Nginx

filetransfers

Nginx is a powerful and widely used open-source web server. It's the main competitor of Apache. It's an event-based web server known to be faster and more powerful than Apache.

$ cat nginx.conf 
events {}

http {
    server {
        listen 80;
        server_name localhost;

        # Reverse Proxy setting "Host: ..."
        location / {
            proxy_pass http://real_target:port/;
            proxy_set_header Host $http_host;
        }
    }
}
$ cat docker-compose.yml 
version: '3'
services:
  nginx:
    image: nginx:latest
    ports:
      - "8000:80"
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf
$ docker compose up   # no "-d" to see the logs
$ docker compose down # clean up

This reverse proxy configuration lets you reach http://real_target:port/ through localhost:8000 while the Host header is set to Host: localhost:8000, which is convenient during pentesting.


Nginx Misconfigurations

Nginx Alias Misconfiguration

nginx_alias_misconfiguration

To map a route to a path, we should not use alias. Otherwise, malicious users will be able to escape the exposed folder using ../:

- # Can use http://localhost/assets../ to access "/app"
location /assets/ {
-    alias /app/assets/;
+    root /app/assets/;
}
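
Review bot: the `+` line `root /app/assets/;` changes which files are served, because `root` appends the full request URI to the path: under `location /assets/` a request for `/assets/x.css` resolves to `/app/assets/assets/x.css`. To keep serving the same directory it should be `root /app;`. Separately, the removed comment's `/assets../` request does not start with the `/assets/` prefix shown on the context line, so it would not match this location as written. The escape applies when the prefix is written without its trailing slash (`location /assets`) while the alias ends in `/`, so keeping `alias` with a trailing slash on both lines is also a valid fix.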

➡️ Known tool to exploit this: Kyubi (0.1k ⭐).
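
A config check for the alias problem described above, as an added example that is not part of the original notes: it flags a prefix location written without a trailing slash whose alias ends in one, which is the combination under which a `/assets../` request resolves outside the aliased folder. The function name, the sample config and the one-directive-per-line parsing are assumptions of this example.

```python
import re

# Constructed sample config (not from the page): one risky block, two that pass.
SAMPLE_CONF = """
http {
    server {
        location /assets {        # prefix has no trailing slash
            alias /app/assets/;   # alias has one: "/assets../" maps to /app/
        }
        location /static/ {
            alias /app/static/;
        }
        location ~ ^/img/(.*)$ {
            alias /app/img/$1;
        }
    }
}
"""

LOCATION_RE = re.compile(r"^location\s+(?:(=|~\*?|\^~)\s*)?(\S+)\s*\{")
ALIAS_RE = re.compile(r"^alias\s+([^;]+);")


def find_alias_slash_mismatch(conf_text):
    """Return (line_no, prefix, alias) where a prefix location lacks the
    trailing slash that its alias has. Assumes one directive per line."""
    findings, stack = [], []  # stack: location prefix per open block, or None
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # naive comment stripping
        loc, alias = LOCATION_RE.match(line), ALIAS_RE.match(line)
        if loc:
            modifier, prefix = loc.groups()
            # Only plain and ^~ prefix locations are checked here.
            stack.append(prefix if modifier in (None, "^~") else None)
        elif line.endswith("{"):
            stack.append(None)
        elif line == "}" and stack:
            stack.pop()
        elif alias and stack and stack[-1] is not None:
            prefix, target = stack[-1], alias.group(1).strip()
            if not prefix.endswith("/") and target.endswith("/"):
                findings.append((line_no, prefix, target))
    return findings


if __name__ == "__main__":
    for line_no, prefix, target in find_alias_slash_mismatch(SAMPLE_CONF):
        print(f"line {line_no}: location {prefix} -> alias {target}")
```

Run it against the output of `nginx -T` saved to a file to cover included files as well; regex and exact-match locations are skipped on purpose.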


👻 To-do 👻

Stuff that I found but haven't read/used yet.

  • /etc/nginx/nginx.conf: configuration file
  • /var/log/nginx/: logs
  • lemp
$ # server { listen, location {root, dav_methods PUT} }
$ sudo ln -s /etc/nginx/sites-available/xxx.conf /etc/nginx/sites-enabled/
$ sudo rm /etc/nginx/sites-enabled/default # default conf
$ sudo nginx -t
$ sudo systemctl restart nginx.service