am sending custom headers, and I can see them arriving at my server on the far side, so nginx isn't doing any filtering. I tried using ignore_invalid_headers on; in my /etc/nginx/nginx.conf file under http {}, but I think it means something different to what I think it means, as it doesn't strip any headers.

I can see from the docs that you can add headers, or change specific headers, but can I either strip out all non-standard/custom headers, or can I specify a list of headers that I only want to accept?

Thank you.

1 Answer

The ignore_invalid_headers directive only ignores headers which are wrongly formatted.
To clear certain headers you could have a look at the more_clear_headers directive.

See http://wiki.nginx.org/NginxHttpHeadersMoreModule#more_clear_headers for more details.

It's not part of the standard nginx distribution so you will have to install it manually.

Example:

more_clear_headers 'X-*';

will clear all headers starting with X-.


4 Comments

Thanks. So you're saying I can't filter these headers without an addon? If I install that addon, is it possible to filter all headers except a specified few? Because X-* won't block header or headerXYZ or whatever a hacker decided to make up.

Yes, you need the addon. It still doesn't provide the exact functionality that you want, but it's the closest thing. You could also write your own addon if you're up for it. wiki.nginx.org/3rdPartyModules#Tools_for_module_developers

I found an old GitHub repo that tried to do something similar. But I've no idea if it works: github.com/localshred/nginx-whitelist

Looks hopeful! But I wouldn't know if it works either. If you want to dive deep then here is an article about developing modules. It also covers building. evanmiller.org/nginx-modules-guide.html
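Added example, not from the answer or the comments above: the allowlist the comments ask for can be built with stock nginx directives alone, by turning off forwarding of client request headers (proxy_pass_request_headers off) and then re-adding only the named ones with proxy_set_header; a proxy_set_header with an empty value sends nothing, so a header the client did not supply is simply absent upstream. The backend port 9338 and the header names myHeader1, Accept and Content-Type come from the question; forwarding SOAPAction is an assumption about what the SOAP server needs. One caveat on the answer's directive: more_clear_headers in the headers-more module operates on response headers returned to the client; the request-side directive in that module is more_clear_input_headers.

```nginx
# Added example (not from the original answer). Goes inside http {} in nginx.conf.
# Port 9338 and the header names are taken from the question; forwarding
# SOAPAction is an assumption about what the backend requires.

# Option A, stock nginx, allowlist: drop every client request header, then
# forward only the ones named here. $http_<name> holds the client's value of
# that header (name lowercased, dashes replaced by underscores, so
# SOAPAction becomes $http_soapaction). Empty value => header not sent.
server {
    listen 80;

    location / {
        proxy_pass http://127.0.0.1:9338;

        # Stop forwarding the client's headers wholesale; myHeader1, abc=xyz
        # or anything else a caller invents never reaches the backend.
        proxy_pass_request_headers off;

        # Explicit allowlist of what the SOAP server is allowed to see.
        proxy_set_header Host         $host;
        proxy_set_header Content-Type $content_type;
        proxy_set_header Accept       $http_accept;
        proxy_set_header SOAPAction   $http_soapaction;
        # Content-Length for the POST body and Connection are still added by
        # nginx's own default proxy headers, so the request stays well-formed.
    }
}

# Option B, stock nginx, denylist: keep everything but blank out names you
# already know. Only covers headers you can predict in advance.
#
#     proxy_set_header myHeader1 "";
#
# Option C, headers-more module: clear matching *request* headers before
# they are proxied. more_clear_headers (from the answer) would instead act
# on the *response* sent back to the client.
#
#     more_clear_input_headers 'X-*' 'myHeader1';
```

To verify, reload nginx and send a request from SoapUI with a made-up header such as myHeader1; it should no longer appear at the SOAP server, while Content-Type, Accept and the body's Content-Length still arrive.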
