Fixing a CORS cross-origin vulnerability in the Nginx configuration
1. Problem description
CORS policy set according to an arbitrary initial header
Severity: Medium
CVSS score: 5.3
URL: http://192.168.100.190:8080/
Entity: 192.168.100.190 (Page)
Risk: It may be possible to gather sensitive information about the web application, such as usernames, passwords, machine names and/or sensitive file locations
It may be possible to persuade a naive user to supply sensitive information such as a username, password, credit card number, social security number, etc.
Cause: Insecure web application programming or configuration
Fix: Change the "Access-Control-Allow-Origin" header so that it only grants access to permitted sites
Difference: the Origin header was added to the request: http://bogus.hcl.com
Reasoning: AppScan detected that the "Access-Control-Allow-Origin" header is too permissive
2. Attempt 1: add the CORS headers with add_header (does not work)
```nginx
location / {
    add_header Access-Control-Allow-Origin 'http://192.168.100.190:8080';
    # add_header takes exactly two arguments, so a value containing spaces must be quoted
    add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS';
    add_header Access-Control-Allow-Headers 'Content-Type';
}
```
Even with these headers configured, requests carrying any other Origin still went through as before, so this approach does not help. That is expected: add_header only appends headers to the response. It neither rejects the request nor strips an Access-Control-Allow-Origin value that the upstream application is already reflecting (the Access-Control-Allow-Credentials and Vary: Origin headers in the responses below are produced by the backend, not by this configuration), so the scanner still sees the echoed origin.
3. Attempt 2: a map directive in the http block (works)
```nginx
http {
    ...

    # 1. Allow-list of legitimate Origins (regex keys are supported).
    #    The keys are anchored with ^ and $ and the dots are escaped: an
    #    unanchored pattern such as "~http://192.168.100.190:8080/*" would
    #    also match any origin that merely contains that string.
    map $http_origin $allow_cors {
        default "";
        "~*^http://192\.168\.100\.190:8080/?$"   $http_origin;  # the service address itself
        "~^http://192\.168\.100\.190(:[0-9]+)?$" $http_origin;  # same host, any port
    }

    ...
}

# 2. In the location that proxies the backend, reject every request whose
#    Origin did not match a map entry.
location /aifn/ysh/api/ {
    if ($allow_cors = "") {
        return 403;
    }
    ...
}
```
Two caveats about this check. First, it keys on $http_origin, so a request that carries no Origin header at all (plain navigations, curl without an Origin header, same-origin GET requests from browsers) also maps to "" and is answered with 403; if such requests must reach the API, give the empty string its own map entry or test for it separately. Second, the 403 only stops the request at nginx; for permitted origins the Access-Control-Allow-Origin header is still produced by the upstream, so the backend's own CORS allow-list has to stay in sync with this map.
Result:
```text
$ curl -H "Origin: http://192.168.100.190:8080" -I http://192.168.100.190:8080/aifn/ysh/api/api/public-service/statistics
HTTP/1.1 405
Server: nginx
Date: Tue, 29 Apr 2025 08:15:29 GMT
Content-Type: application/json
Connection: keep-alive
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: http://192.168.100.190:8080
Access-Control-Allow-Credentials: true
Allow: POST
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN

$ curl -H "Origin: http://bogus.hcl.com" -I http://192.168.100.190:8080/aifn/ysh/api/api/public-service/statistics
HTTP/1.1 403 Forbidden
Server: nginx
Date: Tue, 29 Apr 2025 08:15:38 GMT
Content-Type: text/html
Content-Length: 146
Connection: keep-alive
```
The 405 in the first response comes from the backend (curl -I sends a HEAD request and the endpoint only accepts POST, as the Allow header shows), which confirms that a request with the legitimate Origin is proxied; the request with the bogus Origin is stopped by nginx with 403 and never reaches the application.
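As an added example (not code from the original post), the following Python checker mirrors the map rules above and classifies a response the way the scanner finding does: whether an arbitrary Origin was echoed back, an allow-listed origin was granted, or no grant was sent at all. The helper names (resolve_allowed_origin, audit_cors_response) and the sample responses are constructed here, modelled on the two curl outputs.

```python
import re

# Allow-list written the way the nginx "map" above is: "~" marks a case-sensitive
# regex key, "~*" a case-insensitive one, the first match wins and no match yields
# "" (the map's default). nginx tries literal keys before regex keys; all keys
# here are regexes, so list order is match order. These are the anchored rules.
ALLOW_RULES = [
    r"~*^http://192\.168\.100\.190:8080/?$",    # the service address itself
    r"~^http://192\.168\.100\.190(:[0-9]+)?$",  # same host, any port
]


def resolve_allowed_origin(origin: str, rules=ALLOW_RULES) -> str:
    """Return what $allow_cors would hold for a given Origin header value."""
    for rule in rules:
        if rule.startswith("~*"):
            pattern, flags = rule[2:], re.IGNORECASE
        elif rule.startswith("~"):
            pattern, flags = rule[1:], 0
        else:  # plain string key, compared literally
            if rule == origin:
                return origin
            continue
        if re.search(pattern, origin, flags):
            return origin
    return ""  # no rule matched: the nginx "if" would answer 403


def audit_cors_response(request_origin: str, headers: dict) -> str:
    """Classify a response the way the scanner finding above does."""
    acao = headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return "blocked"      # no CORS grant at all (e.g. the 403 branch)
    if acao == "*":
        return "wildcard"
    if resolve_allowed_origin(acao):
        return "allowed"      # an allow-listed origin was granted
    if acao == request_origin:
        return "reflected"    # arbitrary Origin echoed back: the finding above
    return "mismatch"         # some other fixed origin; browsers refuse it


# Constructed samples modelled on the two curl responses shown above, plus what
# the unpatched deployment would return when it echoes the Origin back.
RESPONSE_ALLOWED = {"Access-Control-Allow-Origin": "http://192.168.100.190:8080",
                    "Access-Control-Allow-Credentials": "true", "Vary": "Origin"}
RESPONSE_BLOCKED = {"Content-Type": "text/html", "Content-Length": "146"}
RESPONSE_REFLECTED = {"Access-Control-Allow-Origin": "http://bogus.hcl.com",
                      "Access-Control-Allow-Credentials": "true"}
```

Feeding the map rules through resolve_allowed_origin before deploying them is a cheap way to confirm that only the intended host matches and that an empty Origin resolves to "".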
Complete configuration file:
```nginx
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    #tcp_nopush on;
    keepalive_timeout 65;
    server_tokens off;
    #include /etc/nginx/conf.d/*.conf;

    # Allow-list of legitimate Origins (anchored regex keys; no match -> "")
    map $http_origin $allow_cors {
        default "";
        "~*^http://192\.168\.100\.190:8080/?$"   $http_origin;  # the service address itself
        "~^http://192\.168\.100\.190(:[0-9]+)?$" $http_origin;  # same host, any port
    }

    server {
        listen 80;
        server_name localhost;
        client_max_body_size 2048M;
        server_tokens off;
        #charset koi8-r;
        access_log /var/log/nginx/host.access.log main;
        error_log /var/log/nginx/error.log error;
        #error_page 404 /404.html;
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root /usr/share/nginx/html;
        }

        # Front end served under /aifn/ysh (its own build directory)
        location /aifn/ysh {
            alias /usr/share/nginx/html/aiyshj/dist;   # maps to the dist directory
            index index.html index.htm;
            # Fall back to the app's index.html; the fallback URI must stay under
            # /aifn/ysh so that the internal redirect is resolved through this alias
            try_files $uri $uri/ /aifn/ysh/index.html;
            # Cookie hardening for proxied responses (keep only if this location proxies)
            proxy_cookie_flags ~ secure samesite=lax httponly;
        }

        location /aifn/ysh/api/ {
            # Reject requests whose Origin is not in the allow-list
            if ($allow_cors = "") {
                return 403;
            }
            proxy_pass http://192.168.0.109:18092/api/;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}
```
Source: "Restricting Origin in the Nginx configuration to fix the CORS cross-origin vulnerability", 清晨的技术博客 (51CTO blog).