nginx: replace $http_host by $host, cf https://github.com/yandex/gixy/blob/master/docs/en/plugins/hostspoofing.md / Credit to A.Wolski

2024-09-03 20:06:10 +02:00 · 2023-07-04 15:00:02 +02:00 · 2023-07-04 15:00:02 +02:00 · 3957b10e92
commit 3957b10e92
parent 36a17dfdbd
3 changed files with 3 additions and 3 deletions
--- a/conf/nginx/redirect_to_admin.conf
+++ b/conf/nginx/redirect_to_admin.conf
@ -1,3 +1,3 @@
 location / {
-    return 302 https://$http_host/yunohost/admin;
+    return 302 https://$host/yunohost/admin;
 }
--- a/conf/nginx/server.tpl.conf
+++ b/conf/nginx/server.tpl.conf
@ -25,7 +25,7 @@ server {
    {# Note that this != "False" is meant to be failure-safe, in the case the redrect_to_https would happen to contain empty string or whatever value. We absolutely don't want to disable the HTTPS redirect *except* when it's explicitly being asked to be disabled. #}
    {% if redirect_to_https != "False" %}
    location / {
-        return 301 https://$http_host$request_uri;
+        return 301 https://$host$request_uri;
    }
    {# The app config snippets are not included in the HTTP conf unless HTTPS redirect is disabled, because app's location may blocks will conflict or bypass/ignore the HTTPS redirection. #}
    {% else %}
--- a/conf/nginx/yunohost_api.conf.inc
+++ b/conf/nginx/yunohost_api.conf.inc
@ -4,7 +4,7 @@ location /yunohost/api/ {
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
-    proxy_set_header Host $http_host;
+    proxy_set_header Host $host;

    {% if webadmin_allowlist_enabled == "True" %}
    {% for ip in webadmin_allowlist.split(',') %}