SoFunction
Updated on 2025-04-08

Nginx method to prevent directory traversal

Introduction

A directory traversal attack, also known as a path traversal attack, is a common web security vulnerability in which an attacker attempts to access unauthorized files or directories on a web server by tampering with the path in a URL request. A successful directory traversal attack lets the attacker read sensitive information such as configuration files, log files and password files, and in severe cases can lead to full control of the server. To prevent such attacks, Nginx, as a high-performance web server, provides several protections and best practices.

1. Overview of directory traversal attacks

A directory traversal attack accesses files that should not be exposed on a web server by modifying the file path. The attacker inserts ../ or similar path sequences into the URL, trying to escape the web server's root directory and reach sensitive information in the file system. For example, an attacker can request /../../../etc/passwd to read the password file of a Linux system, or /../../../var/log/apache2/ to steal the server's access logs.

In directory traversal attacks, common methods used by attackers include:

  • Using ../ to step out of the current directory: ../ refers to the parent directory, and chaining ../ sequences climbs across multiple directory levels.
  • URL encoding: the attacker may URL-encode ../ (for example as %2e%2e%2f) so that it slips past basic path filtering.
  • Path confusion: using double slashes (//) and similar tricks to interfere with path parsing.

2. Nginx strategy to prevent directory traversal

Nginx provides several methods and configuration directives that help prevent directory traversal attacks effectively. The common protection strategies are listed below.

1. Restrict access to the directory

Limiting the range of directories that Nginx is allowed to serve reduces the potential attack surface and is an effective means of preventing directory traversal attacks. Common methods include:

  • Restrict access to the web root directory and ensure that no extra directories are exposed.
  • Use location directives to match specific files or paths and prevent access to directories that should not be exposed.

Configuration example:

server {
    listen 80;
    server_name ;

    # Specify the root directory and restrict path access
    root /var/www/html;

    # Disable access to the parent directory and sensitive files
    location ~ /\.\./ {
        deny all;
    }

    location / {
        try_files $uri $uri/ =404;
    }
}

In this configuration:

  • The location ~ /\.\./ directive blocks access to any path containing ../. Because Nginx normalizes the URI (decoding %XX escapes and resolving ./ and ../) before matching locations, and answers a request that tries to climb above the root with 400 Bad Request, this location acts as a backstop rather than the primary defense.
  • try_files $uri $uri/ =404 ensures that only existing files or directories are served; anything else returns 404.

2. Use the deny and allow instructions

Nginx's deny and allow directives configure IP address-based access control to block unauthorized access. Configuring them further strengthens the defense against directory traversal attacks by restricting access to sensitive directories or files to specific IP addresses only.

Configuration example:

server {
    listen 80;
    server_name ;

    location /admin/ {
        allow 192.168.1.100;  # Only the specified IP is allowed
        deny all;             # All other IPs are denied
    }
}

In the above configuration, only the IP address 192.168.1.100 can access the /admin/ directory; requests from all other IP addresses are rejected.

3. Restrict requests containing special characters

Directory traversal attacks usually rely on special characters in the requested URL (such as ../ or ..%2F). By configuring request filtering rules in Nginx, these illegal requests can be intercepted.

Nginx can rewrite URLs or reject illegal requests through the ngx_http_rewrite_module module; requests containing certain characters can be restricted using regular expressions.

Configuration example:

server {
    listen 80;
    server_name ;

    # Reject requests containing directory traversal characters
    location / {
        set $blocked 0;
        # The dots are escaped: an unescaped ".." would match any two characters
        if ($query_string ~* "\.\.") {
            set $blocked 1;
        }
        if ($uri ~* "\.\.") {
            set $blocked 1;
        }
        if ($blocked) {
            return 403;  # Access denied
        }

        # Process the request normally
        try_files $uri $uri/ =404;
    }
}

In this configuration:

  • if ($query_string ~* "\.\.") and if ($uri ~* "\.\.") check whether the query string and the URI of the request contain .., that is, whether directory traversal characters are present. Note that $uri holds the URI after Nginx has decoded percent-escapes and resolved ./ and ../, so a raw ../ sequence in the path is only visible in $request_uri; a request that tries to climb above the root is already rejected by Nginx with 400 Bad Request.
  • If the request contains directory traversal characters, a 403 Forbidden status code is returned and the request is rejected.

4. Enable URL decoding filtering

Attackers may use URL encoding (e.g. %2e%2e%2f) to bypass Nginx's basic path check. To prevent this, URL decoding filtering can be enabled to ensure that all paths are checked after they have been decoded.

Nginx decodes the URL by default when processing requests, but extra protections can still be added to ensure that special characters in the path are not handled incorrectly.

5. Use chroot to restrict the root directory

chroot is a technique that changes the root directory of a process to a specified directory. It can be used to confine the web server's view of the file system to a secure directory, preventing attackers from reaching file system resources outside the web root. With chroot, even if an attacker succeeds in a directory traversal attack, they cannot access directories outside the web server's confined root.

In Nginx, chroot is provided by the operating system rather than by Nginx itself, so it must be configured at the operating system level.

6. Configure disable_symlinks

Soft links (symbolic links) are a common file system feature in Linux and Unix-like systems that link a file or directory to another location. Symbolic links can pose a security risk in web applications because an attacker may reach sensitive files through them. To reduce this risk, Nginx provides the disable_symlinks directive to restrict access through symbolic links.

Configuration example:

server {
    listen 80;
    server_name ;

    location / {
        disable_symlinks on;  # Disable access to symbolic links
    }
}

3. Common directory traversal attack methods

Although Nginx provides multiple protection mechanisms, attackers always look for ways to bypass security measures. Here are some common directory traversal attack methods:

1. Use URL encoding to bypass filtering

The attacker URL-encodes directory traversal characters such as ../ (for example as ..%2F or %2e%2e%2f) in an attempt to bypass simple character filtering. This approach may escape ordinary regular-expression filters and reach files that should not be exposed.

2. Double Slash attack

Some web servers ignore double slashes (//) when parsing the URL. Attackers can exploit this by inserting double slashes into the URL to interfere with path resolution and thereby achieve directory traversal.

For example, an attacker can try to access //etc/passwd, expecting the server to ignore the double slashes and return the file contents.

3. Bypass path normalization

Some web servers normalize paths when parsing them (for example, ignoring redundant slashes or automatically resolving path segments). An attacker may exploit this by sending irregular path requests that cause the web server to bypass its restrictions and access files that should not be exposed.
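The bypasses described above (URL encoding, double slashes, normalization quirks) are best handled by canonicalizing the requested path against the web root before deciding to serve it, rather than by pattern-matching raw characters. The following Python snippet is an added example, not part of the original article or of Nginx; it assumes a web root of /var/www/html (the root used in the article's configuration) and contrasts the raw ".." blocklist from section 2.3 with a decode-then-normalize check.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"  # assumed web root, matching the article's root directive


def fully_decode(path: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so %252e (double encoding) is caught."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            return decoded
        path = decoded
    raise ValueError("too many encoding layers")


def naive_filter_blocks(raw_uri: str) -> bool:
    """The blocklist idea from section 2.3: reject only a literal '..' in the raw URI."""
    return ".." in raw_uri


def resolve_under_root(raw_uri: str, root: str = WEB_ROOT) -> Optional[str]:
    """Return the filesystem path to serve, or None if the request escapes the web root."""
    try:
        path = fully_decode(raw_uri.split("?", 1)[0])  # the query string is not a path
    except ValueError:
        return None
    if "\x00" in path:
        return None  # an embedded NUL would truncate the path in C-level file APIs
    # Join first, normalize second: normpath resolves '.', '..' and repeated slashes,
    # so '..' sequences are applied relative to root and an escape becomes visible.
    target = posixpath.normpath(root + "/" + path)
    if target != root and not target.startswith(root + "/"):
        return None
    return target


if __name__ == "__main__":
    # Constructed sample requests covering the bypasses discussed in section 3.
    samples = [
        "/index.html",
        "/../../../etc/passwd",
        "/..%2F..%2Fetc/passwd",
        "/%2e%2e%2f%2e%2e%2fetc/passwd",
        "/%252e%252e/%252e%252e/etc/passwd",
        "//etc/passwd",
    ]
    for uri in samples:
        print(f"{uri:40} naive_blocks={naive_filter_blocks(uri)!s:5} serve={resolve_under_root(uri)}")
```

Note that //etc/passwd resolves to a file inside the web root, which is exactly why the double-slash trick only works on servers that skip this join-then-normalize step.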

4. Best practices for directory traversal defense

To maximize protection of your web server from directory traversal attacks, here are some defense best practices:

  • Minimize the web root directory: only necessary directories and files are exposed. Make sure no extra directories or sensitive files are exposed to external access.
  • Strictly restrict file uploads: validate files uploaded by users and prevent uploaded file names from containing path components.
  • Set file permissions strictly: ensure that the web server's file permissions are configured correctly and restrict access to sensitive files.
  • Audit and monitor regularly: monitor for potential attacks with log analysis tools (such as fail2ban) or a WAF.
  • Update and patch promptly: keep Nginx and the operating system up to date so that known vulnerabilities cannot be exploited by attackers.

5. Summary

Directory traversal attacks are a common and dangerous class of web application vulnerability. By configuring Nginx sensibly and adopting a range of protection measures, administrators can effectively prevent directory traversal attacks and protect the web server from threats such as data leakage and file tampering. This article has described common ways to prevent directory traversal through Nginx configuration and how to strengthen Nginx security. Implementing these protection policies helps web administrators keep their sites secure and prevent sensitive information from being leaked.
